#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

Splunk Community Office Hours - March 4th 2022 11:00AM ET

muebel
SplunkTrust

The Splunk Trust and members of the community will be hosting open office hours for anybody who wants to chat about anything Splunk related.

Please visit the office_hours channel in Slack or drop comments here if there is any topic you'd like to see discussed!

0 Karma

muebel
SplunkTrust

Concerning the subtleties of _index_time in search and making sure you find the events you need, there is a great .conf talk on this:

https://conf.splunk.com/watch/conf-online.html?search=PLA1327B&search.event=conf21

Slides directly: https://conf.splunk.com/files/2021/slides/PLA1327B.pdf

>With minimal up-front effort it is possible to guarantee that your alerts and other scheduled searches run, are always successful, and do not miss data. Common challenges are skipped searches, latent data, Splunk down time, failures, and dependencies on other searches. Approaches such as an expanded sliding window consume additional resources and will inevitably fail. We will demonstrate a Splunk macro that tracks search execution times in a KVstore and dynamically controls the search timeframe, thus decoupling it from execution time. This additionally provides a capability to quickly and easily re-run a search over any timeframe in a controllable manner. We will further demonstrate the use of Apache Airflow for more complex use cases.

0 Karma
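The index-time point from that talk, as an added SPL example that is not from the talk or from this thread. Assumptions (mine, not the page's): an `auth` index whose events carry `action=failure`, `user` and `src` fields, and a search scheduled with cron `*/5 * * * *`. The first query is the usual `_time`-bounded form; the second bounds the window by `_indextime` instead, so an event generated at 10:02 that only reached the indexer at 10:20 (forwarder backlog, a late-rotated file) is picked up by the run that follows its arrival instead of being silently lost.

```spl
index=auth action=failure earliest=-5m@m latest=@m
| stats count AS failures, dc(src) AS sources BY user
| where failures >= 10

index=auth action=failure earliest=-7d@d latest=now _index_earliest=-5m@m _index_latest=@m
| stats count AS failures, dc(src) AS sources BY user
| where failures >= 10
```

The wide `earliest`/`latest` on the second query is not optional: the time picker and the `earliest`/`latest` terms still filter on `_time`, so a latent event whose `_time` is older than five minutes would be excluded again if the `_time` window were left at five minutes. `_index_latest=@m` snaps the window to whole minutes, so a run at 10:05:12 and the next at 10:10:07 see disjoint, contiguous index-time ranges. This is also the usual answer to "only alert on entries that are new since the last run": the window does the deduplication, so the alert's throttle is left for rate limiting rather than correctness. What it does not cover is a run the scheduler skipped or that failed part-way; that five-minute slice is gone, which is the gap the KV store checkpoint macro in the talk closes by driving the window from the last successful run's timestamps instead of from the schedule.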

muebel
SplunkTrust

https://batchworks.de/recover-deleted-data/ for recovering deleted data

0 Karma

Taruchit
Contributor

Hello All, 

Thank you for organizing the office hours event tomorrow. I will need your expertise and support for the following topics and questions:

  1. Can you please explain the use of the delta command? And how it is used, with syntax and an example.

  2. Can we build SPL and a Splunk alert in a way that every time there is a new entry in the table, a notification email and a ticket get generated to the support team? And for older events, no action triggers. I understand that for suppressing the Splunk alert trigger we use Throttle, but I see suppressing the trigger action is available based on time. For example:
    Suppressing for __ seconds/minutes/hours/days

  3. In Splunk alerts, can you please explain about writing custom scripts in Splunk? Can you please share the resources to understand the syntax for writing custom scripts?

  4. Can we add a dynamic up and down KPI arrow in a Splunk dashboard table based on an increase or decrease in current values compared to values from the previous day? I asked the same earlier in a separate forum, but need more information about it. I do not have support to add apps from Splunkbase; can we still build the solution?
    If adding up and down arrow is an issue, please help with the approach to decide if today's values are different than last day and then we can decide the color of cells based on it for differentiation. 
0 Karma

muebel
SplunkTrust

Timechart + single-value visualization from Rich

[screenshot: muebel_0-1646411099101.png]

0 Karma
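Rich's timechart feeding a single-value visualization gives the trend arrow out of the box. For the table form Taruchit asked about, here is an added SPL example, not from the thread: it assumes a `web` index with `sourcetype=access_combined` and `host` and `status` fields (my assumption; substitute your own), and it compares today so far against the same hours of yesterday, because comparing a partial day with a complete one would report a drop every morning.

```spl
index=web sourcetype=access_combined status>=500 earliest=-1d@d latest=now
| where _time >= relative_time(now(), "@d") OR _time <= now() - 86400
| eval day=if(_time >= relative_time(now(), "@d"), "today", "yesterday")
| chart count OVER host BY day
| fillnull value=0 today yesterday
| eval change=today - yesterday
| eval trend=case(change > 0, "▲ +" . change, change < 0, "▼ " . change, true(), "▬ 0")
| table host, yesterday, today, change, trend
| sort - change
```

The `where` line keeps all of today's events but only those yesterday events that fall before the current time of day, so both columns cover the same number of hours. The arrow lives in a plain string field, so it needs no Splunkbase app; for cell colouring add a table format to the panel's Simple XML, e.g. `<format type="color" field="change"><colorPalette type="expression">if(value &gt; 0, "#DC4E41", "#53A051")</colorPalette></format>`, which also needs nothing beyond the built-in table formatting options.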

muebel
SplunkTrust

Best thing to do for usage of the delta command is find blog posts such as https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html

I'd also suggest searching GitHub for "| delta" to find SPL examples for people that added searches to their repos.

https://dev.splunk.com/ is a good starting place for custom search commands, and alert actions. For finding existing third party integrations via alert actions, checking splunkbase is always a good idea.

https://splunkbase.splunk.com/app/4621/ TrackMe is something I've found useful for watchdog-type alerting on the absence of certain types of data.

`!missinghosts` in Slack drops links to all sorts of apps and thoughts on this.

0 Karma
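An added SPL example of `delta` applied to the watchdog case mentioned above; it is not from the linked blog post or from TrackMe. It assumes (my assumption) that a sourcetype named `WinEventLog:Security` should be roughly steady hour to hour, and it reads the indexer's own throughput metrics from `_internal`, so it runs on any Splunk Enterprise instance without extra apps.

```spl
index=_internal source=*metrics.log* group=per_sourcetype_thruput series="WinEventLog:Security" earliest=-48h@h latest=@h
| timechart span=1h sum(kb) AS kb
| fillnull value=0 kb
| delta kb AS kb_change
| delta p=24 kb AS kb_change_vs_yesterday
| eval pct_change=if(kb - kb_change > 0, round(100 * kb_change / (kb - kb_change), 1), null())
| where pct_change <= -50 OR kb = 0
```

`delta` subtracts the value `p` results earlier from the current result (default `p=1`), so the first `delta` gives the change against the previous hour and `p=24` gives the change against the same hour yesterday, which is the better baseline for anything with a daily cycle; the first row of each has no predecessor and stays null, which `where` drops. Because `delta` works on result order, it belongs after `timechart` or an explicit `sort`. Two caveats: `per_sourcetype_thruput` only reports the busiest series (limits.conf `[metrics] maxseries`, default 10), so a quiet sourcetype may be missing from metrics.log entirely rather than present with zero, and `fillnull` only fills the empty buckets that `timechart` emits for the requested range, which is why the search carries explicit `earliest`/`latest` bounds.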