Solved: Re: Tweek Enterprise Security when having few log ...

b_chris21 · ‎02-01-2020

Hello everyone,

i am using Splunk Enterprise Security but at the moment because I don't have enough logs (only from Suricata) I use only ES's "Incident Review" to track notable events and create investigations. This is quite handy while waiting for new logs to be input and use 100% of Enterprise Security app.

Since I only use 5% of its capabilites I would like to "kill" most of resource consuming functions from ES. Any ideas what shall I deactivate (eg. accelerated searches, apps like threat-Intel since I am offline etc)?

Thanks a lot,

Chris

adonio · ‎02-02-2020

Hello there,

couple of things you can do right away are:
disable DM accelerations for indexes that dont contain any data / enable only relevant DMs and map to the right index
follow this document to manage as you see fit (many links to possible tweaks)
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Managingcontent

hope it helps

View solution in original post

adonio · ‎02-02-2020

Hello there,

couple of things you can do right away are:
disable DM accelerations for indexes that dont contain any data / enable only relevant DMs and map to the right index
follow this document to manage as you see fit (many links to possible tweaks)
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Managingcontent

hope it helps

Tweek Enterprise Security when having few log inputs

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!