Splunk Enterprise Security

Discussions

Thread Info

Why are events included in one Search Head but not the other when running the same search?

I have a two search head, one indexer environment. One Search Head is dedicated to Splunk Enterprise Security (ES). I...

by Engager in

How to aggregate events per host per hour?

Hello, I believe this does not give me what I want but it does at the same time. After events are indexed I'm atte...

by Communicator in

Tracking Session Open/Closed

Hello, How could I track if a session is opened but not closed immediately and by track I mean implementing a rule...

by Communicator in

How to compare columns in an inputlookup and return results that do not match?

Hello, I am trying to build a search that takes an inputlookup file that has 2 columns; One is a list of usernames...

by Path Finder in

How to organize my columns, in a table, by urgency for tracking KPI for notable events?

I would like to organize a table for tracking KPI for notable events like so: No. of Critical No. of High No. of M...

by Explorer in

How to test Environment for Splunk ES?

Hi Splunkers, I have completed administering Splunk enterprise security two months back and now I need to do some ...

by Communicator in

Splunk Enterprise Security: API 'notable_update' error - Invalid method for this endpoint

Hello! I'm trying to query the notable_update service via api (.../services/notable_update) and get error of - "In...

by Explorer in

Splunk ES local setup

Hi, can somebody help me to download the local setup file for Splunk ES.

by New Member in

Which TA should I use for FortiGate?

Splunk ES includes TA-fortinet 4.7.1. FortiNet maintain Splunk_TA_fortinet_fortigate, currently at v1.5, and whose...

by Communicator in

Any challenges running Splunk ES without admin I should be aware of?

All, Per a request from our security team, I moved Splunk to LDAP only and blasted the local admin account. But E...

by Builder in

How to assign roles to X team if model User doesn't have access to that Index?

How to assign roles to X team if model User doesn't have access to that Index? How to search those roles in Model Use...

by Engager in

What are all the URLs I need to open Splunk Enterprise Security up to for its default threat lists?

All, Anyone have a list of all the URL's IPs I need to open Splunk Enterprise Security up to for its threat lists...

by Builder in

How to resolve the problem when disc full in prod ES SHC members?

Disc space is almost full i.e., 96% How to resolve this problem? What to do if my Mount Point is full? Any Linux Comm...

by Engager in

Using Inputlookup to Eliminate Search Results

Been banging my head on this and need some assistance. Trying to use a csv to eliminate some search results with no s...

by Explorer in

Why are the dashboards not displaying any data in the Enterprise Security app?

So I recently had to nuke the search head that our Enterprise Security app was running on. I have reinstalled everyth...

by Path Finder in

Notable events stopped updating in Incidnet Review in ES app

Hi Splunkers, we are not able to see any notable events from yesterday in ES app even though we have not made chan...

by New Member in

How to retrieve open incidents from splunk enterprise security?

Is it the proper way to get incidents through a webhook that searchs for notable events and send them to our api? ...

by Engager in

Rule_id's missing in incident_review_lookup for Correlation Search

Hi, I am reviewing the results for the 'ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule' cor...

by Path Finder in

Why eStreamer data from sourcefire is not getting tagged for IDS_Attacks datamodel?

Hi, We are indexing eStreamer logs from sourcefire and have the app, "eStreamer for Splunk" (2.2.1) and add-on, "S...

by Builder in

Splunk Enterprise Security API is not allowed for admin

I have admin, user, power roles on Splunk Enterprise Security instance but it still requires authentication and it do...

by Engager in

Failed to find the target event with valid host and source values error

When using Enterprise Security we get the following error "Failed to find the target event with valid host and source...

by Path Finder in

is it possible to install other Splunk Apps (CIM compliant and non compliant) on the same search head which contains Enterprise security ?

If it isn't possible to install other apps that aren't CIM Compliant on the Sh machine that has the Enterprise securi...

by Engager in

Data Model rebuild loose any kind of data from indexers?

If I am rebuilding existing data model in ES then it may be possible to loose any kind of data from indexers?

by Path Finder in

Is Extreme Search still available?

I no longer see Extreme Search on Splunkbase. Is it part of Splunk or Enterprise Security? (We are a few version ...

by Path Finder in

Why are the notable events from Symantec not accurate?

Hi Community, Not sure how to explain this... But the whole timeline looks like this: A user plugs in a USB sti...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Why are events included in one Search Head but not the other when running the same search?

How to aggregate events per host per hour?

Tracking Session Open/Closed

How to compare columns in an inputlookup and return results that do not match?

How to organize my columns, in a table, by urgency for tracking KPI for notable events?

How to test Environment for Splunk ES?

Splunk Enterprise Security: API 'notable_update' error - Invalid method for this endpoint

Splunk ES local setup

Which TA should I use for FortiGate?

Any challenges running Splunk ES without admin I should be aware of?

How to assign roles to X team if model User doesn't have access to that Index?

What are all the URLs I need to open Splunk Enterprise Security up to for its default threat lists?

How to resolve the problem when disc full in prod ES SHC members?

Using Inputlookup to Eliminate Search Results

Why are the dashboards not displaying any data in the Enterprise Security app?

Notable events stopped updating in Incidnet Review in ES app

How to retrieve open incidents from splunk enterprise security?

Rule_id's missing in incident_review_lookup for Correlation Search

Why eStreamer data from sourcefire is not getting tagged for IDS_Attacks datamodel?

Splunk Enterprise Security API is not allowed for admin

Failed to find the target event with valid host and source values error

is it possible to install other Splunk Apps (CIM compliant and non compliant) on the same search head which contains Enterprise security ?

Data Model rebuild loose any kind of data from indexers?

Is Extreme Search still available?

Why are the notable events from Symantec not accurate?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!

Drill-down and Next Step are not read in Incident ...

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...

Multi-Select in HTML for Alert Action does not ret...