Does anyone have experience reconciling Splunk event counts vs SecOps event counts? Iβm running queries in both platforms and noticing large discrepancies by log type(Splunk typically has far more events). The webhook feeds I am using to send to SecOPs donβt show any obvious issues sending data.
Splunk vs SecOps Event Counts
+3
+16Hello,
The timestamps and timeframes are going to be extremely important here when trying to compare between products. Are you using Raw data or UDM data for your comparison?
+3Yep definitely checked for timestamps. Iβm doing a like for like comparison in that regard. The event counts I get in SecOps is via ingestion metrics. So running against ingestion.log_type and then summing up by ingestion.log_count given the time period of interest.
+16The data you are using is UDM.
UDM data takes some time to normalize. The best practice here would be to use an hour window but make it back in time; 2 hours back would be ideal. Or, you need to use raw log.
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.