Tag: Knowledge Bits

Handling the Dynamic Pruning Failure in Cardinality Aggregations in Elasticsearch

When working with Elasticsearch, you may encounter the following error during complex queries involving cardinality aggregations: This error typically occurs when Elasticsearch’s dynamic pruning mechanism, designed to optimize aggregation queries, struggles to handle high cardinality (i.e., a large number of unique terms or values). Let’s dive into what this means and how to resolve it. […]

OpenSearch Alert Monitoring: High CPU Usage Example

OpenSearch alerting feature sends notifications when data from one or more indices meets certain customizable conditions. Use cases include monitoring for HTTP status code 503, detecting CPU load averages above a specific threshold, or tracking the count of specific keywords in logs over defined intervals. Notifications can be configured to be sent via email, Slack, […]

How to Retrieve and Restore Snapshots from S3 Repository in OpenSearch

Step 1: List Available Snapshots First, you need to list the snapshots available in your S3 repository. You can do this by running the following query: This will return a list of all snapshots in the my_s3_repository. The response will include details like the snapshot id, creation date, and state (e.g., success, partial). Step 2: […]

Creating Snapshot Management Policies with Keystore Integration and Slack Notification Setup

Step 1: Add AWS Credentials to the Keystore To securely store your AWS credentials, use the OpenSearch keystore. Add your AWS credentials to the OpenSearch keystore with the following commands: Enter your AWS access_key and secret_key when prompted. OpenSearch will use these stored credentials for S3 interactions. Step 2: Connect to S3 Bucket Now that […]

Making Use of Building Block Rules in Elastic

Within the “Advanced Options” of the “About Rule” section of Elastic hides a useful feature that gets little attention. This feature makes the rule generate alerts that are ‘hidden’ from the alerts view. This can be powerful. Here are some ideas to get you started! Threshold Rules Create some rules that look for distinct behaviors […]

Fields Aren’t Always Faster, Keyword Searches to Speed Up Splunk

When possible, use datamodels; they are generally your best bet for speed. However, not everything in your Splunk will be in a datamodel, and you may require a good-old-fashioned index-based search. This may come as a surprise, as it is counterintuitive, but often using a token in an index-based search will absolutely […]

Making Use of Fillnull and Values() to Increase Rule Resiliency in Splunk

Within Splunk we use “stats” and “tstats” a bunch as threat hunters. However, these useful operations can cause interesting events to be dropped unexpectedly. For instance: index=windows sourcetype=*winevent* AND EventCode=4688 AND NewProcessName=*Evil.exe | stats count by ComputerName, ParentProcessName, NewProcessName, CommandLine CommandLine is a field in 4688 events that needs to be enabled via “group policy”. So, […]

Creating Macros for Code Reuse in Splunk

When you find yourself constantly reusing certain strings of Splunk commands, it can be a lot easier to represent those commands as a single line of code that can accept positional arguments and serve the same functions as a set of commands you find yourself using often. This is the purpose of a Splunk macro […]
