Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to test a correlation search?

echojacques
Builder
‎08-27-2013 08:33 AM

So this is the pre-configured correlation search called "substantial increase in port activity". I'd like to tweak it to our needs... but to tweak it I need to test it. When I copy and paste the actual correlation search into the Splunk Search bar it doesn't work. What am I missing? This is exactly what I'm pasting into the Search bar:

| `tstats` sum(count) from sa_port_proto groupby _time,transport,dest_port span=30m | stats sum(count) as count by _time,transport,dest_port | `timeDiff` | appendpipe [search timeDiff<=86400 | stats max(_time) as _time,sum(count) as count by transport,dest_port | eval group="Last 24 hours"] | eval group=if(_time<relative_time(time(),"@d") AND timeDiff<=5184000,"Last 60 days",group) | bin _time span=1d | stats sum(count) as count by _time,group,transport,dest_port | eval temp=if(group="Last 60 days",transport.dest_port,null()) | eventstats stdev(count) as stdev,avg(count) as avg by temp | eventstats max(stdev) as stdev,max(avg) as avg by transport,dest_port | dedup transport,dest_port sortby -_time | eval limit=(3*stdev)+avg | eval diff=count-limit | search diff>0
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎08-27-2013 08:49 AM

What do you mean by "doesn't work"? Gives no results? Take off the "search diff>0" at the end--that's a filtering search, as I indicated last time. It could simply be that you've got "normal" levels of activity. Try changing the 3*stdev term to 2, and see if you have results then.

View solution in original post

Reply
Solved! Jump to solution

chetandravid
New Member
‎06-02-2016 11:48 AM

I have a question here how migrate correlation search to data model?

0 Karma
Reply
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎08-27-2013 08:49 AM

What do you mean by "doesn't work"? Gives no results? Take off the "search diff>0" at the end--that's a filtering search, as I indicated last time. It could simply be that you've got "normal" levels of activity. Try changing the 3*stdev term to 2, and see if you have results then.

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎08-27-2013 09:03 AM

I believe that this search is expected to "learn" over time what the usual behavior is, so you'll only see results (now that it has learned) if something truly does exceed the averages that have previously been observed.

Reply
Solved! Jump to solution

echojacques
Builder
‎08-27-2013 09:02 AM

I think I have other problems, I'm getting "splunkd daemon not responding" now. So it's probably not the search that is the problem. Thanks for the info, I'll keep testing.

0 Karma
Reply
Solved! Jump to solution

echojacques
Builder
‎08-27-2013 08:58 AM

When I run the search, I don't get any results. I had disabled the search last week because I was getting 500+ results every time it ran. And now today, I get no results.

I tested with 1*stdev and 2*stev and removed the search diff>0 and still no results. I am also searching last 30 days.

Just confused because last week it was finding a lot and then this week nothing.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...