Splunk Enterprise Security

Time Range options in Correlation Search?

echojacques
Builder

In Enterprise Security I have this correlation search which I believe includes searching through the previous 24 hours of events:

| inputlookup append=T listeningports_tracker | eval _time=firstTime | `hoursago(24)` | stats dc(dest) as dest_count by transport,dest_port | search dest_count>10

In the correlation search properties (Configure->Correlation Searches->Edit Correlation Search) you can specify a "time range". Would it be incorrect to specify the start time as -60m (previous 60 minutes) if the search string itself wants to go back 24 hours?

I'm confused about how the time range options affect searches that include defined time ranges.

Thanks.

0 Karma
1 Solution

hazekamp
Builder

echojacques,

In this case the search is an "| inputlookup" search, so the "time range" in the correlation search editor is ignored. This holds true for Splunk search as well (the TimeRangePicker would be ignored in the flashtimeline/search view). This is why we are using the hoursago macro to filter based on time.

View solution in original post

hazekamp
Builder

echojacques,

In this case the search is an "| inputlookup" search, so the "time range" in the correlation search editor is ignored. This holds true for Splunk search as well (the TimeRangePicker would be ignored in the flashtimeline/search view). This is why we are using the hoursago macro to filter based on time.

echojacques
Builder

Great, thanks for the info! So I'll modify the in-search time references and also the Time Range (start/end) settings in the search config.

0 Karma

hazekamp
Builder

That correlation search is a tstats query, so it absolutely respects "time range" (either a Time Range Picker, or in this case dispatch.earliest and dispatch.latest in savedsearches.conf).

For this correlation search, you can modify the "time range" to look back over a different period of time, we would just need to also modify the in-search bucket calculation.

Let's say you wanted to go back 30 days, you would modify all instances of "Last 60 days" to "Last 30 days", and timeDiff<=5184000 to timeDiff<=2592000.

0 Karma

echojacques
Builder

| bin _time span=1d | stats sum(count) as count by _time,group,transport,dest_port | eval temp=if(group="Last 60 days",transport.dest_port,null()) | eventstats stdev(count) as stdev,avg(count) as avg by temp | eventstats max(stdev) as stdev,max(avg) as avg by transport,dest_port | dedup transport,dest_port sortby -_time | eval limit=(3.2*stdev)+avg | eval diff=count-limit | search diff>0

0 Karma

echojacques
Builder

Thanks for the info! So then what about this correlation search that doesn't use inputlookup and looks like it goes back 60 days?

| `tstats` sum(count) from sa_port_proto groupby _time,transport,dest_port span=30m | stats sum(count) as count by _time,transport,dest_port | `timeDiff` | appendpipe [search timeDiff<=86400 | stats max(_time) as _time,sum(count) as count by transport,dest_port | eval group="Last 24 hours"] | eval group=if(_time<relative_time(time(),"@d") AND timeDiff<=5184000,"Last 60 days",group

continued in next comment...

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...