Splunk Enterprise Security

Discussions

Thread Info

How to create a correlation search from a threat intelligence feed

I wanted to take malicious IP's/URL's that the threat Intel feeds provides and compare them against logs/traffic we s...

by New Member in

New Security Domain

I want to add a new Security Domain called "Email" in Enterprise Security (ES) App and later map it to notables. Righ...

by Explorer in

ES Upgrade 4.7.1 to 5.2.0 (customized .xml, .json files functionality)

Hi Team, We are performing Splunk ES upgrade from 4.7.1 to 5.2.0. Post upgrade, I have few .xml, .json files that ...

by Path Finder in

Custom Alerts in SPLUNK Enterprise

We have recently installed Enterprise Security and have enabled a few use cases. This was done with the guidance of S...

by Contributor in

[ES Managed Lookup] error: "An error occurred" in popup window when clicking "Stop managing"

When creating a managed lookup and the destination app is chosen to be a custom app we made (that ES inherits), it cr...

by Splunk Employee in

How do I determine why a Correlation Search isn't creating a notable event when I expected one?

I have a Correlation Search that didn't generate notable events in a couple where I think it should have. How can I d...

by Champion in

Splunk Enterprise Security: How to exclude indexes from Authentication Data Model

How to exclude some indexes from authentication data model? We have some indexes such as lastchanceindex, but eventty...

by Path Finder in

Searching notable events in ES to match user field

Folks, I'm trying to match a field (user) from a search to see if any previous notable events ES have been generated ...

by New Member in

Linux encryption

We're looking into full disk encryption and was looking in Linux full disk encryption. Any concerns you can think of?

by New Member in

Enterprise Security: How can I trace the notable events?

I created a correlation search that should have produced notable events. How can I trace these notable events?

by Motivator in

We are attempting to setup local lookup file as a threat intelligence download

( as per https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Addthreatintelcustomlookup) . and are unable to use thi...

by Splunk Employee in

Problem on Changing Syslog Sourcetype

The problem is on changing syslog sourcetype into another one. I read all splunk answer about it. I am following the ...

by New Member in

How to track inbound and outbound traffic from firewall logs

Hi helpful people, I am trying to create a use case which will monitor source and destination traffic(like both co...

by Engager in

add variables into serach name

under correlation search can we add certain variables like $src$ | $dest$ into search name: actually we are sendi...

by Path Finder in

Help with regex to print the value Total_bytes_recv and Total_bytes_send from log

Log: Aug 28 17:46:20 192.168.111.14 08/28/2019:16:46:18 GMT 0-PPE-0 : default TCP OTHERCONN_DELINK 1091143 0 : Sou...

by New Member in

How to get correlation searches to trigger on older data?

We had an incident on a device that we had not had a chance to ingest logs into Splunk. That incident occurred 2 week...

by New Member in

How do I merge two searches into one, and have all the fields filled in?

I have two seperate searches that I appended together, but I only need one field out of the second search. My problem...

by New Member in

How can end user help improve overall Splunk Enterprise Security speed?

My Splunk Admin is the landlord and I'm the tenant. Let's say the landlord is dealing with personal matters and canno...

by Communicator in

Datamodel status building since long

I have Email datamodel that ships alongwith Splunk ES. It's in building status and it's accelerated too. How to troub...

by Communicator in

How to Add Workflow Search Action under notable event

From a Splunk custom App, I need to add the workflow action which should be displayed under the Actions menu for the ...

by Explorer in

Difference between Palo alto all indecent and ES notable events?

Hi Splunkers, We are getting critical incidents in Palo alto All incidents dashboard. We configured ES threat act...

by Champion in

Help with Suspect IP hits to my web.

Hello, I have WEB IIS Logs. we have IP addresses in the web logs and want to know when web hits from suspect IP'...

by Communicator in

Can a Splunk Heavy Forwarder send data via UDP or does it have to be TCP?

Can a Splunk Heavy Forwarder send data via UDP or does it have to be TCP? We need to implement a one-way transfer...

by Explorer in

Current User Variable within Adaptive Response

We're using an adaptive response rule to create tickets for our notable events. One item that I need is the current l...

by Path Finder in

Enterprise Security: why don't the events get indexed to the notable index?

This one is, in a sense, a continuation of Enterprise Security: How can I trace the notable events? Running - inde...

by Motivator in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to create a correlation search from a threat intelligence feed

New Security Domain

ES Upgrade 4.7.1 to 5.2.0 (customized .xml, .json files functionality)

Custom Alerts in SPLUNK Enterprise

[ES Managed Lookup] error: "An error occurred" in popup window when clicking "Stop managing"

How do I determine why a Correlation Search isn't creating a notable event when I expected one?

Splunk Enterprise Security: How to exclude indexes from Authentication Data Model

Searching notable events in ES to match user field

Linux encryption

Enterprise Security: How can I trace the notable events?

We are attempting to setup local lookup file as a threat intelligence download

Problem on Changing Syslog Sourcetype

How to track inbound and outbound traffic from firewall logs

add variables into serach name

Help with regex to print the value Total_bytes_recv and Total_bytes_send from log

How to get correlation searches to trigger on older data?

How do I merge two searches into one, and have all the fields filled in?

How can end user help improve overall Splunk Enterprise Security speed?

Datamodel status building since long

How to Add Workflow Search Action under notable event

Difference between Palo alto all indecent and ES notable events?

Help with Suspect IP hits to my web.

Can a Splunk Heavy Forwarder send data via UDP or does it have to be TCP?

Current User Variable within Adaptive Response

Enterprise Security: why don't the events get indexed to the notable index?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Log ingestion delay

Palo Alto apps and add-ons for splunk

Dashboard PNG schedule export setting is not viewa...

Incident_updates_lookup not updating urgency and r...

Create Investigation SOAR

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions