Splunk Enterprise Security

Discussions

Thread Info

"notable events over time" panel is lagging behind the time

I want to understand the irregular behaviour of output displays for "notable events over time" panel in ES. Right no...

by Communicator in

How to integrate BMC remedy asset management tool with splunk

Hi, We have Splunk Enterprise 7.0.1 and BMC remedy 8.0 and wanted to integrate remedy asset management module with sp...

by New Member in

Enterprise Security admin privileges, why

We have a growing Splunk environment with one ES SH, and a SH cluster. We have an MSS that is going to manage our ES ...

by Contributor in

whitelist user account or windows service

Hi, Is it possible to whitelist windows service(xyz.EXE) traffic in splunk or should I whitelist user account?

by Path Finder in

How to maintain lookups?

I am analyzing our Splunk set-up and was going through the lookups, need suggestions on the best strategy to maintain...

by Path Finder in

Multivalue fields correlation

How can I search for multiple values present in different fields? For example, I have fields titled FinalPurchases an...

by Engager in

Is there a way to modify an inputlookup subsearch from an implied equals operator to an "IN" operator?

I have a subsearch doing "| inputlookup" against a CSV... the implied operator is equals. "Column/Field = Cell Value"...

by Engager in

OpenLDAP add-on fields extraction

I recently installed openldap add-on on both splunk cloud instance and splunk enterprise security instance https:/...

by New Member in

Splunk architectural design - global search head

Hi, I need someone to shed me some light on what is the best approach for me on changing my splunk architecture. C...

by Explorer in

How to access Threat Grid thru workflow action in Enterprise Security

Looking for a way to create a workflow action in ES, to research URL and IP addresses.

by Path Finder in

Feature Request: Pivot to Search App or Dashboard.

Feature Request: Pivot to Search App or Dashboard. This would allow to leverage already created dashboards and openin...

by New Member in

How to get diff between previous day vs current?

the below search provides me info on failed logins for the past month, for example the last four fridays now i want t...

by Path Finder in

how to create a threshold alert based on previous data?

I started off with the following search which gives me failed authentication to cisco acs on a daily basis, now i wan...

by Explorer in

I am trying to integrate couple of security devices with Splunk, if any body does this already, please let me know the integration process and version compatibility for vendor software.

Does anybody integrated Imperva DAM with Splunk? if yes what is the process and version compatibility with Splunk? Do...

by New Member in

Does Splunk ES live entirely within etc/apps?

Is there any component that makes Splunk ES tick, which isn't inside the directory etc/apps?

by Explorer in

Comparison chart of data indexed per index over one week

Greetings Splunkers, My question is two fold. I'm in need of an SPL that will show how much data was indexed p...

by Explorer in

Using certificate-based auth for a TAXII Threat Intel download?

I notice that Splice was deprecated as ES (allegedly) did everything Splice did, however one thing Splice supported t...

by Path Finder in

modular_actions_invocations macro

Hi all, Does anyone have any knowledge or understanding with the macro "modular_actions_invocations(2)"? This is a...

by Explorer in

alert triggered but ip not available in csv

Hello Folks, I have enabled a notable in ES_app, which triggers if it finds any ip available from local_ip_intel.c...

by Communicator in

Complex RegEx Capturing Group Assistance

Complex RegEx Capturing Group Assistance I have a couple similar cases where I am struggling to get the desired fi...

by Engager in

How to resolve replication errors on knowledge bundle size over 200MB due to Splunk Enterprise Security identities and assets?

Hi, I'm looking for some answer and suggestion how I could decrease/workaround the knowledge bundle replication er...

by Path Finder in

How to populate malware_alias with TAXII feeds?

Hello everyone! Does anyone know how can I populate the "malware_alias" field with TAXII/STIX objects? I have trie...

by New Member in