Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Troubleshoot performance issues by editing saved searches in Splunk Enterprise Security

Searches that populate the Risk Event timeline, MITRE ATT&CK matrix, and link charts in Splunk Enterprise Security aren't hard coded SPL searches in Javascript. Instead, you can edit and customize these saved searches to improve the performance of Splunk Enterprise Security.Following are some examples of saved searches that run on Splunk Enterprise Security, which you can edit to improve performance:

  • Mitre Attack Related Searches

[Mitre - Technique Lookup]
[Mitre - Tactic Lookup]
[Mitre - Get TechniqueIds For Risk Object]

  • Threat Topology Searches

[Incident Review - Threat Topology - Current Threat Object]
[Incident Review - Threat Topology - Threat Topology Search]

Follow these steps to edit the saved searches that run on Splunk Enterprise Security:

  1. Identify the saved searches by navigating to the Splunk Search and Reporting app: Search > Search History.
    This displays a list of all recent searches, including saved searches.
    Alternatively, you can open the developer tools and navigate to the Network tab. Search for the SPL to the Jobs endpoint. Click on the Request parameter to view the Payload tab and identify the saved search that was run on Splunk Enterprise Security.
  2. Navigate to the saved search: Configure > Content Management > Searches, Reports, and Alerts.
  3. Edit the saved search by click on the saved search: Edit Search > Search.Note: If you don't have edit permissions, you must contact the Splunk administrator who created the saved search.
Last modified on 07 February, 2023
Troubleshoot performance issues due to large KV Store collections   Troubleshoot messages about default indexes searched by the admin role

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters