Splunk Enterprise Security

Time Range options in Correlation Search?

echojacques
Builder

In Enterprise Security I have this correlation search which I believe includes searching through the previous 24 hours of events:

| inputlookup append=T listeningports_tracker | eval _time=firstTime | `hoursago(24)` | stats dc(dest) as dest_count by transport,dest_port | search dest_count>10

In the correlation search properties (Configure->Correlation Searches->Edit Correlation Search) you can specify a "time range". Would it be incorrect to specify the start time as -60m (previous 60 minutes) if the search string itself wants to go back 24 hours?

I'm confused about how the time range options affect searches that include defined time ranges.

Thanks.

0 Karma
1 Solution

hazekamp
Builder

echojacques,

In this case the search is an "| inputlookup" search, so the "time range" in the correlation search editor is ignored. This holds true for Splunk search as well (the TimeRangePicker would be ignored in the flashtimeline/search view). This is why we are using the hoursago macro to filter based on time.


echojacques
Builder

Great, thanks for the info! So I'll modify the in-search time references and also the Time Range (start/end) settings in the search config.

0 Karma

hazekamp
Builder

That correlation search is a tstats query, so it absolutely respects "time range" (either a Time Range Picker, or in this case dispatch.earliest and dispatch.latest in savedsearches.conf).

For this correlation search, you can modify the "time range" to look back over a different period of time, we would just need to also modify the in-search bucket calculation.

Let's say you wanted to go back 30 days: you would modify all instances of "Last 60 days" to "Last 30 days", and timeDiff<=5184000 to timeDiff<=2592000.

0 Karma

echojacques
Builder

| bin _time span=1d | stats sum(count) as count by _time,group,transport,dest_port | eval temp=if(group="Last 60 days",transport.dest_port,null()) | eventstats stdev(count) as stdev,avg(count) as avg by temp | eventstats max(stdev) as stdev,max(avg) as avg by transport,dest_port | dedup transport,dest_port sortby -_time | eval limit=(3.2*stdev)+avg | eval diff=count-limit | search diff>0

0 Karma

echojacques
Builder

Thanks for the info! So then what about this correlation search that doesn't use inputlookup and looks like it goes back 60 days?

| `tstats` sum(count) from sa_port_proto groupby _time,transport,dest_port span=30m | stats sum(count) as count by _time,transport,dest_port | `timeDiff` | appendpipe [search timeDiff<=86400 | stats max(_time) as _time,sum(count) as count by transport,dest_port | eval group="Last 24 hours"] | eval group=if(_time<relative_time(time(),"@d") AND timeDiff<=5184000,"Last 60 days",group)

continued in next comment...

0 Karma
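The point hazekamp makes about the tstats search is that two separate windows are in play: the dispatch time range decides which buckets tstats returns at all, and the in-search constants ("Last 60 days", timeDiff<=5184000) decide which of those buckets enter the baseline. The script below is an added example, not code from this thread or from Splunk Enterprise Security. It re-implements the time handling of the quoted port/protocol search in plain Python on constructed daily counts, so you can see what happens when only one of the two windows is changed. It assumes that tstats returns 1-day buckets whose start is at or after a dispatch earliest of "-Nd@d" (midnight N days ago, UTC), that the `timeDiff` macro evaluates to now()-_time, and that Splunk's stdev() is the sample standard deviation; none of these details are stated on the page.

```python
"""Model of the two time windows in the ES port/protocol correlation search.

Added example, not code from the thread or from Splunk Enterprise Security.
Assumptions (not stated on the page):
  * tstats only returns 1-day buckets whose start time is >= dispatch earliest,
    taken here as "-Nd@d" (midnight N days ago, UTC).
  * the `timeDiff` macro evaluates to now() - _time for each bucket.
  * Splunk's stdev() is the sample standard deviation (n-1), like statistics.stdev.
"""
from statistics import mean, stdev

DAY = 86400
NOW = 1_700_000_000              # constructed "now" (an arbitrary fixed epoch)
TODAY_MIDNIGHT = NOW - NOW % DAY  # relative_time(now(), "@d")


def timediff_threshold(days: int) -> int:
    """Seconds to use in 'timeDiff<=N' for a lookback of `days` days."""
    return days * DAY             # 60 -> 5184000, 30 -> 2592000 (the thread's numbers)


def visible_buckets(counts_by_age: dict, dispatch_days: int) -> dict:
    """Buckets the dispatch time range lets tstats return at all.

    counts_by_age maps 'days ago' (0 = today's partial bucket) to the summed
    count for one transport/dest_port pair; a bucket's _time is its midnight.
    """
    earliest = TODAY_MIDNIGHT - dispatch_days * DAY           # dispatch.earliest_time=-Nd@d
    return {age: c for age, c in counts_by_age.items()
            if TODAY_MIDNIGHT - age * DAY >= earliest}


def baseline_counts(visible: dict, baseline_days: int) -> list:
    """In-search group assignment: _time < @d AND timeDiff <= threshold."""
    threshold = timediff_threshold(baseline_days)
    out = []
    for age, c in visible.items():
        bucket_time = TODAY_MIDNIGHT - age * DAY
        time_diff = NOW - bucket_time                          # `timeDiff`
        if bucket_time < TODAY_MIDNIGHT and time_diff <= threshold:
            out.append(c)
    return out


def evaluate(counts_by_age, last_24h_count, dispatch_days, baseline_days, k=3.2):
    """Return (buckets_in_baseline, limit, alert), mirroring limit=(3.2*stdev)+avg
    and search diff>0 on the 'Last 24 hours' row."""
    base = baseline_counts(visible_buckets(counts_by_age, dispatch_days), baseline_days)
    if len(base) < 2:
        # Not enough history for a standard deviation; this model does not alert.
        return len(base), None, False
    limit = k * stdev(base) + mean(base)
    return len(base), limit, last_24h_count - limit > 0


# Constructed history for one transport/dest_port pair: 10 new listeners a day
# until 30 days ago, then 2 a day. 15 have shown up in the last 24 hours.
TODAY = 15
HISTORY = {age: (2 if age <= 29 else 10) for age in range(1, 71)}
HISTORY[0] = TODAY

if __name__ == "__main__":
    for dispatch, baseline in [(60, 60), (30, 30), (30, 60), (60, 30)]:
        n, limit, alert = evaluate(HISTORY, TODAY, dispatch, baseline)
        print(f"dispatch -{dispatch}d@d, in-search {baseline} days: "
              f"{n} baseline buckets, limit={limit:.2f}, alert={alert}")
```

Running it shows that the effective baseline is the shorter of the two windows: with the dispatch range cut to 30 days but the in-search constant left at 60, the baseline silently shrinks to 30 buckets; with the dispatch range at 60 days and the constant cut to 30, the extra 30 days are fetched and then discarded. It also shows why the bucket exactly N days old falls out of the baseline: its timeDiff is N*86400 plus the seconds elapsed since midnight, so it exceeds the threshold. Change both settings together, as the answer says.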