Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to optimize correlation search with tstats?

b_chris21
Communicator
‎03-03-2022 01:01 AM

Hello everyone,

I have a correlation search setup to detect Suricata IDS alerts of a specific severity and trigger a notable as response action to ES.

I would like to know if there is a way to optimize my search and transform it into tstats one in order to optimize the speed and performance.

My current search:

 

 

 

index=suricata sourcetype=suricata event_type=alert alert.severity=1

 

 

 

 

I have Datamodel "Intrusion Detected" populated with suricata logs (also accelerated). But I would like to know if I can take advantage of the acceleration and use a tstats command in my correlation search in order to save some resources.

Thank you in advance.

Regards,

Chris

 

Labels (1)
Labels
0 Karma
Reply

b_chris21
Communicator
‎03-03-2022 01:19 AM

I managed to create the following tstats command:

 

|tstats `summariesonly` count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.severity=high by IDS_Attacks.signature | `drop_dm_object_name(IDS_Attacks)'

 

I do get results in a table with high severity alerts.

I created a test correlation search which fires a notable event, but it contains zero data on it.

What shall I do in order to have all notable event's additional fields populated (if data exists) and also have the notable event's row in Incident Review, populated with src, dest (they are empty too)?

Thanks,

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top