Splunk Enterprise Security

What does "summariesonly" mean in this Enterprise Security search?

test_qweqwe
Builder

I found this search in ES Content Updates

| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`

What does

`summariesonly`

mean? And what should I do to make this search work?

1 Solution

rphillips_splun
Splunk Employee

In this search, `summariesonly` refers to a macro which indicates summariesonly=true, meaning only search data that has been summarized by the data model acceleration. Summarized data will be available once you've enabled data model acceleration for the data model Network_Traffic.

So first:

  • Check that the data model is accelerated:
    Settings > Data Models > Edit Acceleration

  • Is the data model complete (~100%) or always stuck in "building"? If stuck building, is the scheduled search able to run? Here you can check scheduler.log and look for
    index=_internal source=*scheduler.log* "*Network_Traffic*"

    Is the status=successful for these searches?

    DMA searches are scheduled searches that run every 5 min to keep the summarized data up to date. Here is an example from scheduler.log of a successful run for the data model "Splunk_Audit":

    index=_internal source=*scheduler.log* "*Splunk_Audit*"

    10-24-2017 12:40:39.875 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863201, run_time=20.723, result_count=21, alert_actions="", sid="scheduler_nobody_U3BsdW5rX1NBX0NJTQ_RMD5d055c6aa87889902_at_1508863200_2166", suppressed=0, thread_id="AlertNotifierWorker-0"

  • If still having issues, then run the following search to determine the actual search being run when the scheduled search for the data model acceleration runs:
    | rest splunk_server=local /services/datamodel/acceleration | fields title search

    Copy the value from the search field for the relevant data model and run that search manually to see if there are any issues running that search.

  • Check data model and knowledge object permissions and the app context you are running the search from.

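The answer above tells you to pull the DMA runs out of scheduler.log and check their status. As an added example (not part of the original post, and not Splunk's code), here is a small Python parser that does that check offline over pasted scheduler.log lines: it splits each SavedSplunker line into its key=value fields, keeps only search_type="datamodel_acceleration" runs, derives the data model name from the ACCELERATE_DM_<app>_<model>_ACCELERATE saved-search name seen in the quoted line, and reports per model whether the most recent run succeeded, was not successful, or never ran at all (the "empty search" situation in the follow-up below). The first sample line is the Splunk_Audit run quoted in the answer; the other three lines, the status=skipped fields and the sids in them are constructed for this example and are assumptions, not output from a real instance.

```python
import re
from typing import Dict, List

# Constructed sample log. The first line is the successful Splunk_Audit run quoted in
# the answer above; the remaining three lines are made up for this example (two
# Network_Traffic DMA runs, the second skipped, plus a normal scheduled search that
# is not a DMA run). Field names follow the quoted line; the skipped-run fields and
# the CONSTRUCTED sids are assumptions, not copied from a real instance.
SAMPLE_SCHEDULER_LOG = """\
10-24-2017 12:40:39.875 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863201, run_time=20.723, result_count=21, alert_actions="", sid="scheduler_nobody_U3BsdW5rX1NBX0NJTQ_RMD5d055c6aa87889902_at_1508863200_2166", suppressed=0, thread_id="AlertNotifierWorker-0"
10-24-2017 12:40:40.011 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863202, run_time=44.120, result_count=0, alert_actions="", sid="scheduler_nobody_CONSTRUCTED_0001", suppressed=0, thread_id="AlertNotifierWorker-1"
10-24-2017 12:45:41.102 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="ACCELERATE_DM_Splunk_SA_CIM_Network_Traffic_ACCELERATE", priority=highest, status=skipped, reason="constructed example: concurrent search limit reached, run deferred", scheduled_time=1508863500, window_time=0, thread_id="AlertNotifierWorker-1"
10-24-2017 12:45:41.300 -0400 INFO SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Example Correlation Search", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Example Correlation Search", priority=default, status=success, scheduled_time=1508863500, run_time=3.010, result_count=0, sid="scheduler_nobody_CONSTRUCTED_0002", thread_id="AlertNotifierWorker-2"
"""

# key=value pairs: either a double-quoted value (may contain commas and semicolons)
# or a bare token that runs up to the next comma or whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
_TS_RE = re.compile(r"^(\S+ \S+ \S+) ")


def parse_scheduler_line(line: str) -> Dict[str, str]:
    """Split one SavedSplunker line into a dict of its key=value fields plus '_time'."""
    fields = {key: (quoted if quoted else bare) for key, quoted, bare in _KV_RE.findall(line)}
    ts = _TS_RE.match(line)
    if ts:
        fields["_time"] = ts.group(1)
    return fields


def model_name(fields: Dict[str, str]) -> str:
    """Derive the data model name from a DMA saved search name, using the
    ACCELERATE_DM_<app>_<model>_ACCELERATE pattern seen in the quoted log line.
    A dataset suffix such as '.View_Activity' is dropped."""
    name = fields.get("savedsearch_name", "")
    prefix = "ACCELERATE_DM_" + fields.get("app", "") + "_"
    suffix = "_ACCELERATE"
    if name.startswith(prefix) and name.endswith(suffix):
        name = name[len(prefix):-len(suffix)]
    return name.split(".")[0]


def dma_runs(log_text: str) -> List[Dict[str, str]]:
    """Parse every line and keep only data model acceleration runs, oldest first.
    Ordering uses scheduled_time, so results pasted newest-first from the UI still work."""
    runs = []
    for line in log_text.splitlines():
        if "SavedSplunker" not in line:
            continue
        fields = parse_scheduler_line(line)
        if fields.get("search_type") == "datamodel_acceleration":
            runs.append(fields)
    runs.sort(key=lambda f: int(f.get("scheduled_time", "0")))
    return runs


def dma_health(log_text: str, model: str) -> str:
    """Classify scheduler activity for one data model:
    'no_runs'   - no DMA search for this model appears in the log
    'healthy'   - the most recent run has status=success
    'unhealthy' - the most recent run has any other status (e.g. skipped)"""
    runs = [f for f in dma_runs(log_text) if model_name(f) == model]
    if not runs:
        return "no_runs"
    return "healthy" if runs[-1].get("status") == "success" else "unhealthy"


def report(log_text: str) -> Dict[str, str]:
    """Per-model verdict for every data model that has at least one DMA run in the log."""
    models = {model_name(f) for f in dma_runs(log_text)}
    return {m: dma_health(log_text, m) for m in sorted(models)}


if __name__ == "__main__":
    for model, verdict in report(SAMPLE_SCHEDULER_LOG).items():
        print(f"{model:20s} {verdict}")
    # A model with no DMA runs at all (cf. the empty search in the follow-up below)
    print(f"{'Endpoint':20s} {dma_health(SAMPLE_SCHEDULER_LOG, 'Endpoint')}")
```

To use it against a real instance, export the results of the `index=_internal source=*scheduler.log*` search as raw events and pass the text to `report()`; a model that comes back `no_runs` points at the acceleration or permission checks in the answer, while `unhealthy` means the run is being scheduled but not completing, so the `reason` field of the last run is the next thing to read.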


b_chris21
Path Finder

Hello,

Thanks for your detailed answer. I have just realized after running:

| rest splunk_server=local /services/datamodel/acceleration | fields title search

that my Endpoint Datamodel has an empty search while all the others have one in place.

What might be the reason for that?

I have manually rebuilt the acceleration. Will this do the trick?

Thank you in advance.

Chris
