Splunk Enterprise Security
Community Activity
jkay2016
Hi, I noticed quite a number of jobs running in the background attributed to the macro "modular_action_invocations". Fro...
by jkay2016 Engager in Splunk Enterprise Security 07-22-2022
yourfriend
Hello Team, We are using Enterprise security in our environment and we have created correlat...
by yourfriend Loves-to-Learn in Splunk Enterprise Security 07-21-2022
swagner1965
Hi, We use a few stand alone systems for scanning media and other tasks in our group. We are required to retrieve a...
by swagner1965 Path Finder in Splunk Enterprise Security 07-21-2022
warsaw
I have a correlation search where the 'dest' field is present, and in the drilldown search I have mentioned | search des...
by warsaw Loves-to-Learn Lots in Splunk Enterprise Security 07-20-2022
Azeemering
An example: We have defined two malicious URLs in the local_http_intel. This triggers false positives in the Threat Ac...
by Azeemering Builder in Splunk Enterprise Security 07-19-2022
mdicenzo
I am trying to include dynamic names for a notable event that I have triggering. When I try to use $variable$ it just...
by mdicenzo Explorer in Splunk Enterprise Security 07-11-2022
yourfriend
Hi Team, We are reviewing the use cases in our Splunk Enterprise Security; we have given Throttlin...
by yourfriend Loves-to-Learn in Splunk Enterprise Security 07-08-2022
SIEMStudent
Hi Splunkers, I have an issue with the use of Data Model, eval command and sourcetype as filter. Let me explain better...
by SIEMStudent Path Finder in Splunk Enterprise Security 07-05-2022
schandrasekar
We have upgraded Splunk Enterprise recently to 8.0.2.1 and all the apps in our environment to the latest version. One...
by schandrasekar Loves-to-Learn in Splunk Enterprise Security 07-01-2022
dtccsundar
Hi, I have 4 fields and those need to be in a tabular format. Out of which one field has the ratings which need to b...
by dtccsundar Path Finder in Splunk Enterprise Security 07-01-2022
Valen1
What parameter can I modify in limits.conf to solve that? The percentage of non high priority searches delayed (80%) ...
by Valen1 Engager in Splunk Enterprise Security 07-01-2022
kkrises
Hello Splunkers, I configured a new Notable suppression in ES for a repeated notable based on source IP. I could see ...
by kkrises Path Finder in Splunk Enterprise Security 07-01-2022
Abhi89
I am trying to find out what purpose drop_dm_object_name() serves.
by Abhi89 New Member in Splunk Enterprise Security 06-30-2022
JD_Sample
Is there a way to customize which additional fields to show for which Notable event / Correlation search without affec...
by JD_Sample Engager in Splunk Enterprise Security 06-29-2022
Treize
Hi, I am a beginner. I have a correlation rule that: - searches for IP addresses that are port scans - search in the lo...
by Treize Path Finder in Splunk Enterprise Security 06-28-2022
sssinqiry5
Hi all, My team needs to clear an alert with a totally different department before we consider it "published" for the ...
by sssinqiry5 Engager in Splunk Enterprise Security 06-23-2022
ksahu
I have a SHC consisting of 4 SHs (Splunk on-prem on AWS). One or the other SHs seem to go into down state. The only i...
by ksahu New Member in Splunk Enterprise Security 06-21-2022
Lowell
Splunk Enterprise Security is deployed to a Search Head Cluster, along with a bunch of applicable TAs. Deployments ar...
by Lowell Super Champion in Splunk Enterprise Security 06-20-2022
bhargavg
Hi All, We are facing a weird issue where we are unable to see any new incidents on PCI compliance > Incidents review...
by bhargavg New Member in Splunk Enterprise Security 06-18-2022
muhammadalavi19
Hi, We are using Splunk ES 7.0 in our SOC environment. After upgrading to ES 7.0 we are getting the following issue du...
by muhammadalavi19 Loves-to-Learn in Splunk Enterprise Security 06-18-2022
Agent31
I'm using searches which are relatively noisy and difficult to simply write exclusions for, so one way that I've been...
by Agent31 Engager in Splunk Enterprise Security 06-16-2022
dmuley
I have the event that looks like below: 2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="...
by dmuley Explorer in Splunk Enterprise Security 06-15-2022
residualfail
Hello, I found a ton of eventtypes for the vmware agent module like AGENT_CONNECTED, AGENT_RECONNECTED, AGENT_SHUTDOW...
by residualfail New Member in Splunk Enterprise Security 06-14-2022
deodeshm
As I understand, es_notable_events is a KVStore and it stores notable event information for the last 48 hours / also there is...
by deodeshm Explorer in Splunk Enterprise Security 06-09-2022
sheamus69
The AccountExpires field in an AD log is described as: The date when the account expires. This value represents the...
by sheamus69 Communicator in Splunk Enterprise Security 06-07-2022