Solved: Reg. Correlation searches. Do they have to be conf...

SamHTexas · ‎03-25-2021

Reg. Correlation searches. Do they have to be configured in Splunk Ent. & ES? Could they be only on one of these 2 ? And reused in the whole environment? If can be on one side? How do I benefit across the whole environment?

richgalloway · ‎03-25-2021

Correlation searches are an ES concept. Outside of ES they're called "scheduled searches". Whatever they're called and wherever they exist they still have access to all of your indexed data.

What are you doing with them that they need to be in both the ES search head and the non-ES search head? IMO, running the same search in two search heads just doubles the load on the indexers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-25-2021

Correlation searches are an ES concept. Outside of ES they're called "scheduled searches". Whatever they're called and wherever they exist they still have access to all of your indexed data.

What are you doing with them that they need to be in both the ES search head and the non-ES search head? IMO, running the same search in two search heads just doubles the load on the indexers.

---
If this reply helps you, Karma would be appreciated.

SamHTexas · ‎03-25-2021

That answers my question sir, Thank u.

Reg. Correlation searches. Do they have to be configured in Splunk Ent. & ES? Could they be only on one of these 2 ?

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)