Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

Empty 'sourcetype' field in Authentication data model if tstats query used

Hello, In order to detect excessive failed logins we use the correlation search below: | tstats summariesonly=t...

by Communicator in

Query to detect activity from inactive account

Hi Folks, I want to create a correlation for inactive account activity including last login with timestamp and app...

by New Member in

Recommended CPU for client workstation accessing Splunk Enterprise Security

Is there a recommended number of CPU cores for client workstation accessing Splunk ES? The company is running virtual...

by Explorer in

Tweek Enterprise Security when having few log inputs

Hello everyone, i am using Splunk Enterprise Security but at the moment because I don't have enough logs (only fro...

by Communicator in

How to Write query for TCP port activity in splunk ES

Hi, We are trying to analyze traffic on TCP ports both inbound and outbound in Splunk ES excluding the ports 80,44...

by Path Finder in

Phantom: How to run Splunk search and add data to artifact rather than widget

I am able to send data to Phantom and create containers with valid Artifacts but I want to enrich the artifact itself...

by Path Finder in

how do i calculate the average of logs received from a sourcetype over last 30 days and then compare if percentage dip is is more than 70% in last 24 hours

how do i calculate the average of logs received from a sourcetype over last 30 days and then compare if percentage di...

by Explorer in

How to leverage multiple lookup tables in a search

I have two lookup tables: notablesIp.csv and criticalAsset.csv notableIP.csv ip attack 1.1.1.1 Ransomware 1.1.1...

by Path Finder in

Splunk Ignores my cron and sets his own daily

Hello I am having an issue when scheduling some reports which i set cron as : 0 6 3 * * which is “At 06:00 on day-...

by Explorer in

ms:o365:reporting:messagetrace props.conf settings for timestamp recognition

Hi Splunkers Does anyone know the correct settings for the props.conf file of the TA-MS_O365_Reporting add-on that...

by New Member in

How to extract the following fields?

Hi, I am having the following event and I am trying to extract the URI and FileSHA256 field, but not using the se...

by New Member in

How to setup custom admin password for Splunk on Kubernetes

I am currently trying to deploy a splunk cluster on kubernetes. While I can successfully deploy the standard yaml fr...

by New Member in

Radiobutton issue: have to reselect it every time to be able to resubmit the search

Hello, We'd like to provide a basic dashboard to our analysts to help them to search the information in an asset l...

by Communicator in

New file with extension (dot).lock

Hi Folks, Does anyone have idea of files with extension (dot).lock Thanks

by New Member in

calculate the difference between current time and Last event time and then display the difference in days

I have the below query to calculate events not reporting for last 24 hours. I want to calculate the difference betwee...

by Explorer in

Issue with field value update in lookup cache file

The Lookup cache has been generated with 90 days baseline before Search 2 in which "dest" field is not "null" for any...

by New Member in

Do Splunk Partners offer employment on a vocational basis?

Many companies looking for candidates with expertise and experience using Splunk products. I have earned my Splunk Ce...

by New Member in

Does Splunk support double NIC interfaces on the private network to improve performance?

First, some background info on our Splunk system. We are setting up a 2-site cluster with a replication factor of 2. ...

by Explorer in

How can I merge multiple fields per event and separate them using a delimiter, but keep each event separate in my table/stats results?

EXAMPLE TABLE/STATS: field_1 field_2 012 blah1 345 blah2 ABC blah3 678 blah4 ...

by Engager in

Eval for passing String format Time value to Number format to drill down panel trough tokens $row.time$

While using the drill-down from dashboard panel1 to panel2, I want to pass the Time from panel1 to panel1 when a user...

by Path Finder in

Adaptive Response - Log Event

Hello all, I'm using a Correlation Search to create a Log Event as below: hxxps://docs.splunk.com/Documentation/Sp...

by New Member in

Field Extraction - Nothing is happening

To cut a long story short, i'm looking to extract a CVE number for my Vulnerabilities Data Model for ES. An example o...

by Engager in

How to create report of excessive failed login user with head 5?

Hi Team, I want to create a report of excessive failed login users who have more than 5 failed login attempts from...

by New Member in

How to change frequency of messages received in splunk

I am receiving lot of messages in Splunk. I want to change the frequency of the messages receiving in splunk. Kindly ...

by Contributor in

Splunk Add-on for Microsoft Office 365

Hi, I receive all the data from different tenants, but my data is not tagged to be able to use it in my Enterprise...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Empty 'sourcetype' field in Authentication data model if tstats query used

Query to detect activity from inactive account

Recommended CPU for client workstation accessing Splunk Enterprise Security

Tweek Enterprise Security when having few log inputs

How to Write query for TCP port activity in splunk ES

Phantom: How to run Splunk search and add data to artifact rather than widget

how do i calculate the average of logs received from a sourcetype over last 30 days and then compare if percentage dip is is more than 70% in last 24 hours

How to leverage multiple lookup tables in a search

Splunk Ignores my cron and sets his own daily

ms:o365:reporting:messagetrace props.conf settings for timestamp recognition

How to extract the following fields?

How to setup custom admin password for Splunk on Kubernetes

Radiobutton issue: have to reselect it every time to be able to resubmit the search

New file with extension (dot).lock

calculate the difference between current time and Last event time and then display the difference in days

Issue with field value update in lookup cache file

Do Splunk Partners offer employment on a vocational basis?

Does Splunk support double NIC interfaces on the private network to improve performance?

How can I merge multiple fields per event and separate them using a delimiter, but keep each event separate in my table/stats results?

Eval for passing String format Time value to Number format to drill down panel trough tokens $row.time$

Adaptive Response - Log Event

Field Extraction - Nothing is happening

How to create report of excessive failed login user with head 5?

How to change frequency of messages received in splunk

Splunk Add-on for Microsoft Office 365

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Editing the alert that is sent to PagerDuty

Is it possible to make it mandatory to assign Owne...

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...