Splunk® Enterprise Security

Troubleshoot Splunk Enterprise Security

Troubleshoot performance issues by editing saved searches in Splunk Enterprise Security

Issue

Performance issues might occur due to some saved searches that populate the Risk event timeline, MITRE ATT&CK matrix, and link charts in Splunk Enterprise Security.

Cause

The following saved searches that run in Splunk Enterprise Security are examples of searches that can affect performance:

  • MITRE ATT&CK related searches
    [Mitre - Technique Lookup]
    [Mitre - Tactic Lookup]
    [Mitre - Get TechniqueIds For Risk Object]

  • Threat Topology searches
    [Incident Review - Threat Topology - Current Threat Object]
    [Incident Review - Threat Topology - Threat Topology Search]

Solution

You can edit the searches that populate the Risk event timeline, MITRE ATT&CK matrix, and link charts in Splunk Enterprise Security, because they are saved searches rather than SPL hard-coded in JavaScript. Customizing these saved searches can improve the performance of Splunk Enterprise Security.

Follow these steps to edit the saved searches that run on Splunk Enterprise Security:

  1. Identify the saved searches by navigating to the Splunk Search and Reporting app: Search > Search History.
    This displays a list of all recent searches, including saved searches.
    Alternatively, open the browser developer tools and go to the Network tab. Look for the request that submits the SPL to the jobs endpoint, then open its Payload tab to view the request parameters and identify the saved search that was run on Splunk Enterprise Security.
  2. Go to the saved search: select Security content and then select Content Management.
  3. Select Searches, Reports, and Alerts.
  4. Select the saved search that you want to edit.
  5. Select Edit search and then select Search.

    If you don't have edit permissions, contact the Splunk administrator who created the saved search.

See also

For more information on performance considerations in Splunk Enterprise Security, see the product documentation:

Performance reference in Splunk Enterprise Security

Last modified on 11 July, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
