Splunk Enterprise Security

Community Activity

Splunk ES Drill-Down- How do I receive 2 separate notable alerts? I created the following correlation alerts in ES with Notable Index=fw (dest_ip=1.2.3.4 OR dest_ip=1.2.3.5) The alert... by LIP Loves-to-Learn in Splunk Enterprise Security 10-23-2022 0 1	0	1
More Enterprise Security Correlation Search Variable Substitution for Contributing Events- Is there documentation? As in previous posts I am talking about using variables or tokens in the Contributing Events part of enterprise secur... by lugoon Explorer in Splunk Enterprise Security 10-21-2022 0 0	0	0
Is there a drill down search variable substitution? Hi I have two questions here 1.In the drill down search i have given dest=$dest$ and it is not working and when i c... by umesh Path Finder in Splunk Enterprise Security 10-19-2022 0 3	0	3
How to know the correlation search query and time range conditions for two of these use cases? Please let me know the correlation search query and time range conditions for two of these usecases. I have windows p... by Ash Engager in Splunk Enterprise Security 10-18-2022 0 0	0	0
How to make Splunk ES override urgency changes? Hi all, I have a correlation search that passes alerts from another system into ES and I need to prevent the urgency ... by Dworsnop Path Finder in Splunk Enterprise Security 10-17-2022 0 3	0	3
Why are risk objects not being normalized against assets and identities? I'm using RBA and am having issues with duplicate notables for the same thing. For example, I'll get a notable for bo... by chromefinch Loves-to-Learn Lots in Splunk Enterprise Security 10-17-2022 0 1	0	1
Why am I not getting the correct percentage difference? HelloKindly assist me in this query/solution.I have a long list of IPs that logged in. Out of this list, I want to kn... by Lye Path Finder in Splunk Enterprise Security 10-15-2022 0 11	0	11
Risk based alerting - Contributing Risk Events Drilldown not working? Hi, I have problems with the drilldown button in the "Risk Event Timeline" view for an Risk Notable. When expanding R... by torstein1 Explorer in Splunk Enterprise Security 10-14-2022 5 5	5	5
Search for failed logins: Why is the search creating false positive alerts? Hello, I have created a search for failed logins for win,linux and network devices from authentication datamodel but ... by Ash Engager in Splunk Enterprise Security 10-13-2022 0 0	0	0
Enterprise Security Threat Intelligence - Lookup population? Hi,I'm starting with ES Threat Intelligence and am wondering, how threat intel data is populated to the KV stores use... by HeinzWaescher Motivator in Splunk Enterprise Security 10-13-2022 0 1	0	1
Is there a way to query ES investigations for artifacts? Is there a way to query ES investigations for artifacts? For example, suppose that I have a current notable with a h... by dokaas_2 Communicator in Splunk Enterprise Security 10-12-2022 0 0	0	0
Unable to find sourcetype="ms365:defender:incident:alerts"? Unable to find sourcetype="ms365:defender:incident:alerts"can u pls help by Gaikwad Explorer in Splunk Enterprise Security 10-12-2022 0 7	0	7
Comparing IP Addresses after using the Join Command? Hi Team, I am trying to compare IP addresses but I am unable to find any logic that can do so with the below query: i... by Splunk_Master01 Explorer in Splunk Enterprise Security 10-12-2022 0 0	0	0
Fields Not Showing After I Add Them in The Incident Review Settings Page? Hi All, I want to display some additional fields and I have added them by following the below method: Configure -> In... by Splunk_Master01 Explorer in Splunk Enterprise Security 10-11-2022 1 0	1	0
How to join information into one table? Hi peeps,I want to join below information result in one table: 1st queryindex=sslvpn\| iplocation src_ip\| search Count... by syazwani Path Finder in Splunk Enterprise Security 10-11-2022 0 1	0	1
Does Splunk "Clean All" make itself a backup of auth data for logging into the instance? In many Splunk official Documentation we read sometimes, to "wipe" an instance, to launch the command splunk clean ... by verbal_666 Builder in Splunk Enterprise Security 10-11-2022 0 2	0	2
Unable to open some correlation rules in Splunk enterprise security? When I click on some correlation rules in content management in Splunk ES, I get the following error and it does not ... by Toto1 Engager in Splunk Enterprise Security 10-10-2022 1 1	1	1
CIM Field Values- Do field values have to be consistent for ES or doesn't it matter? Hello Do field values have to be consistent for ES or doesn't it matter? So in the wineventlog if src is sometimes t... by R00ster Engager in Splunk Enterprise Security 10-10-2022 0 2	0	2
How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices? We have several devices that perform endpoint and network device scanning. As intended, they are scanning prohibited... by waynemurraysgs Engager in Splunk Enterprise Security 10-09-2022 0 3	0	3
How to create a table to display different users who logged in from same clientip? Hi, I am a student and new to Splunk. I really need help creating a table like this: The goal is to detect different ... by Win Explorer in Splunk Enterprise Security 10-06-2022 0 2	0	2
Threat Intel lookup - Can we change how frequently ES reads new information? Hi all,We have few Custom CSV lookups that have been added to ES for Threat Intel. For the existing data, we can look... by att35 Builder in Splunk Enterprise Security 10-06-2022 0 1	0	1
How to change Threat Intelligence time interval? Hi Splunkers, How to change the threat intelligence Function time interval in Splunk ES. currently , I'm getting ... by restinlinux Explorer in Splunk Enterprise Security 10-05-2022 0 0	0	0
How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found? I'm getting this error after upgrading Microsoft 365 app in Splunk error - Error in 'SearchParser': The search specif... by Gaikwad Explorer in Splunk Enterprise Security 10-05-2022 0 4	0	4
Short-lived Account Detected - How to narrow down searches to certain accounts? HiIts my first week in the job and I am finding creating alerts is not the issue but how to create useful alerts is m... by Jay1234 Explorer in Splunk Enterprise Security 10-04-2022 0 3	0	3
Enterprise Security Suite Incident Review - How do you edit the owners list? How do you control who is in the drop down list of owners, so you can assign a ticket to someone else? It seems to ha... by vaudajordan Engager in Splunk Enterprise Security 09-30-2022 1 3	1	3

Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Enterprise Security

Splunk ES Drill-Down- How do I receive 2 separate notable alerts?

More Enterprise Security Correlation Search Variable Substitution for Contributing Events- Is there documentation?

Is there a drill down search variable substitution?

How to know the correlation search query and time range conditions for two of these use cases?

How to make Splunk ES override urgency changes?

Why are risk objects not being normalized against assets and identities?

Why am I not getting the correct percentage difference?

Risk based alerting - Contributing Risk Events Drilldown not working?

Search for failed logins: Why is the search creating false positive alerts?

Enterprise Security Threat Intelligence - Lookup population?

Is there a way to query ES investigations for artifacts?

Unable to find sourcetype="ms365:defender:incident:alerts"?

Comparing IP Addresses after using the Join Command?

Fields Not Showing After I Add Them in The Incident Review Settings Page?

How to join information into one table?

Does Splunk "Clean All" make itself a backup of auth data for logging into the instance?

Unable to open some correlation rules in Splunk enterprise security?

CIM Field Values- Do field values have to be consistent for ES or doesn't it matter?

How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

How to create a table to display different users who logged in from same clientip?

Threat Intel lookup - Can we change how frequently ES reads new information?

How to change Threat Intelligence time interval?

How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found?

Short-lived Account Detected - How to narrow down searches to certain accounts?

Enterprise Security Suite Incident Review - How do you edit the owners list?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

KV Store communication fails with TLS errors after...

Findings Comments

Splunk Enterprise Security

Are you a member of the Splunk Community?