Splunk Enterprise Security

Discussions

Thread Info

Incident Review | Search is waiting for input...

Hello all! I'm having trouble with Enterprise Security => Incident Review page. all time "Search is waiting for input...

by Explorer in

Matching value from two multi-value field

I am working with MS-Exchange data. I am taking recipient email value and matching with user lookup for other details...

by Communicator in

Sparkline after Join Command Problem

Hello Fellow Splunkers, I have been trying the following query to pull the ES notified hosts and bring a sparkline...

by Path Finder in

No data sent to Splunk while debug logs show successful connections to Microsoft graph API, and 'None' content length

In an attempt to bring in some additional Azure AD data we have begun using the Microsoft Azure Add-on for Splunk, ho...

by Explorer in

tstats isn't displaying search

| tstats count where index=proxy AND sourcetype=dns earliest=-7d by _time, ComputerName span=1h | xyseries _time, Com...

by Path Finder in

Error in 'lookup' command: Could not construct lookup

I have the following scheduled search that updates a lookup (simple_identity_lookup) by adding new entries that aren'...

by Explorer in

Create token in SPL to be used later in SPL

Hello, I am attempting to create a workflow action that allows a risk modifier to be adjusted. I have the command ...

by Explorer in

umbrella is not assigning data to the network resolution dns data model

How do I go about editing the data have the data from umbrella dns logs update the network resolution dns data model

by Path Finder in

How to size Splunk deployment for 1800 clients

Hello, I've been using Splunk for less than a year and I'm trying to know how to size Splunk deployment(hardware r...

by Engager in

How may I change MM/DD/YYYY HH:MM:SS to epoch time?

Situation: - I have some records with a human readable field "Creation Date" (MM/DD/YYYY HH:MM:SS). - I'd like to so...

by Communicator in

Splunk Enterprise Security Notable Event Title Not Working

Hello all, I'm currently stumped in trying to figure out why my notable event token is not working. I verified th...

by Path Finder in

Splunk inputs.conf - Read from all files in a directory except one file

Need to read from all files present in /temp/logs/ directory except one file abc.log Directory looks like xyz.log ...

by New Member in

What provides data to inputlookup:system_version_tracker

I'm trying to figure out what provides data to the inputlookup:system_version_tracker for ES. Currently its only popu...

by Path Finder in

how to write search query to get notable events based on last modified time for a correlation rule?

How do we write search query to get notable events based on last modified time for a correlation rule ? I want to ...

by New Member in

Regex not giving right results

Hi Community members. I need your help to identify where I am doing wrong in regex field extraction. Actually t...

by New Member in

What should I do when I accidentally deleted "DA-ESS-IdentityManagement" and "SA-Utils", "splunk_metrics_workspace" applications.

I was removing different application and accidentally removed these Splunk ES supported and other application. It wil...

by Explorer in

I need to know how to pass multiple fields of subsearch to main search?

Hi Team, My question is i have antivirus events and firewall traffic and i want to run antivirus search as a subse...

by New Member in

Recorded future app missing session key

When searching for sourcetype=recorded future IOCS, i receive the following error. I updated the API key and that fix...

by Explorer in

My search isnt showing data from lookup list

What my search is trying to do is whenever the search matches an item in the lookup list it should display the result...

by Path Finder in

Where I have to configure limits.conf in a distributed environment?

Hi all, I have a distributed multisite architecture, with a single Search Head, 2 indexers and, 2 Forwarders a Clu...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Incident Review | Search is waiting for input...

Matching value from two multi-value field

Sparkline after Join Command Problem

No data sent to Splunk while debug logs show successful connections to Microsoft graph API, and 'None' content length

tstats isn't displaying search

Error in 'lookup' command: Could not construct lookup

Create token in SPL to be used later in SPL

umbrella is not assigning data to the network resolution dns data model

How to size Splunk deployment for 1800 clients

How may I change MM/DD/YYYY HH:MM:SS to epoch time?

Splunk Enterprise Security Notable Event Title Not Working

Splunk inputs.conf - Read from all files in a directory except one file

What provides data to inputlookup:system_version_tracker

how to write search query to get notable events based on last modified time for a correlation rule?

Regex not giving right results

What should I do when I accidentally deleted "DA-ESS-IdentityManagement" and "SA-Utils", "splunk_metrics_workspace" applications.

I need to know how to pass multiple fields of subsearch to main search?

Recorded future app missing session key

My search isnt showing data from lookup list

Where I have to configure limits.conf in a distributed environment?

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

How to duplicate Notables in ES Incident Review?

How to add new field for filtering in Splunk ES in...

Enterprise Security - Correlation Search - Notable...

Enterprise Security Incident Review Default Filter...

Threat Intelligence Management - Wrong threat matc...