英文:
How can I get hits for all enabled correlation searches in Splunk in a specific timeframe without running each search separately?
问题
我尝试在Splunk中针对特定时间段一起运行所有已启用的关联搜索。是否有一种方式可以在特定时间范围内一次性获取所有这些搜索的命中结果,而不是分别运行每个搜索?
我们有大约80个关联搜索,并希望在特定时间段内运行它们。但分别运行每个逻辑太耗时了。请提出一种方法,看看是否可以一起运行所有这些搜索。
英文:
I’m trying to run all enabled correlation searches in Splunk for a specific time frame together. Is there anyway instead of running each search separately we can get hits for all those searches in a single go in a specific timeframe
We have about 80 correlation searches and want to run them for a specific timeframe. But running each logic sepeately is time consUming. Kindly suggest a way if all these searches can be run together
答案1
得分: 1
没有简单的方法来设置所有相关性搜索来覆盖相同的时间框架。您将不得不在用户界面中手动编辑每个相关性搜索,或者编辑每个savedsearches.conf文件。
无论如何,您可能不希望这样做。相关性搜索覆盖的用例不同,更改时间窗口可能会导致误报或漏报警报/重要事件。
英文:
There is no easy way to set all correlation searches to covert the same time frame. You would have to manually edit each CS in the UI or edit each savedsearches.conf file.
You probably don't want to do that, anyway. The use cases covered by the CSs are different and changing the time windows may lead to false positive or false negative alerts/notables.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论