Solved: Why do correlation searches in Enterprise Security...

koshyk · ‎02-02-2016

hi,

I was looking into the out-of-box Splunk correlation searches in Splunk Enterprise Security (ES) and it contains allow_old_summaries=true and not summariesOnly=true. Both give me the same set of results.

Time required to run the original Splunk Searches takes me >220 seconds, but with summariesOnly=true, it gives me exactly same output in 8 seconds. So was thinking why Splunk didn't do it in first place? Will data be missed if I use summariesOnly=true?

stanwin · ‎02-03-2016

When you add the summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx.) If you dont have acceleration configured, or it hasnt run fully, then you wont get results.

From https://answers.splunk.com/answers/301913/where-and-when-do-we-use-summariesonlyt-with-datam.html

also

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

View solution in original post

stanwin · ‎02-03-2016

When you add the summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx.) If you dont have acceleration configured, or it hasnt run fully, then you wont get results.

From https://answers.splunk.com/answers/301913/where-and-when-do-we-use-summariesonlyt-with-datam.html

also

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

koshyk · ‎02-04-2016

Thank you. So that means if we have accelerated data models(eg Splunk_TA_CIM), it is good enough to use "summariesonly=t"

Why do correlation searches in Enterprise Security not use "summariesOnly=true"?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)