Splunk Enterprise Security

What does "summariesonly" mean in this Enterprise Security search?


I found this search in ES Content Updates

| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`

What does `summariesonly` mean?

And what should I do to make this search work?


Splunk Employee

In this search, `summariesonly` refers to a macro that expands to summariesonly=true, meaning only search data that has been summarized by data model acceleration. Summarized data will be available once you have enabled data model acceleration for the data model Network_Traffic.

So first:

  • Check that the data model is accelerated:
    Settings>data models > > edit acceleration

  • Is the data model ~100% complete, or is it always stuck in building? If it is stuck building, is the scheduled search able to run? You can check scheduler.log and look for:
    index=_internal source=*scheduler.log* "*Network_Traffic*"

Is the status successful for these searches?

DMA searches are scheduled searches that run every 5 min to keep the summarized data up to date. Here is an example from scheduler.log of a successful run for the data model "Splunk_Audit"

index=_internal source=*scheduler.log* "*Splunk_Audit*"

10-24-2017 12:40:39.875 -0400 INFO SavedSplunker - savedsearch_id="nobody;Splunk_SA_CIM;_ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE_", search_type="datamodel_acceleration", user="nobody", app="Splunk_SA_CIM", savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit.View_Activity_ACCELERATE_", priority=highest, status=success, digest_mode=1, scheduled_time=1508863200, window_time=0, dispatch_time=1508863201, run_time=20.723, result_count=21, alert_actions="", sid="scheduler__nobody__U3BsdW5rX1NBX0NJTQ__RMD5d055c6aa87889902_at_1508863200_2166", suppressed=0, thread_id="AlertNotifierWorker-0"

  • If you are still having issues, run the following search to determine the actual search that runs when the scheduled data model acceleration job fires:
    | rest splunk_server=local /services/datamodel/acceleration | fields title search

Copy the value from the search field for the relevant data model and run that search manually to see if there are any issues running it.

  • Check data model and knowledge object permissions, and the app context you are running the search from.

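The checks in the answer above, written out as searches you can paste into the search bar one at a time. This is an added example and not part of the original post. The first search is the original with the `summariesonly`, `ctime` and `drop_dm_object_name` macros expanded by hand (the expansions used here, summariesonly=true, convert ctime(...) and rename All_Traffic.* as *, are assumed to match the ES/CIM macro definitions on your system). The second runs the same tstats filter once against summaries only and once against everything, so a zero on the summarized side points at acceleration rather than at the data. The third reads acceleration state from the REST endpoint named in the answer (the complete and last_error field names are assumed). The fourth summarizes scheduler.log outcomes per acceleration job, assuming the search_type and savedsearch_name fields of scheduler.log.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic
    where All_Traffic.app=tor AND All_Traffic.action=allowed
    by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action
| convert ctime(firstTime) ctime(lastTime)
| rename All_Traffic.* as *

| tstats summariesonly=true count as summarized from datamodel=Network_Traffic
    where All_Traffic.app=tor AND All_Traffic.action=allowed
| appendcols [| tstats summariesonly=false count as total from datamodel=Network_Traffic
    where All_Traffic.app=tor AND All_Traffic.action=allowed]
| eval verdict=case(total=0, "no matching events in the raw data: check app=tor and action=allowed tagging",
                    summarized=0, "events exist but nothing is summarized: acceleration is off or not built",
                    summarized<total, "summary lags the raw data: acceleration still building or behind",
                    true(), "summaries are current")

| rest splunk_server=local /services/datamodel/acceleration
| search title=Network_Traffic
| table title complete last_error search

index=_internal source=*scheduler.log* search_type=datamodel_acceleration savedsearch_name="*Network_Traffic*"
| stats latest(_time) as last_run latest(status) as last_status
        count(eval(status="success")) as ok count(eval(status!="success")) as failed
    by savedsearch_name
| convert ctime(last_run)
```

Run the second search over a short time range: with summariesonly=false, tstats falls back to searching raw events through the data model for anything not yet summarized, which is exactly the slow path the macro exists to avoid. Once the REST search shows the model complete and the scheduler.log search shows recent status=success, the original search with the `summariesonly` macro should start returning results.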