...ctive for the period I searched:
| tstats allow_old_summaries=true count from datamodel=Intrusion_Detection by IDS_Attacks.signature | `drop_dm_object_name("IDS_Attacks")` | xswhere count from c...
...orrelation search around this searching. This user in a given hour had 2972, and checking with | xsWhere identity_id FROM email_count_per_1h_by_user IN email_count_per_1h_by_user by identity_id is above h...
Hello,
Some correlation searches don't trigger. When I copy the search and try to run it in the search window, I get the error: "command="xswhere", [Errno 13] Permission denied". Is this related t...
I cannot find anything in the docs regarding "xswhere" and this "is above high".
Here is the query:
| tstats allow_old_summaries=true count as web_event_count from datamodel=Web by Web.src, W...
...eb.http_method
| `drop_dm_object_name("Web")`
| xswhere web_event_count FROM count_by_http_method_by_src_1d in web by http_method is above high
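To make the `is above high` clause concrete, here is an added example (not from the original thread, and not Splunk's or Extreme Search's own code) that models what a data-driven context does for a search like the one above: a baseline of `web_event_count` per `http_method` is summarised per class, concept bands are derived from it, and today's rows are kept only when their count is above the named concept for their class. The band edges (standard deviations above the class mean), the `MIN_SIGMA` floor, the behaviour for a class with no context, and all counts and source addresses are assumptions made for the illustration; real Extreme Search concepts are fuzzy sets whose exact membership functions are not reproduced here.

```python
"""Simplified model of `xswhere <field> from <ctx> in <app> by <class> is above <concept>`.

Added example, not the Extreme Search implementation. The concept bands are an
assumption: each concept's lower bound is the class mean plus k standard deviations.
"""
from statistics import mean, pstdev

# Concepts a data-driven domain context names, with assumed band edges in sigmas.
CONCEPT_SIGMAS = {"minimal": -2.0, "low": -1.0, "medium": 0.0, "high": 1.0, "extreme": 2.0}
MIN_SIGMA = 1.0  # assumed floor so a constant baseline (sd = 0) still yields usable bands


def build_context(history):
    """Mimic building a DD context: per class, a lower bound for every concept."""
    context = {}
    for cls, values in history.items():
        mu = mean(values)
        sigma = max(pstdev(values), MIN_SIGMA)
        context[cls] = {name: mu + k * sigma for name, k in CONCEPT_SIGMAS.items()}
    return context


def is_above(value, cls, concept, context):
    """True when value exceeds the concept's lower bound for its class.

    Assumption: a class that has no context entry never matches, so rows for
    classes missing from the baseline are dropped rather than alerted on.
    """
    bounds = context.get(cls)
    if bounds is None:
        return False
    return value > bounds[concept]


def xswhere_above(rows, field, class_field, concept, context):
    """Filter rows the way the xswhere clause does, keeping only matches."""
    return [r for r in rows if is_above(r[field], r.get(class_field), concept, context)]


# Constructed baseline: daily web event counts per http_method over five days.
HISTORY = {
    "GET": [100, 120, 110, 130, 90],   # mean 110, sd ~14.1
    "POST": [10, 10, 10, 10, 10],      # sd 0, so MIN_SIGMA applies
}

# Constructed current results, shaped like the tstats output after drop_dm_object_name.
TODAY = [
    {"src": "10.0.0.5", "http_method": "GET", "web_event_count": 150},
    {"src": "10.0.0.7", "http_method": "GET", "web_event_count": 115},
    {"src": "10.0.0.8", "http_method": "POST", "web_event_count": 12},
    {"src": "10.0.0.9", "http_method": "PUT", "web_event_count": 500},  # no PUT context
]


def flagged_sources(concept):
    """Sources whose count is above `concept` for their http_method class."""
    context = build_context(HISTORY)
    return [r["src"] for r in xswhere_above(TODAY, "web_event_count", "http_method", concept, context)]


if __name__ == "__main__":
    for concept in ("medium", "high", "extreme"):
        print(f"is above {concept}: {flagged_sources(concept)}")
```

Note that 10.0.0.9 is never returned even with 500 events, because `PUT` has no entry in the context: a correlation search built on xswhere is only as good as the classes present when the context was last generated, which is worth checking before concluding that a search "doesn't trigger".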
What makes it a correlation search?
...uthentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from f...
...etwork_Traffic.All_Traffic by All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
Was able to add the "a...
...uthentication")` | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | `settags("access")`
What I am trying to do is use this to build a Splunk Enterprise S...
...llow_old_summaries=true count from datamodel=Network_Traffic by All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| localop
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port i...
...uccess > 0 | xswhere failure from failures_by_src_count_1d in authentication is above medium | `settags("access")`
^ This search shows successful/failed authentication only by remote (and I need i...