Splunk Enterprise Security

Discussions

Thread Info

How to query for similar events from aggregated data and few other criteria.

Hi, I'm trying to find/create a splunk query for the following. My log is something like below: time=2018...

by Explorer in

In Splunk Enterprise Security, how come the Incident review dashboard isn't returning events intermittently?

In the Splunk incident review dashboard, when the customer is clicking on the submit button, they can see the event c...

by Splunk Employee in

It is possible to group notable events in Incident Review for Splunk Enterprise Security?

I have a couple searches that trigger in Incident Review and I want to group them up by count. And than let the drill...

by Explorer in

How do I change the first and last time to actual timeformat="%y-%m-%d %H:%M"?

I am looking to take the default datamodel search -- | tstats summariesonly max(_time) as lastTime from datamodel...

by New Member in

Cannot jump to Ad-Hoc AR action result, 'orig_action_name' changed when 'tag=modaction_result' is applied

Splunk Enterprise Version: 7.1.2 Enterprise Security Version: 5.1.0 Build: 12 When testing our AR action addon ...

by Explorer in

User Not listed in Enterprise Security's Owner list

In my environment, i have configured authentication on Splunk via SAML in our organization. There's one user which is...

by Path Finder in

Can you help me with the following Enterprise Security 5.11 Install error?: "Unable to initialize modular input"

I just installed Splunk Enterprise 7.2.0, which shows that it is a supported platform for Enterprise Security 5.11. ...

by New Member in

Splunk Enterprise Security: How do you stop emails from a suppressed alert in a correlation search?

I have a search that monitors alerts created by an IDS. I have begun going through the triggered alerts to suppress t...

by Explorer in

How do you create a correlation search in Splunk Enterprise from a simple search of an index?

I have a simple search alert such as (index=A src_user=userA) which uses lookup tables to filter data. I'd like these...

by New Member in

What is the best way to learn how to use Splunk Enterprise?

So this post is more of a question in relation to how people have gained knowledge of using Splunk Enterprise as well...

by Path Finder in

How come I'm unable to disable a correlation search nor able to save the changes made on it?

Hi All, This is a two fold question. Specs: Splunk Enterprise Security Version 6.6.1 Problem 1: I'm trying t...

by Communicator in

Splunk Security Essentials : Data Exfiltration

Hi, SSE use case maps to the MITRE ATT&CK tactics. As we can see from MITRE ATT&CK, each tactic has various techn...

by Explorer in

Why can't I see most of the dashboards after migration from ES 4.7.1 to Splunk Enterprise Security 5.1.1?

Splunk Enterprise is migrated from 6.5.3 to 7.1.2 and also Splunk Enterprise Security App has been upgraded from 4.7...

by Splunk Employee in

REST API "nearby events'

I'm trying to automate a search using the REST API to provide a list of events that occur x seconds before and after ...

by Path Finder in

Can you help me with a problem i'm having with my pie chart?

So I'm having a strange issue that I'm hoping someone can help me with. I have a pie chart with two goals: 1. Show...

by Path Finder in

Can you help me build a query which would generate a list of enabled usecases in Splunk Enterprise Security App along with the last triggered time?

Hey Guys, Could anyone suggest me a query for the below scenario. I need a Splunk query to show the list of ena...

by Explorer in

How come I can't find the Splunk Add-on builder in the Splunk Enterprise Sandbox?

In my Splunk Enterprise sandbox (cloud evaluation), I cannot find the Splunk Add-on Builder app in the Apps > Browse ...

by Explorer in

An error while exporting a Data Model to Phantom

Hello, I'm trying to export a Data Model from Splunk Free to Phantom using Phantom App. After configuring the nece...

by New Member in

Perfmon Dashboard/Report Help

Hello All, We've been expanding what gets into Splunk and have added Perfmon data. I'm looking for some documentat...

by Path Finder in

How do I create a multivalue field with an eval function?

I need to create a multivalue field using a single eval function. I'm using Splunk Enterprise Security and a numb...

by Contributor in

Splunk ESS index does not have any data

Hi all, I am new to splunk. I have installed splunk ESS(5.2) on search head. Splunk environment has one search hea...

by Path Finder in

Same Licence over multiple instances

Hi, We have an enterprise version of Spunk and are running numerous instances of Splunk with LicenceMaster. We have o...

by New Member in

Can you help me come up with the regex to extract multiple format events?

2018-09-28 14:33:23,Virus found,IP Address: 127.0.0.1,csk name: abcd012018-09-25T09:07:02.240377+00:00 0.0.0.0 Sep 25...

by Path Finder in

ES Health "unshipped" audit

Hi there, Is the ES health audit upgrade, "unshipped" section entirely accurate? Asking as there have been multipl...

by Builder in

How can I use an inputlookup command to return results that are not limited to one file?

I want to use inputlookup to search only a certain set of hosts. These are in a .csv file. I have the query and it's ...

by Communicator in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to query for similar events from aggregated data and few other criteria.

In Splunk Enterprise Security, how come the Incident review dashboard isn't returning events intermittently?

It is possible to group notable events in Incident Review for Splunk Enterprise Security?

How do I change the first and last time to actual timeformat="%y-%m-%d %H:%M"?

Cannot jump to Ad-Hoc AR action result, 'orig_action_name' changed when 'tag=modaction_result' is applied

User Not listed in Enterprise Security's Owner list

Can you help me with the following Enterprise Security 5.11 Install error?: "Unable to initialize modular input"

Splunk Enterprise Security: How do you stop emails from a suppressed alert in a correlation search?

How do you create a correlation search in Splunk Enterprise from a simple search of an index?

What is the best way to learn how to use Splunk Enterprise?

How come I'm unable to disable a correlation search nor able to save the changes made on it?

Splunk Security Essentials : Data Exfiltration

Why can't I see most of the dashboards after migration from ES 4.7.1 to Splunk Enterprise Security 5.1.1?

REST API "nearby events'

Can you help me with a problem i'm having with my pie chart?

Can you help me build a query which would generate a list of enabled usecases in Splunk Enterprise Security App along with the last triggered time?

How come I can't find the Splunk Add-on builder in the Splunk Enterprise Sandbox?

An error while exporting a Data Model to Phantom

Perfmon Dashboard/Report Help

How do I create a multivalue field with an eval function?

Splunk ESS index does not have any data

Same Licence over multiple instances

Can you help me come up with the regex to extract multiple format events?

ES Health "unshipped" audit

How can I use an inputlookup command to return results that are not limited to one file?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

KV Store communication fails with TLS errors after...

Findings Comments

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions