Splunk Enterprise Security

how to ensure that splunk correlation rules are running continuously in background

saurabh_tek11
Communicator

I see some searches apparently are running but since the user activity is less these days so cant confirm if those events are happening which violates the many of the OOB correlations rule. Other the other hand, log ingestion is no less.

how to ensure that splunk correlation rules are running continuously in background and there is no issue from the searches side.

0 Karma

Splunker
Communicator

Correlation searches are just searches at the end of the day, running on a schedule.

You could do a search like..

index=_internal sourcetype=scheduler savedsearch_name=part_match

Look for a successful run and there should be an evcount (event count) field with a value of 0 or more if it returned any result (depends on your search if no events returned is normal or not).

Also important is the 'status' field which says if it ran, was delegated, deferred, or skipped by Splunks scheduler.

Please forgive any minor inaccuracies of fields, I'm not in front of a PC at the moment 🙂

Cheers.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...