Splunk Enterprise Security

Start a Conversation

Discussions

Start a Conversation

Thread Info

Does threat intelligence work only with data Accelerated Datamodels?

Hi All, I have enabled threat feed into my Splunk Enterprise Security app and the data was working fine until few ...

by Explorer in

How to deal with the duplicate events in Authentication datamodel?

Hi Guys, I have built the Authentication datamodel on the Splunk ES. However I am dealing with a dilemma of duplic...

by Explorer in

i want to display the time intearval today and last 30 days i want to display the difference between these to days how we can wright query

| mstats c(System.System_Up_Time) as Uptime prestats=t WHERE index="em_metrics" AND host="*" by host,metric_name span...

by New Member in

Can you match with subsearch using an evaluated field?

I am trying to compare 2 indexes (malicious domains against proxy logs) using an evaluated field. I have a subsearch ...

by New Member in

Error in replication of incident (notables) from sh1 to other sh's in a cluster.

Hi Folks, The incidents triggered in Splunk enterprise security are not getting replicated , i checked splunkd.log...

by Path Finder in

Extract description into Threat Activity Object

Splunk has all of those threat intel lists for file, process, registry, ip, url, etc... And each list has a descripti...

by Explorer in

How do I drilldown to a unique URL using a table row's unique token?

Situation: I have a panel. The panel creates a token for me from a field I extract from the search. In the sa...

by Communicator in

How to monitor changes in kv store lookups

Hello everyone I have following problem: I have set disabled flag in ip_intel by following query: | inputlookup ip...

by Path Finder in

Incident Review | Search is waiting for input...

Hello all! I'm having trouble with Enterprise Security => Incident Review page. all time "Search is waiting for input...

by Explorer in

Matching value from two multi-value field

I am working with MS-Exchange data. I am taking recipient email value and matching with user lookup for other details...

by Communicator in

Sparkline after Join Command Problem

Hello Fellow Splunkers, I have been trying the following query to pull the ES notified hosts and bring a sparkline...

by Path Finder in

No data sent to Splunk while debug logs show successful connections to Microsoft graph API, and 'None' content length

In an attempt to bring in some additional Azure AD data we have begun using the Microsoft Azure Add-on for Splunk, ho...

by Explorer in

tstats isn't displaying search

| tstats count where index=proxy AND sourcetype=dns earliest=-7d by _time, ComputerName span=1h | xyseries _time, Com...

by Path Finder in

Error in 'lookup' command: Could not construct lookup

I have the following scheduled search that updates a lookup (simple_identity_lookup) by adding new entries that aren'...

by Explorer in

Create token in SPL to be used later in SPL

Hello, I am attempting to create a workflow action that allows a risk modifier to be adjusted. I have the command ...

by Explorer in

umbrella is not assigning data to the network resolution dns data model

How do I go about editing the data have the data from umbrella dns logs update the network resolution dns data model

by Path Finder in

How to size Splunk deployment for 1800 clients

Hello, I've been using Splunk for less than a year and I'm trying to know how to size Splunk deployment(hardware r...

by Loves-to-Learn in

How may I change MM/DD/YYYY HH:MM:SS to epoch time?

Situation: - I have some records with a human readable field "Creation Date" (MM/DD/YYYY HH:MM:SS). - I'd like to so...

by Communicator in