I have another question. I tried to post it through "ask a question" but due to my reputation points problem (currently I have only 24) I am not able to post it.
Hope you understand the situation and help me out to understand properly.
===================
I am new to Splunk. I have one correlation rule. For some of it I got the understanding, but most of it I am unable to interpret. Below is the correlation rule:
| tstats allow_old_summaries=true
dc(Malware_Attacks.date) as "day_count",
count from datamodel=Malware where nodename=Malware_Attacks by "Malware_Attacks.dest","Malware_Attacks.signature"
| rename "Malware_Attacks.dest" as "dest","Malware_Attacks.signature" as "signature"
| where 'day_count'>3
I will be grateful if someone helps me to decode that.
Thanks
=========================
Can you please advise me on that, because after that I need to amend that rule a little bit. [I need to add Malware_Attacks.action=blocked in the query.]
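To make the semantics of the tstats search above concrete, here is an added Python model of what it computes (not Splunk code and not from the original post): it groups constructed sample events by dest and signature, counts events and distinct dates per pair, and keeps pairs seen on more than three days, with an optional action filter standing in for the Malware_Attacks.action=blocked amendment. The field names and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample events standing in for the Malware_Attacks node of the
# Malware data model (assumed fields: dest, signature, date, action).
EVENTS = [
    {"dest": "host-a", "signature": "Trojan.Gen", "date": "2023-01-01", "action": "blocked"},
    {"dest": "host-a", "signature": "Trojan.Gen", "date": "2023-01-02", "action": "blocked"},
    {"dest": "host-a", "signature": "Trojan.Gen", "date": "2023-01-03", "action": "blocked"},
    {"dest": "host-a", "signature": "Trojan.Gen", "date": "2023-01-04", "action": "allowed"},
    {"dest": "host-a", "signature": "Trojan.Gen", "date": "2023-01-05", "action": "blocked"},
    {"dest": "host-a", "signature": "Trojan.Gen", "date": "2023-01-05", "action": "blocked"},
    {"dest": "host-b", "signature": "Worm.X", "date": "2023-01-01", "action": "blocked"},
    {"dest": "host-b", "signature": "Worm.X", "date": "2023-01-02", "action": "blocked"},
    {"dest": "host-b", "signature": "Worm.X", "date": "2023-01-03", "action": "blocked"},
    {"dest": "host-b", "signature": "Worm.X", "date": "2023-01-04", "action": "allowed"},
    {"dest": "host-c", "signature": "Adware.Y", "date": "2023-01-01", "action": "blocked"},
    {"dest": "host-c", "signature": "Adware.Y", "date": "2023-01-02", "action": "blocked"},
]


def malware_day_count(events, min_days=3, action=None):
    """Model of the correlation search.

    'by dest, signature'      -> group events per (dest, signature) pair
    'dc(date) as day_count'   -> number of distinct dates in the group
    'count'                   -> number of events in the group
    'where day_count > 3'     -> keep only pairs seen on more than min_days days

    If action is given, only events with that action are counted. In SPL the
    same restriction is expressed by adding Malware_Attacks.action=blocked to
    the where clause of the tstats command, before the 'by' fields.
    """
    counts = defaultdict(int)
    dates = defaultdict(set)
    for ev in events:
        if action is not None and ev.get("action") != action:
            continue
        key = (ev["dest"], ev["signature"])
        counts[key] += 1
        dates[key].add(ev["date"])
    results = []
    for key, n in counts.items():
        day_count = len(dates[key])
        if day_count > min_days:
            results.append({"dest": key[0], "signature": key[1],
                            "day_count": day_count, "count": n})
    return sorted(results, key=lambda r: (r["dest"], r["signature"]))


if __name__ == "__main__":
    print(malware_day_count(EVENTS))                    # host-a and host-b fire
    print(malware_day_count(EVENTS, action="blocked"))  # only host-a still fires
```

Note that the action filter changes which pairs fire: host-b is seen on four days overall but on only three days with action=blocked, so it drops below the threshold once the filter is added.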