Splunk Enterprise Security

How do I find a list of correlation searches in ES or Splunk Enterprise that are not working (e.g. because of missing macros)?

SamHTexas
Builder

Please help me with an SPL search to locate correlation searches that are in trouble or not working right, for example because of a missing macro. Thank you very much in advance.


lakshman239
SplunkTrust

@SamHTexas You can look at index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR" to see all failures in correlation searches due to issues in macros or lookups. You can then tune the SPL as needed for your environment. Hope this helps.

SamHTexas
Builder

Thank you, bro, for your message. Do you have any good SPL searches to share for this purpose, for Enterprise or ES? Thank you in advance.


lakshman239
SplunkTrust

Something like this will do in Splunk Core or ES.

index=_internal (sourcetype=splunkd OR sourcetype=scheduler) log_level="ERROR"
| rex field=_raw "savedsearch=(?<mysaved_search>.+) err="
| rex field=_raw "savedsearch_id=\"(?<mysavedsearch>.+)\", message=\"Error"
| eval mysaved_search=coalesce(mysaved_search, mysavedsearch)
| stats count by host, mysaved_search

You can then adjust it as per your setup and perhaps set up an alert/correlation search to show you errors from macros/lookups within the correlation searches in ES.


manojannabathin
Loves-to-Learn Lots

How can I check only skipped correlation searches with a Splunk SPL query?

index=_internal sourcetype=scheduler status!=success
| stats count as skipped_count by search_type user app savedsearch_name status

With this query I am getting all the skipped searches.

Could you help me with this?

TIA

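The two questions in this thread (correlation searches failing on missing macros or lookups, and correlation searches being skipped by the scheduler) can be answered by one search that restricts the scheduler and splunkd error events to the saved searches ES flags as correlation searches. The search below is an added example written for this thread, not code posted by any of the participants. It assumes an ES version (4.x or later) in which correlation searches are saved searches carrying action.correlationsearch.enabled=1 in savedsearches.conf, that scheduler events expose the savedsearch_name, app, status and reason fields, and that SavedSplunker error lines in splunkd.log have the savedsearch_id="user;app;name", message="..." layout that lakshman239's second rex relies on. The rex uses the same layout; if your splunkd.log lines differ, adjust the pattern rather than the rest of the search.

```spl
index=_internal sourcetype=scheduler status=skipped
| eval problem="skipped", detail=reason
| fields app savedsearch_name problem detail
| append
    [ search index=_internal sourcetype=splunkd log_level=ERROR component=SavedSplunker
      | rex field=_raw "savedsearch_id=\"(?<user>[^;]+);(?<app>[^;]+);(?<savedsearch_name>[^\"]+)\",\s+message=\"(?<detail>[^\"]+)\""
      | eval problem="error"
      | fields app savedsearch_name problem detail ]
| search
    [| rest /servicesNS/-/-/saved/searches splunk_server=local
     | search action.correlationsearch.enabled=1
     | fields title
     | rename title AS savedsearch_name ]
| stats count AS occurrences, latest(detail) AS last_detail by problem, app, savedsearch_name
| sort 0 - occurrences
```

The first leg keeps only status=skipped rather than status!=success, so statuses such as continued do not show up as skipped; the scheduler's reason field tells you why (for example, the concurrent scheduled search limit being hit). The second leg parses the SavedSplunker errors, which is where a missing macro or lookup surfaces as an "Error in 'SearchParser'" message against the savedsearch_id. The trailing search with the rest subsearch is what turns "all saved searches" into "correlation searches only", which is what manojannabathin's query was missing. Two caveats: the appended leg and the rest subsearch are both subject to the subsearch limits in limits.conf, so run this over a bounded time range on a busy search head, and ES versions before 4.x defined correlation searches in correlationsearches.conf instead of via action.correlationsearch.enabled, so the filter leg has to be replaced there.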