Splunk Enterprise Security

Time Range options in Correlation Search?

echojacques
Builder

In Enterprise Security I have this correlation search which I believe includes searching through the previous 24 hours of events:

| inputlookup append=T listeningports_tracker | eval _time=firstTime | `hoursago(24)` | stats dc(dest) as dest_count by transport,dest_port | search dest_count>10

In the correlation search properties (Configure->Correlation Searches->Edit Correlation Search) you can specify a "time range". Would it be incorrect to specify the start time as -60m (previous 60 minutes) if the search string itself wants to go back 24 hours?

I'm confused about how the time range options affect searches that include defined time ranges.

Thanks.

0 Karma
1 Solution

hazekamp
Builder

echojacques,

In this case the search is an "| inputlookup" search, so the "time range" in the correlation search editor is ignored. This holds true for Splunk search as well (the TimeRangePicker would be ignored in the flashtimeline/search view). This is why we are using the hoursago macro to filter based on time.


echojacques
Builder

Great, thanks for the info! So I'll modify the in-search time references and also the Time Range (start/end) settings in the search config.

0 Karma

hazekamp
Builder

That correlation search is a tstats query, so it absolutely respects "time range" (either a Time Range Picker, or in this case dispatch.earliest and dispatch.latest in savedsearches.conf).

For this correlation search, you can modify the "time range" to look back over a different period of time; we would just need to also modify the in-search bucket calculation.

If you wanted to go back 30 days, you would modify all instances of "Last 60 days" to "Last 30 days", and timeDiff<=5184000 to timeDiff<=2592000.

0 Karma

echojacques
Builder

| bin _time span=1d | stats sum(count) as count by _time,group,transport,dest_port | eval temp=if(group="Last 60 days",transport.dest_port,null()) | eventstats stdev(count) as stdev,avg(count) as avg by temp | eventstats max(stdev) as stdev,max(avg) as avg by transport,dest_port | dedup transport,dest_port sortby -_time | eval limit=(3.2*stdev)+avg | eval diff=count-limit | search diff>0

0 Karma

echojacques
Builder

Thanks for the info! So then what about this correlation search that doesn't use inputlookup and looks like it goes back 60 days?

| `tstats` sum(count) from sa_port_proto groupby _time,transport,dest_port span=30m | stats sum(count) as count by _time,transport,dest_port | `timeDiff` | appendpipe [search timeDiff<=86400 | stats max(_time) as _time,sum(count) as count by transport,dest_port | eval group="Last 24 hours"] | eval group=if(_time<relative_time(time(),"@d") AND timeDiff<=5184000,"Last 60 days",group

continued in next comment...

0 Karma