Can I hold all the events which matched the correlation search in Splunk Enterprise Security before they get indexed in the notable index?
So that's like: correlation search runs --> (store all the contributing events in a file) --> then allow Splunk to index into index=notable on disk.
Is it possible to add a script before Splunk indexes events into the notable index?
Hi nandha_2,
Using Splunk, you can only filter events using regexes (see http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad).
If you want to pre-parse your logs before indexing, you have to run a pre-parsing script outside Splunk and index the output file.
Doing this is easy if you have a syslog data flow or a file on the Splunk server, but less easy if you receive logs via a Forwarder, because you have to distribute the external script to every Forwarder.
In addition, you lose real-time monitoring because there is always a delay between when the log arrives and the indexing time.
We have asked Splunk to add the possibility of running a script before indexing, but it is not there yet.
Bye.
Giuseppe
Could you please explain to me what happens when the correlation search matches a set of events? Does Splunk store this in memory or a file before it loads its data into the notable index?
All Splunk search results (correlation or not) are stored in a file for a configurable time, and they are reusable.
You can find it in [Settings -- Processes].
If instead you want information on the search run, use "Job properties".
Bye.
Giuseppe
I am not sure if you understood my question correctly. This is regarding the Splunk Enterprise Security app. A security analyst can configure a correlation search which scans data and takes an action creating notables.
http://docs.splunk.com/Documentation/PCI/3.3.0/Install/Correlationsearches
So, it matches against a set of data. Does Splunk store that matched data in memory or a file before creating a notable? It has to store it somewhere before creating a notable.