
Correlation Searches - timing, scheduling, and throttling question

echojacques
Builder

When you create or edit a correlation search, you can configure the Time range, Cron schedule, and Throttling. I have several correlation searches configured like this:

Time range: Start: -15m | Finish: now

Cron schedule: 00, 15, 30, 45

Throttling: 1d

As I understand it, I've asked Splunk to run this correlation search every 15 minutes and to search through 15 minutes of historical events every time it runs.

My question is, if the correlation search is running every 15 minutes, should I have it search through the last 20 minutes of events (Time range start: -20m) so that there is some "overlap"? Or is what I have above a decent/normal configuration? The searches that I have configured like this take approx. 1 minute to run, so I don't have to worry about a search taking longer than the allotted 15 minutes.

Also, what is throttling? I have read the documentation on correlation searches and am still not clear on what throttling is.

Thanks!


jcoates_splunk
Splunk Employee

Hi,

the utility of overlapping depends on the data source and use case; if you're trying to catch transactions of variable length, some overlap can definitely help, but if you're looking for simple correlations it's probably not useful.

Throttling uses the set of fields you specify to prevent creating a new notable event. For instance, if you look at "Brute Force Access Behavior Detected", it throttles by src over a 1 day period. Even if we detect the behavior with a src of 192.168.1.1 on every run, that will only create a single notable event. It gets a little more complicated with multiple fields, for instance if we added user to this rule, we might get two notable events in a day -- one where src=192.168.1.1 and user=mysqladmin were the matching fields, and one where src=192.168.1.1 and user=administrator were the matching fields.

Jack
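As an added illustration, not Splunk's code and not part of the original thread, the following Python models the throttling behaviour Jack describes: a detection is suppressed when a notable event with the same values for the throttle fields was already created less than the throttle window ago. The detection sample, the field names src and user and the 1-day window are constructed to mirror the brute-force example above.

```python
from datetime import datetime, timedelta

ONE_DAY = timedelta(days=1)

# Constructed sample: what one correlation search matched on each 15-minute run.
# Every run matches the same src; the user field varies between runs.
DETECTIONS = [
    (datetime(2024, 1, 1, 0, 0),  {"src": "192.168.1.1", "user": "mysqladmin"}),
    (datetime(2024, 1, 1, 0, 15), {"src": "192.168.1.1", "user": "mysqladmin"}),
    (datetime(2024, 1, 1, 0, 30), {"src": "192.168.1.1", "user": "administrator"}),
    (datetime(2024, 1, 1, 0, 45), {"src": "192.168.1.1", "user": "mysqladmin"}),
    # Next day: the 1-day throttle window has expired, so this fires again.
    (datetime(2024, 1, 2, 0, 0),  {"src": "192.168.1.1", "user": "mysqladmin"}),
]


def throttle(detections, fields, window=ONE_DAY):
    """Return the (timestamp, key) pairs that would become notable events.

    `fields` is the tuple of throttle fields; a detection whose values for those
    fields match a notable created less than `window` ago is suppressed.
    This is a hypothetical model of ES throttling, not Splunk's implementation.
    """
    last_notable = {}   # throttle key -> time of the last notable for that key
    notables = []
    for ts, result in sorted(detections, key=lambda d: d[0]):
        key = tuple(result.get(f) for f in fields)
        prev = last_notable.get(key)
        if prev is not None and ts - prev < window:
            continue    # suppressed: same key, still inside the throttle window
        last_notable[key] = ts
        notables.append((ts, key))
    return notables


def count_notables(fields, window=ONE_DAY):
    """Number of notable events the constructed sample would produce."""
    return len(throttle(DETECTIONS, fields, window))


if __name__ == "__main__":
    # Throttling by src alone collapses day one to a single notable; adding
    # user to the throttle fields yields one notable per distinct (src, user).
    for fields in (("src",), ("src", "user")):
        for ts, key in throttle(DETECTIONS, fields):
            print(ts.isoformat(), dict(zip(fields, key)))
        print(fields, "->", count_notables(fields), "notables")
```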

echojacques
Builder

Thanks for the explanation.
