@phil_wong  You would probably want to check the source- threat list activity for the duration that had unknown and find out which event is causing this? its most likely sending 'null' and causing this. If you can fix that, that could avoid 'unknown's coming in the rule/correlation searches. hope this helps. ... View more

Where in Incident Review dashboard, do you see the issue? In title, description, notable?  Generally all these should work with $fieldname$.  If its in the Incident review field values pane, then ensure the field is available as described in https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Customizenotables  Hope this helps. ... View more

UBA monitors the CPU and memory (perf data) of each of the nodes on which the UBA software is installed. However, if you are looking at perf data of workstations in your organisation, you should probably lookup Splunk apps/add-ons like - Splunk for nix, windows and the newer app - https://docs.splunk.com/Documentation/InfraApp/2.2.3/Install/About . Hope this helps. If this helps, pls accept the answer to mark the query resolved. ... View more

Pls ensure the underlying correlation search returns a valid value for UserId, as this will be used in the Incident review screen. ... View more

Hi @VijaySrrie,  we don't need to explicitly define conf_replication_include.lookups = true, as this is already defined in etc/system/default/server.conf . You would need to ensure the collections.conf and transforms.conf have the correct/required conf - Have a look at the docs and https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/usingconfigurationfiles/  ... View more

I don't think there is an option in the inputlookup/outputlookup to exclude a lookup from replicating across the Search head cluster members. I believe this is by design, as you would want the lookup available across SHs.  However, I understand the need for excluding a file/e.g. backup. Could be a good candidate for Splunk Ideas - https://docs.splunk.com/Documentation/Community/1.0/community/SplunkIdeas  ... View more

One approach you could follow  1.using the LDAP/AD addon that you have pull all the required fields for asset and identity. On to a temp index  2. Using the events from temp index, create, format and validate the fields and create required lookups. 3. Update asset/identity inputs/macros to your custom lookups             ... View more

You would surely need to check license entitlement and support ticket/discussion with your splunk account team for your scenario. Having said that, if site A and site B are subsidiaries of your organisation and if there is a possibility of subnet/ip overlap, you cannot use Splunk ES as it doesn't support multi-tenancy at the moment.  ... View more

If you have web proxy logs, you can see the urls clicked by the user. You can then link the phishing url/user in proxy logs with the email events to understand how many users have clicked the malicious link ... View more

As @richgalloway  says, you would need to consult the lookup file that you have [ with priority assets], before finalizing them for asset/identity. Alternatively, as you know the assets that are critical/high/medium/low priority for you, you can do also something like  |ldapsearch ..... <your search to extract fields> | <format/change to the fields required by asset> | eval priority = < apply your logic to add priority for each asset or default to low> | outputlookup <your_org_assets.csv> However, if you have 2 lookup files  - i.e. one is the output of the ldapsearch and other is your list with priority, you could try to merge them using  [ appears to be new, i haven't tried, but should work ]- https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Overwritewithentitymerge  ... View more

For dashboards, you would need to create the search matching your need and save it as a view. I would also suggest you completing https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html  and looking at Splunk dashboards example app and Splunk unix app in splunk base - https://splunkbase.splunk.com/app/273/   ... View more

Pls follow the process outlined in - https://dev.splunk.com/enterprise/docs/developapps/testvalidate  ... View more

Have you updated updateCheckerBaseURL=0  in local/app.conf for all the apps  in etc/apps or one off in the etc/system/local/app.conf in your Search head(s)?  Sometime, we may have to do this in all apps as anyone could try to reach internet. ... View more

Your scripted input (test1.sh) runs every 5mins and writes the content to a file in tmp (everytime the script runs, it overwrites the content. Not sure if this is what you need). Now, your monitor stanza reads the contents off the file, as and when it sees entries and send them to indexer. As the content of the file could be similar (the first 256 chars, without CRCSalt, it can get ignored - you can see an error/warning in splunkd log about this. Check props.conf for CRCSalt). One option would be to not override the contents, but append to the file and then have a logrotation to manage the size of the file. If you indeed want to override (as in your current approach), when the command returns no json/results, how will you know if the command returned results or not? so perhaps adding some entry to indicate writing to the file and completion status could be helpful. ... View more

As @soutamo suggested, keep the upgrade windows as small as possible. Ideally if you could upgrade all indexers in site 1 on day 1, and site 2 on day 2, that would be good. You only need to put the clusters in mtce mode during the upgrade. After the upgrade of site 1, allow time for bucket fixes /health of the cluster to be back to normal [ SF/RF factors ] and then upgrade the site 2. Use the docs and if possible, test in a diff env. ... View more

One option would be to create a custom adaptive action (AR), which can be manually invoked by the responder. [ Your AR code would need to then collect the required information from the correlation search/search events and send/email as needed] ... View more

In a distributed setup, generally node 1 / ubanode1 is the master node.  ( You can also see them in /etc/hosts file).   In the caspida-deployment.conf file referred in the above link, look for 'container.master.host' and that should indicate your master node and match with node1 in /etc/hosts. Additionally, if you go to UI, System->Cluster->Cluster services, search for UI and that will give the node as well [ assuming UI is setup on master, which is normally the case] ... View more

To my understanding, only Adaptive Actions (AR) written to work within the 'CIM modactions' framework will appear under the 'Adaptive Responses' pane of the incident review dashboard. You could use the Add-on builder (if not using already) to create your custom AR and that could address your need to view/list your AR ... View more

Rather than trying to increase Adaptive Response (AR) timeout, I would try to simplify your correlation search and the other searches required to feed inputs to AR, so they complete quickly. E.g you may pre-process known data/searches, to be used in correlation and/or AR invocations. ... View more

Whats your splunk core and ES version? The searches do get updated (if there is an update, in the default/savedsearches.conf of the respective app). However, if you had overwritten them and have a copy in your local/savedsearches.conf, you would need to validate/reconcile them. ... View more

Generally the TA should means to extract required eventtype (s) to map to Email data model. If it isn't and you are writting custom TA or updating existing TA, I would suggest not combine all events to get full email transaction, but have one or more events only for inbound email and one or more outbound. This way you can create eventtypes for inbound and outbound and then map them to Email datamodel. ... View more