Splunk Enterprise Security

How to test a correlation search?

echojacques
Builder

So this is the pre-configured correlation search called "substantial increase in port activity". I'd like to tweak it to our needs... but to tweak it I need to test it. When I copy and paste the actual correlation search into the Splunk Search bar it doesn't work. What am I missing? This is exactly what I'm pasting into the Search bar:

| `tstats` sum(count) from sa_port_proto groupby _time,transport,dest_port span=30m | stats sum(count) as count by _time,transport,dest_port | `timeDiff` | appendpipe [search timeDiff<=86400 | stats max(_time) as _time,sum(count) as count by transport,dest_port | eval group="Last 24 hours"] | eval group=if(_time<relative_time(time(),"@d") AND timeDiff<=5184000,"Last 60 days",group) | bin _time span=1d | stats sum(count) as count by _time,group,transport,dest_port | eval temp=if(group="Last 60 days",transport.dest_port,null()) | eventstats stdev(count) as stdev,avg(count) as avg by temp | eventstats max(stdev) as stdev,max(avg) as avg by transport,dest_port | dedup transport,dest_port sortby -_time | eval limit=(3*stdev)+avg | eval diff=count-limit | search diff>0

sowings
Splunk Employee

What do you mean by "doesn't work"? Gives no results? Take off the "search diff>0" at the end--that's a filtering search, as I indicated last time. It could simply be that you've got "normal" levels of activity. Try changing the 3*stdev term to 2, and see if you have results then.

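As an added example that is not part of this thread or of Splunk's own code: a Python model of the arithmetic the search performs (the avg/stdev over the "Last 60 days" group, limit = 3*stdev + avg, diff = count - limit), run over constructed daily counts, so a threshold change such as 3*stdev to 2*stdev can be checked before editing the SPL. It assumes Splunk's stdev() is the sample standard deviation and that a port with no baseline rows is never flagged (its limit would be null in the search).

```python
# Added example, not from the thread or Splunk: models the "substantial increase
# in port activity" arithmetic on constructed data so a threshold can be tried.
from math import sqrt

def stats_for(counts):
    """avg and sample stdev (n-1), assumed to match Splunk avg()/stdev(); one point -> 0."""
    n = len(counts)
    avg = sum(counts) / n
    if n < 2:
        return avg, 0.0          # a port with a single baseline day has no spread to learn from
    var = sum((c - avg) ** 2 for c in counts) / (n - 1)
    return avg, sqrt(var)

def evaluate(baseline, last24h, multiplier=3.0):
    """
    baseline: {(transport, dest_port): [daily counts in the 'Last 60 days' group]}
    last24h:  {(transport, dest_port): count on the 'Last 24 hours' row}
    Returns one row per port with the fields the search computes. There is no
    'search diff>0' here: the caller filters, which is what dropping that clause
    in Splunk lets you inspect.
    """
    rows = []
    for key, count in last24h.items():
        if key not in baseline:      # no temp rows -> null stats in SPL -> never flagged
            continue
        avg, sd = stats_for(baseline[key])
        limit = multiplier * sd + avg
        rows.append({"key": key, "count": count, "avg": round(avg, 2),
                     "stdev": round(sd, 2), "limit": round(limit, 2),
                     "diff": round(count - limit, 2)})
    return rows

def flagged(baseline, last24h, multiplier=3.0):
    """Equivalent of appending '| search diff>0'."""
    return sorted(r["key"] for r in evaluate(baseline, last24h, multiplier) if r["diff"] > 0)

# Constructed sample data (not real traffic). tcp/3389 was quiet until a week of
# ~500/day; once those days enter the 60-day baseline the stdev grows and the
# 3*stdev limit climbs above today's 450, which is why results can vanish.
QUIET = [10] * 60
SPIKED = [10] * 53 + [500] * 7
STEADY = {("udp", 53): [990, 1010] * 30, ("tcp", 445): [4, 6] * 30}
BASELINE_LAST_WEEK = {("tcp", 3389): QUIET, **STEADY}
BASELINE_THIS_WEEK = {("tcp", 3389): SPIKED, **STEADY}
TODAY = {("tcp", 3389): 450, ("udp", 53): 1015, ("tcp", 445): 30}

if __name__ == "__main__":
    for label, base in (("last week", BASELINE_LAST_WEEK), ("this week", BASELINE_THIS_WEEK)):
        for k in (3.0, 2.0):
            print(f"{label}, {k:.0f}*stdev ->", flagged(base, TODAY, k))
    for row in evaluate(BASELINE_THIS_WEEK, TODAY):
        print(row)
```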

chetandravid
New Member

I have a question here: how do I migrate a correlation search to a data model?



sowings
Splunk Employee

I believe that this search is expected to "learn" over time what the usual behavior is, so you'll only see results (now that it has learned) if something truly does exceed the averages that have previously been observed.

echojacques
Builder

I think I have other problems, I'm getting "splunkd daemon not responding" now. So it's probably not the search that is the problem. Thanks for the info, I'll keep testing.


echojacques
Builder

When I run the search, I don't get any results. I had disabled the search last week because I was getting 500+ results every time it ran. And now today, I get no results.

I tested with 1*stdev and 2*stdev and removed the search diff>0 and still no results. I am also searching the last 30 days.

Just confused because last week it was finding a lot and then this week nothing.
