×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kirchoff
Explorer
Member since: ‎03-01-2020
a week ago
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 1
Member Since ‎03-01-2020
Activity Feed
View All

Re: Correlation Search Skipped / Backfill Operatio...

by in Splunk Enterprise Security
a week ago
1 Karma
a week ago
1 Karma
Thank you both for your detailed answers. I completely agree with your assessments and recommendations. Nearly all of our correlation searches are configured to run against accelerated data models, and their average runtime is around 10 seconds. The searches are scheduled to run every 5 minutes, and we have distributed their cron schedules evenly (e.g., */5 * * * *, 1/5 * * * *, 2/5 * * * *, etc.) to reduce concurrency peaks. However, in certain situations where system performance drops, some searches take over 300 seconds to complete, which leads to them being skipped as you described. As you suggested, we are investigating the root causes (infrastructure, query optimization, etc.) so that skips do not occur in the first place. In parallel, we also want to be prepared with an effective workaround for the cases that still slip through. In particular, I'm exploring whether there might be a workaround involving Adaptive Response actions to somehow manually trigger the relevant correlation rules or actions when a scheduled search is skipped due to resource limitations. If you have any ideas or have seen such approaches implemented (for example, triggering alerts or responses outside the normal search schedule when skips are detected), your input would be extremely valuable. ... View more

Correlation Search Skipped / Backfill Operations

by in Splunk Enterprise Security
a week ago
a week ago
Hi all, We intermittently see some ES correlation searches getting “skipped” at their scheduled run time (we confirm this from _internal logs). When the correlation search runs normally, it triggers Notable Event creation and Risk Analysis (Risk Modifier) adaptive response actions. However, when a run is skipped, the corresponding time window is effectively missed: no notable events are created and no risk modifier events are generated, which creates a security coverage gap. What we need is a supported/recommended way to backfill / replay a correlation search for a specific earliest/latest time range that was skipped. The replay must: Execute the same SPL for the missed window, Trigger the same Adaptive Response actions (Notable + Risk Modifier) based on the results, Not create duplicates (no duplicate notables and no duplicate risk events) — i.e., the replay should be idempotent. If anyone has faced this before, I’d appreciate any best-practice recommendations or a supported approach to handle replay/backfill for skipped correlation searches in ES. ... View more

Certificate error while installing app via API fro...

by in Security
‎12-27-2022 12:28 PM
‎12-27-2022 12:28 PM
Hi all, I'm trying to install(tar.gz file) an app available on GitLab. I am using 'apps/local' endpoint to install it.     curl -k -u user:pass -X POST https://localhost:8089/services/apps/local -d path=https://gitlab.com/xxxxx/yyyyy/internal_app-1.0.0.tar.gz -d update=1     But it gives an error like below.     splunklib.binding.HTTPError: HTTP 500 Internal Server Error -- Unexpected error downloading update: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.     Does anyone have an idea how can i solve it? Btw, i do not want to disable ssl-tls verification if possible.     ... View more
Labels

Splunk REST API | Validate SPL

by in Splunk Dev
‎01-21-2022 02:18 PM
‎01-21-2022 02:18 PM
Hi all, I am working on a project that take SPL input from user. So, i need to be sure that SPL has a correct syntax without making a search with the SPL. I could not see but is there a validator for SPLs? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
a week ago
Karma from
View All
Karma given to
View All