Splunk Enterprise Security

Tweek Enterprise Security when having few log inputs

b_chris21
Path Finder

Hello everyone,

i am using Splunk Enterprise Security but at the moment because I don't have enough logs (only from Suricata) I use only ES's "Incident Review" to track notable events and create investigations. This is quite handy while waiting for new logs to be input and use 100% of Enterprise Security app.

Since I only use 5% of its capabilites I would like to "kill" most of resource consuming functions from ES. Any ideas what shall I deactivate (eg. accelerated searches, apps like threat-Intel since I am offline etc)?

Thanks a lot,

Chris

0 Karma
1 Solution

adonio
Ultra Champion

Hello there,

couple of things you can do right away are:
disable DM accelerations for indexes that dont contain any data / enable only relevant DMs and map to the right index
follow this document to manage as you see fit (many links to possible tweaks)
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Managingcontent

hope it helps

View solution in original post

adonio
Ultra Champion

Hello there,

couple of things you can do right away are:
disable DM accelerations for indexes that dont contain any data / enable only relevant DMs and map to the right index
follow this document to manage as you see fit (many links to possible tweaks)
https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Managingcontent

hope it helps

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!