Download topic as PDF
Troubleshoot performance issues by editing saved searches in Splunk Enterprise Security
Searches that populate the Risk Event timeline, MITRE ATT&CK matrix, and link charts in Splunk Enterprise Security aren't hard coded SPL searches in Javascript. Instead, you can edit and customize these saved searches to improve the performance of Splunk Enterprise Security.Following are some examples of saved searches that run on Splunk Enterprise Security, which you can edit to improve performance:
- Mitre Attack Related Searches
[Mitre - Technique Lookup]
[Mitre - Tactic Lookup]
[Mitre - Get TechniqueIds For Risk Object]
- Threat Topology Searches
[Incident Review - Threat Topology - Current Threat Object]
[Incident Review - Threat Topology - Threat Topology Search]
Follow these steps to edit the saved searches that run on Splunk Enterprise Security:
- Identify the saved searches by navigating to the Splunk Search and Reporting app: Search > Search History.
This displays a list of all recent searches, including saved searches.
Alternatively, you can open the developer tools and navigate to the Network tab. Search for the SPL to the Jobs endpoint. Click on the Request parameter to view the Payload tab and identify the saved search that was run on Splunk Enterprise Security. - Navigate to the saved search: Configure > Content Management > Searches, Reports, and Alerts.
- Edit the saved search by click on the saved search: Edit Search > Search.Note: If you don't have edit permissions, you must contact the Splunk administrator who created the saved search.
|
PREVIOUS Troubleshoot performance issues due to large KV Store collections |
NEXT Troubleshoot messages about default indexes searched by the admin role |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1
Feedback submitted, thanks!