Splunk Enterprise Security

Is there a way to optimize correlation search with tstats?


Hello everyone,

I have a correlation search set up to detect Suricata IDS alerts of a specific severity and trigger a notable as a response action in ES.

I would like to know if there is a way to optimize my search and transform it into a tstats one in order to improve speed and performance.

My current search:

index=suricata sourcetype=suricata event_type=alert alert.severity=1

I have the "Intrusion Detected" data model populated with Suricata logs (also accelerated). But I would like to know if I can take advantage of the acceleration and use a tstats command in my correlation search in order to save some resources.

Thank you in advance.



I managed to create the following tstats command:

| tstats `summariesonly` count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.severity=high by IDS_Attacks.signature | `drop_dm_object_name(IDS_Attacks)`

I do get results in a table with high severity alerts.

I created a test correlation search which fires a notable event, but it contains zero data on it.

What shall I do in order to have all of the notable event's additional fields populated (if the data exists), and also have the notable event's row in Incident Review populated with src and dest (they are empty too)?



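One way to get the notable's fields populated, given as an added example rather than anything from the posts above: tstats only returns the aggregate functions you ask for plus the fields named in its `by` clause, so a search grouped only by signature hands the notable nothing it can show as src or dest. Splitting the asset fields out in `by` fixes that. This example assumes the standard CIM Intrusion Detection field names (src, dest, dest_port, signature, category, severity) and that the accelerated summary actually has those fields populated for the Suricata source.

```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Intrusion_Detection.IDS_Attacks
    where IDS_Attacks.severity=high
    by IDS_Attacks.src IDS_Attacks.dest IDS_Attacks.dest_port
       IDS_Attacks.signature IDS_Attacks.category IDS_Attacks.severity
| `drop_dm_object_name(IDS_Attacks)`
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstTime) ctime(lastTime)
```

After `drop_dm_object_name` the rows carry plain src, dest, dest_port, signature, category and severity, which is what Incident Review reads for its row and what the correlation search's throttling fields can be set against (src, dest and signature is a sensible throttle key so one noisy signature does not create a notable per minute). The correlation search's own time range supplies earliest and latest. Two caveats worth checking before relying on it: `summariesonly` returns only events already in the acceleration summary, so a short lookback that runs ahead of acceleration lag silently drops alerts (compare the count against the same search with summariesonly=false over the same window), and any alert whose src or dest was not extracted appears with those fields null, so consider including a `fillnull` for those fields if you want every alert to surface rather than only the fully populated ones.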