Knowledge Management

Splunk Security Essentials Unmatched paranthesis in Domain Controller query

bseppanen1
Explorer

In the latest Splunk Security Essentials 3.4.0, and previous release the Data Inventory detection in CIM+Event Size Introspection starts a query that will never complete due to an unmatched paranthesis.    The query is autogenerated, so I'm not sure if this is due to a misconfiguration on my part, or perhaps just a unwanted feature.

 

(index=main source=WinEventLog:Security) ) OR (index=main source=WinEventLog:Security ) | head 10000 | eval SSELENGTH = len(_raw) | eventstats range(_time) as SSETIMERANGE | fields SSELENGTH SSETIMERANGE tag | fieldsummary

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

If you have an entitlement, please file a support request to report that bug.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

If you have an entitlement, please file a support request to report that bug.

---
If this reply helps you, an upvote would be appreciated.
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...