Splunk Enterprise Security

Tweak Enterprise Security when having few log inputs

b_chris21
Path Finder

Hello everyone,

I am using Splunk Enterprise Security, but at the moment, because I don't have enough logs (only from Suricata), I use only ES's "Incident Review" to track notable events and create investigations. This is quite handy while waiting for new logs to be ingested so that I can use 100% of the Enterprise Security app.

Since I only use 5% of its capabilities, I would like to "kill" most of the resource-consuming functions of ES. Any ideas what I should deactivate (e.g. accelerated searches, apps like Threat Intel since I am offline, etc.)?

Thanks a lot,

Chris

0 Karma

adonio
SplunkTrust

Hello there,

A couple of things you can do right away are:
- disable DM accelerations for indexes that don't contain any data / enable only the relevant DMs and map them to the right index
- follow this document to manage content as you see fit (many links to possible tweaks):
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Managingcontent

hope it helps

0 Karma
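The two tweaks in the answer above (accelerate only the data models you actually feed, and pin each of those to the index that holds the data) can be planned from the existing configuration rather than clicked through one model at a time. The script below is an added example, not code from the poster, the answerer or Splunk: it parses a datamodels.conf-style text, works out which models need their acceleration flag flipped for a deployment that only has Suricata data (assumed here to populate the Intrusion_Detection and Network_Traffic models from an index named `suricata`), and renders the local datamodels.conf and macros.conf stanzas. The sample conf is constructed, and the `cim_<Model>_indexes` macro names follow the per-model index macros that the CIM Setup page in Splunk_SA_CIM writes.

```python
"""Plan which CIM data-model accelerations to keep when only a few sources exist.

Added illustration for the thread above; not Splunk's, the poster's or the
answerer's code.  Assumptions (labelled): the input mirrors the layout of
Splunk_SA_CIM/local/datamodels.conf, and per-model index whitelists live in
macros such as cim_Intrusion_Detection_indexes, as CIM Setup writes them.
"""
import configparser

# Constructed sample of a datamodels.conf where every model was left
# accelerated by an earlier setup run.  Not captured from a real deployment.
SAMPLE_DATAMODELS_CONF = """\
[Authentication]
acceleration = 1
acceleration.earliest_time = -1y

[Intrusion_Detection]
acceleration = 1
acceleration.earliest_time = -1y

[Network_Traffic]
acceleration = 1
acceleration.earliest_time = -1y

[Web]
acceleration = 1
acceleration.earliest_time = -1y

[Malware]
acceleration = 0
"""


def parse_conf(text):
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. acceleration.earliest_time
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def is_true(value):
    """Splunk accepts 1/true/t/yes/y for boolean keys."""
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y")


def plan_acceleration(conf, fed_models):
    """Keep acceleration only for models that actually receive data.

    fed_models: {model_name: [index, ...]} for models with real input.
    Returns {model: (currently_on, wanted_on)} for models that must change;
    models already in the right state are left alone.
    """
    changes = {}
    for model, keys in conf.items():
        now = is_true(keys.get("acceleration", "0"))
        want = model in fed_models
        if now != want:
            changes[model] = (now, want)
    return changes


def render_datamodels_local(changes):
    """Render local/datamodels.conf stanzas that override only the flag."""
    lines = []
    for model, (_now, want) in sorted(changes.items()):
        lines.append(f"[{model}]")
        lines.append(f"acceleration = {1 if want else 0}")
        lines.append("")
    return "\n".join(lines)


def render_index_macros(fed_models):
    """Render macros.conf stanzas pinning each fed model to its indexes,
    so its accelerated searches never scan indexes that hold nothing for it."""
    lines = []
    for model, indexes in sorted(fed_models.items()):
        clause = " OR ".join(f"index={ix}" for ix in indexes)
        lines.append(f"[cim_{model}_indexes]")
        lines.append(f"definition = ({clause})")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Suricata-only deployment: assumed to feed these two models (assumption).
    fed = {"Intrusion_Detection": ["suricata"], "Network_Traffic": ["suricata"]}
    conf = parse_conf(SAMPLE_DATAMODELS_CONF)
    changes = plan_acceleration(conf, fed)
    print("# local/datamodels.conf")
    print(render_datamodels_local(changes))
    print("# local/macros.conf")
    print(render_index_macros(fed))
```

Drop the rendered stanzas into Splunk_SA_CIM/local/ (or make the same changes in the CIM Setup page, which writes the same keys) and confirm the merged result with `splunk btool datamodels list --debug` before restarting; the `--debug` output shows which file each `acceleration` value came from, so a leftover override in another app's local directory is easy to spot.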