When you create or edit a correlation search, you can configure the Time range, Cron schedule, and Throttling. I have several correlation searches configured like this:
Time range: Start: -15m | Finish: now
Cron schedule: 00, 15, 30, 45
As I understand it, I've asked Splunk to run this correlation search every 15 minutes and to search through 15 minutes of historical events every time it runs.
My question is, if the correlation search is running every 15 minutes, should I have it search trough the last 20 minutes of events (Time range start: -20m) so that there is some "overlap"? Or is what I have above a decent/normal configuration? The searches that I have configured like this take approx 1 minute to run so I don't have to worry about a search taking longer than the allotted 15 minutes.
Also, what is throttling? I have read the documentation on correlation searches and still not clear on what throttling is.
the utility of overlapping depends on the data source and use case; if you're trying to catch transactions of variable length, some overlap can definitely help, but if you're looking for simple correlations it's probably not useful.
Throttling uses the set of fields you specify to prevent creating a new notable event. For instance, if you look at "Brute Force Access Behavior Detected", it throttles by src over a 1 day period. Even if we detect the behavior with a src of 192.168.1.1 on every run, that will only create a single notable event. It gets a little more complicated with multiple fields, for instance if we added user to this rule, we might get two notable events in a day -- one where src=192.168.1.1 and user=mysqladmin were the matching fields, and one where src=192.168.1.1 and user=administrator were the matching fields.