Splunk Search

How to speed up my old correlated threat intel search using tstats & datamodel accelerations?

bravosec1
New Member

Hello Splunker>
I would like to convert my old correlation search which used the join function below:-
index=main sourcetype="firewall"
| join dstip [search index=main sourcetype="threat_lists"
| stats count by date, user, srcip, dstip, ETmsg
I want to use tstats & data model acceleration
Notes:-

data user srcip dstip >>>>firewall fields
ETmsg dstip >>>>>>>> threat_lists fields
dstip is common 🙂

0 Karma

DEAD_BEEF
Builder

@bravosec1 Based on the query you provided, you are joining data from two different sourcetypes when they share dstip, then doing a stats count by.

index=main sourcetype="firewall"
| join dstip 
    [search index=main sourcetype="threat_lists" ]
| stats count by date, user, srcip, dstip, ETmsg 

To convert this to a correlated search, we would need to know what data model these are going to and which fields in your original search map to which datamodel fields

0 Karma

alemarzu
Motivator

Hi there @bravosec1

Start reading this first, http://docs.splunk.com/Documentation/CIM/4.10.0/User/Overview

But for this particular use case of yours I would choose summary indexing. Just my 2 cents

0 Karma

bravosec1
New Member

Hi @alemarzu

thank you ... but still I don't want to use the join command, so in my use case I want to correlate two data model seeking matching dstip field..

any help will be appreciated.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...