Splunk Enterprise Security

How do I find a list of correlation searches in ES or Splunk Enterprise that are not working (missing macros etc.)?

SamHTexas
Builder

Please help me with an SPL to locate correlation searches that are in trouble, not working right. For example, missing a macro or so. Thank you very much in advance.


lakshman239
SplunkTrust

@SamHTexas you can look at index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in the correlation search due to issues in macros or lookups. You can then tune the SPL as needed for your environment. Hope this helps.

SamHTexas
Builder

Thank you, bro, for your message. Do you have any good SPLs to share for this purpose? For Enterprise or ES? Thank you in advance.


lakshman239
SplunkTrust

Something like this will do in Splunk Core or ES.

index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR"
| rex field=_raw "savedsearch=(?<mysaved_search>.+) err="
| rex field=_raw "savedsearch_id=\"(?<mysavedsearch>.+)\", message=\"Error"
| eval saved_search=coalesce(mysaved_search, mysavedsearch)
| stats count by host, saved_search

You can then adjust as per your setup and perhaps set up an alert/correlation search to show you errors from macros/lookups within the correlation search in ES.


manojannabathin
Loves-to-Learn Everything

How can I check only skipped correlation searches in a Splunk SPL query?

index=notable sourcetype=scheduler status!=success
| stats count as skipped_count by search_type user app savedsearch_name status

With this query I am getting all the skipped searches.

Could you help me with this?

TIA

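Building on lakshman239's scheduler-log approach, here is an added SPL example (not taken from any post on this page) that narrows the scheduler log to skipped ES correlation searches and surfaces why each one was skipped. It assumes the ES convention that correlation search names end in " - Rule"; adjust that filter if your rules are named differently.

```spl
index=_internal sourcetype=scheduler status=skipped
    savedsearch_name="* - Rule"
| stats count AS skipped_count
        latest(reason) AS last_reason
        latest(_time) AS last_skipped
    BY app user savedsearch_name
| convert ctime(last_skipped)
| sort - skipped_count
```

The reason field is the tuning signal: it tells you whether a rule was skipped because the concurrent-search limit was hit or because the previous run was still going, which points at scheduling windows or search cost rather than a broken macro.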