Splunk vs SecOps Event Counts

Does anyone have experience reconciling Splunk event counts vs SecOps event counts? I'm running queries in both platforms and noticing large discrepancies by log type (Splunk typically has far more events). The webhook feeds I am using to send to SecOps don't show any obvious issues sending data.


Hello, 

The timestamps and timeframes are going to be extremely important here when trying to compare between products. Are you using Raw data or UDM data for your comparison?

Yep, definitely checked for timestamps. I'm doing a like-for-like comparison in that regard. The event counts I get in SecOps are via ingestion metrics, so running against ingestion.log_type and then summing up by ingestion.log_count for the time period of interest.

The data you are using is UDM.

UDM data takes some time to normalize. The best practice here would be to use an hour window but shift it back in time; 2 hours back would be ideal. Or, you need to use raw logs.
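A worked illustration of the reconciliation approach described in this thread, added here as an example and not part of any reply or of Splunk or Google SecOps tooling. It assumes you have already exported hourly counts per log type from both platforms (a Splunk search bucketed by hour, and the SecOps ingestion metrics summed over ingestion.log_count per ingestion.log_type); the sample rows, the "now" timestamp, the log-type names and the 5 % tolerance are all constructed. The comparison window is one hour, ended two hours before "now", so that buckets still being normalized are not counted as discrepancies; running the same function with no lag shows how the newest hour produces false alarms.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "now" for the example; in practice use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows: (log_type, hour bucket start in UTC, event count).
# Splunk side: what a search bucketed by _time span=1h and log type would yield.
SPLUNK_COUNTS = [
    ("WINEVTLOG", "2024-01-01T09:00:00Z", 10000),
    ("WINEVTLOG", "2024-01-01T10:00:00Z", 10200),
    ("WINEVTLOG", "2024-01-01T11:00:00Z", 9800),
    ("PAN_FIREWALL", "2024-01-01T09:00:00Z", 5000),
    ("PAN_FIREWALL", "2024-01-01T10:00:00Z", 5100),
    ("PAN_FIREWALL", "2024-01-01T11:00:00Z", 5050),
]
# SecOps side: ingestion metrics summed by log type. The 11:00 bucket is
# deliberately low to mimic UDM data that has not finished normalizing;
# PAN_FIREWALL at 09:00 is a genuine shortfall that should be flagged.
SECOPS_COUNTS = [
    ("WINEVTLOG", "2024-01-01T09:00:00Z", 9990),
    ("WINEVTLOG", "2024-01-01T10:00:00Z", 10150),
    ("WINEVTLOG", "2024-01-01T11:00:00Z", 4100),
    ("PAN_FIREWALL", "2024-01-01T09:00:00Z", 3200),
    ("PAN_FIREWALL", "2024-01-01T10:00:00Z", 5090),
    ("PAN_FIREWALL", "2024-01-01T11:00:00Z", 2000),
]


def parse_bucket(ts: str) -> datetime:
    """Parse an ISO-8601 UTC bucket start such as 2024-01-01T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def totals_by_type(rows, window_start: datetime, window_end: datetime) -> dict:
    """Sum counts per log type for buckets falling inside [window_start, window_end)."""
    totals = defaultdict(int)
    for log_type, ts, count in rows:
        if window_start <= parse_bucket(ts) < window_end:
            totals[log_type] += count
    return totals


def reconcile(splunk_rows, secops_rows, now: datetime, lag_hours: int = 2,
              window_hours: int = 1, tolerance: float = 0.05) -> list:
    """Compare per-log-type totals over one window that ends lag_hours before now.

    Returns one record per log type seen on either side, flagged when the
    relative shortfall or excess on the SecOps side exceeds the tolerance.
    """
    window_end = now - timedelta(hours=lag_hours)
    window_start = window_end - timedelta(hours=window_hours)
    splunk = totals_by_type(splunk_rows, window_start, window_end)
    secops = totals_by_type(secops_rows, window_start, window_end)

    report = []
    for log_type in sorted(set(splunk) | set(secops)):
        s_n = splunk.get(log_type, 0)
        c_n = secops.get(log_type, 0)
        # Relative difference against the Splunk count (guard against zero).
        delta = (s_n - c_n) / max(s_n, 1)
        report.append({
            "log_type": log_type,
            "window_start": window_start.isoformat(),
            "window_end": window_end.isoformat(),
            "splunk": s_n,
            "secops": c_n,
            "delta_pct": round(delta * 100, 1),
            "flag": abs(delta) > tolerance,
        })
    return report


if __name__ == "__main__":
    print("Lagged window (2 hours back), as recommended:")
    for rec in reconcile(SPLUNK_COUNTS, SECOPS_COUNTS, NOW):
        print(rec)
    print("Newest hour with no lag (UDM still normalizing):")
    for rec in reconcile(SPLUNK_COUNTS, SECOPS_COUNTS, NOW, lag_hours=0):
        print(rec)
```

With the lagged window only PAN_FIREWALL is flagged (5000 vs 3200), which points at the feed rather than at normalization delay; with no lag both log types are flagged even though WINEVTLOG is healthy, which is the false discrepancy the reply above warns about.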

Is there a raw log count metric I can use?