@ITWhisperer What caused the creation of these "D:\Splunk\var\spool\splunk\99ec742c0c976c35_events.stash_new" files? Instead of spool files, that should be the name of the report. Do stash-spool files get created when a saved search is used ad hoc or backfill? When there are no spool files being created by scheduled?
I tried this query but it's showing something like this. But when I checked with Excel for this number 45123, it's showing as 07/16/23. @ITWhisperer
It is not clear whether there is an issue - to me it looks like the reports that were run on Feb 29th were done manually / ad hoc to back-fill the summary index for the earlier weeks before the schedule was set up and running correctly.
ep_winevt_ms* - This index is mapped in Data Model Macros. I want to exclude all other indexes in (ep_winevt_ms*) and take the count as 1 to know the unique indexes. @ITWhisperer
I have 10 indexes starting with "ep_winevt_ms". So I am using * here: "index=ep_winevt_ms*". But when taking the | stats count I want only 1 count for the entire "ep_winevt_ms*". I don't want 10 counts for "ep_winevt_ms*". Please help.
MDI logs are generated on the security.microsoft.com portal and are not present locally on the servers where the Splunk forwarders and MDI sensor are installed. There is a possibility with Sentinel [ https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration ], but we want to do this with Splunk. We might not be able to install anything on the portal. Do we have a set of documentation available on how to send the MDI logs from the security.microsoft.com portal to Splunk?
So, you need to configure the inputs for the forwarders so that they know where to look for the MDI logs: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Admin/IntroGDI
What are MDI logs? Where are they stored? Do you have Splunk forwarders on there too? There are a lot of unanswered questions about your environment and the potential ways that data can be ingested into Splunk. Have you ingested other data sources? Can you modify these to include the MDI logs?