Splunk Enterprise Security

Splunk Enterprise Security: Can I hold all the events which matched my correlation search?

nandha_2
Engager

Can I hold all the events which matched the correlation search in Splunk Enterprise Security before they get indexed in the notable index?

So that's like --> correlation search runs --> (store all the contributing events in a file) --> then allow Splunk to index them in index=notable on disk.

Is it possible to add a script before Splunk indexes the events into the notable index?

0 Karma

gcusello
SplunkTrust

Hi nandha_2,

Using Splunk, you can only filter events using regexes (see http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad).

If you want to pre-parse your logs before indexing, you have to run a pre-parsing script outside Splunk and index the output file.

Doing this is easy if you have a syslog data flow or a file on the Splunk server, but less easy if you receive logs via a Forwarder, because you have to distribute the external script to every Forwarder.
In addition, you lose real-time monitoring, because there is always a delay between when the log arrives and the indexing time.

We asked Splunk to add the possibility of running a script before indexing, but it is not there yet.

Bye.
Giuseppe

0 Karma

nandha_2
Engager

Could you please explain to me what happens when the correlation search matches a set of events. Does Splunk store this in memory or in a file before it loads its data into the notable index?

0 Karma

gcusello
SplunkTrust

All Splunk search results (correlation or not) are stored in a file for a configurable time, and they are reusable.
You can find them in [Settings -- Processes].
If instead you want information on the search run, use "Job properties".
Bye.
Giuseppe

0 Karma
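As an added example (not code from this thread, and not Splunk's own code), a small Python script that uses Splunk's REST API to read a finished search job's properties and results and hold them in a file, which is the "store all the contributing events in a file" step nandha_2 describes; the host, token and search id (sid) are placeholders you must supply, and the sample responses are constructed so the parsing can be exercised offline.

```python
# Added example (not from the original thread): pull a finished search job's
# properties and results from Splunk's REST API and archive them to a JSONL
# file, independently of any notable event the correlation search creates.
# Assumptions: the endpoints /services/search/jobs/<sid> and
# /services/search/jobs/<sid>/results exist (they do in Splunk Enterprise);
# base_url, token and sid are placeholders the caller must provide.
import json
import ssl
import urllib.request

def extract_results(body: str) -> list[dict]:
    """Parse an output_mode=json results response: {"results": [ {...}, ... ]}."""
    payload = json.loads(body)
    return payload.get("results", [])

def extract_job_state(body: str) -> tuple[str, int]:
    """From a job properties response, return (dispatchState, resultCount)."""
    content = json.loads(body)["entry"][0]["content"]
    return content["dispatchState"], int(content["resultCount"])

def archive_results(results: list[dict], path: str) -> int:
    """Write one JSON object per line; return the number of events written."""
    with open(path, "w", encoding="utf-8") as fh:
        for event in results:
            fh.write(json.dumps(event, sort_keys=True) + "\n")
    return len(results)

def _get(url: str, token: str) -> str:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()  # keep TLS certificate verification on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")

def hold_job_results(base_url: str, sid: str, token: str, path: str) -> int:
    """Archive the results of job <sid> once it is DONE; returns events written."""
    state, _count = extract_job_state(_get(f"{base_url}/services/search/jobs/{sid}?output_mode=json", token))
    if state != "DONE":
        raise RuntimeError(f"job {sid} is not finished: {state}")
    body = _get(f"{base_url}/services/search/jobs/{sid}/results?output_mode=json&count=0", token)
    return archive_results(extract_results(body), path)

# Constructed sample responses (not real Splunk output) for offline testing.
SAMPLE_JOB = '{"entry":[{"content":{"dispatchState":"DONE","resultCount":"2"}}]}'
SAMPLE_RESULTS = '{"results":[{"src":"10.0.0.5","dest":"10.0.0.9","count":"3"},{"src":"10.0.0.7","dest":"10.0.0.9","count":"1"}]}'

if __name__ == "__main__":
    print(archive_results(extract_results(SAMPLE_RESULTS), "held_events.jsonl"))
```

The archived file is the job's result set, which is what the search actually matched; the job artifact itself still expires after the retention time gcusello mentions, so the copy is what survives.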

nandha_2
Engager

I am not sure if you understood my question correctly!? This is regarding the Splunk Enterprise Security app. A security analyst can configure a correlation search which scans data and takes an action, creating notables.

http://docs.splunk.com/Documentation/PCI/3.3.0/Install/Correlationsearches

So, it matches against a set of data. Does Splunk store that matched data in memory or in a file before creating a notable? It has to store it somewhere before creating a notable.

0 Karma