Hello, I have two saved searches saved in the same app in a SH with EnterpriseSecurity: from Splunk ES Content Management section, one has type "Saved Search", the other has type "Correlation S...
Does it make sense to turn data model acceleration on for the Incident Management data model (default summary range is "None")? Of concern in this case is the Expired Entity Activity search in Splunk...
We are using datamodel_summary heavily for Splunk Enterprise Security and it's quite slow in datamodel acceleration. Are there any good practices to speed up this acceleration from a design point of v...
...ight after getting Splunk Enterprise installed on their local machine. It can be daunting to log into Splunk for the first time and know what the heck you should do. A person can get through the in...
I'm trying to set up Splunk to find suspicious traffic in incoming and outgoing traffic. Right now I'm trying to exclude traffic that comes from places that are not suspicious (whitelist) like social m...
I've used Splunk Stream app to get DNS logs from a Windows DNS server. I got the logs to a Search Head instance that has the Enterprise Security app. However, I can't seem to the data, which is in...
Phantom version 4.1.94
Splunk version 6.6.5
Splunk Phantom App 2.5.23
ES version 4.7.1
When I go to Splunk ES Notables, I am also not able to see the "Send to Phantom" action in "Run Adaptive R...
We have Splunk Enterprise Security and use the correlation searches along with notable events for incident handling. We also have alerts set up. However, the alerts don't have the incident h...
...owards: Running at least two instances of Splunk Enterprise, so that we have redundancy and load balancing and can transparently upgrade. The instances would not have any indexer or search head f...
...in / Nix TAs)
It seems that there was a lookup to filter default accounts in the previous version of ES (see: https://answers.splunk.com/answers/120628/manage-splunk-app-for-enterprise-security-d...