Splunk Enterprise Security

Tweak Enterprise Security when having few log inputs

New Member

Hello everyone,

I am using Splunk Enterprise Security, but at the moment, because I don't have enough logs (only from Suricata), I use only ES's "Incident Review" to track notable events and create investigations. This is quite handy while waiting for new logs to be ingested so that I can use 100% of the Enterprise Security app.

Since I only use 5% of its capabilities, I would like to "kill" most of the resource-consuming functions of ES. Any ideas what I should deactivate (e.g. accelerated searches, apps like Threat Intel since I am offline, etc.)?

Thanks a lot,

Chris


Re: Tweak Enterprise Security when having few log inputs

SplunkTrust

Hello there,

A couple of things you can do right away:
disable DM accelerations for indexes that don't contain any data / enable only the relevant DMs and map them to the right index
follow this document to manage as you see fit (many links to possible tweaks):
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Managingcontent

hope it helps

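Concretely, the first suggestion comes down to two Splunk conf files: datamodels.conf decides which data models get accelerated (each accelerated model runs a scheduled summary search, so an unpopulated model is pure overhead), and the CIM index macros in macros.conf restrict each model's searches to the index that actually holds its data. The fragment below is an added illustration and is not part of the original answer or of ES itself; it assumes a single index named suricata, that ES's accelerations live under Splunk_SA_CIM (check with `splunk btool datamodels list --debug` before editing), and that only Network_Traffic and Intrusion_Detection can be populated from Suricata logs.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/datamodels.conf
# Assumed layout: Suricata feeds only these two models, so keep
# acceleration on for them and shorten the window to cut summary work.
[Network_Traffic]
acceleration = 1
acceleration.earliest_time = -7d

[Intrusion_Detection]
acceleration = 1
acceleration.earliest_time = -7d

# Models with no source data yet: stop their scheduled acceleration
# searches entirely. Re-enable each one when its data source arrives.
[Authentication]
acceleration = 0

[Malware]
acceleration = 0

[Threat_Intelligence]
acceleration = 0

[Web]
acceleration = 0

[Endpoint]
acceleration = 0

# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
# Map the kept models to the index that holds the data, so their
# searches (and ES correlation searches built on them) do not scan
# every index. Index name "suricata" is an assumption for this example.
[cim_Network_Traffic_indexes]
definition = (index=suricata)

[cim_Intrusion_Detection_indexes]
definition = (index=suricata)
```

After a restart (or a reload of the CIM setup page), confirm the change took effect: `| tstats summariesonly=t count from datamodel=Network_Traffic` should return events, while the same search against a model you disabled returns nothing, and the disabled models' ACCELERATE_DM_* searches should disappear from the scheduler activity view. Leave acceleration on for any model an ES correlation search you still rely on reads from, since those searches typically query the summary, not the raw index.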