Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I find a list of correlation searches in ES or Splunk Ent. that are not working like missing macros etc...?

SamHTexas
Builder
‎09-01-2021 10:21 AM

Please help me with an SPL to locate Corr. searches that are in trouble , not working right. For example missing a macro or so. Thank u very much in advance.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

lakshman239
Influencer
‎09-03-2021 06:11 AM

@SamHTexas   you can look at  index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment.  Hope this helps.

Reply

SamHTexas
Builder
‎09-03-2021 09:05 AM

Thank u bro. for your message, do you have any good SPLs to share for this purpose? For Enterprise or ES? Thank u in advance.

Tags (1)
0 Karma
Reply

lakshman239
Influencer
‎09-08-2021 05:25 AM

Something like this will do in Splunk Core or ES.

index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" |rex field=_raw "savedsearch=(?<mysaved_search>.+) err=" | rex field=_raw "savedsearch_id=\"(?<mysavedsearch>.+)\", message=\"Error" | stats count by host, mysaved_search

 You can then adjust as per your setup and perhaps setup an alert/correlation search to show you  errors from macros/lookups within the correlation search in ES. 

0 Karma
Reply

manojannabathin
Loves-to-Learn Everything
‎01-24-2023 01:42 AM

how can check only skipped correlation search in splunk spl query


index=notable sourcetype=scheduler status!=success
| stats count as skipped_count by search_type user app savedsearch_name status

 

with this query i am getting all the skipped searches 

could you help me on this

TIA

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...