Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Correlation searches scheduling to overcome downtimes and event delays

tibi
Observer
‎06-09-2021 01:10 AM

Hello,

 

Hello,

 

Any suggestions on how to configure the correlation search schedule in a way that will not be affected by a maintenance downtime ? 

 

For example if you have a correlation search that is schedule to run every hour at minute 5 for the last hour . how can be configured to cover also the skipped run and to not miss alerts?

 

Thanks.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-09-2021 01:38 AM

Can you do your correlation search over a couple of hours bucketed by hour, then append the previous results and remove duplicates?

0 Karma
Reply

tibi
Observer
‎06-10-2021 04:14 AM

thanks for the reply.

 

please can you provide an example how to configure the cs and how to exclude duplicates?

0 Karma
Reply
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...