Does anyone know of a rest call that can be used to kill all adhoc queries for a user?  I do not wish to all users searches, nor do I want to kill schedule searches for that user. I have the following rest query to identify the current running query for Running_man. | rest /services/search/jobs/ | search author=Running_man dispatchState=RUNNING | search NOT id=*scheduler* | table title id normalizedSearch runDuration I just would like to be able to kill/stop the results found versus having to go into the job manager. ... View more

Our Splunk instance is being overhauled and I need to update all of the content that has been built. We have some indexes that are changing name, and I am looking for a query that I can run to find all Dashboards, Reports and Alerts that are based of specific indexes. I.E. index=main is changing to index=core. I need to search for all Dashboards, Reports and Alerts that reference index=main so I can change them to index=core. ... View more

I have a report "CheckPoint Blocks" that has a time span of 1 hour. I have accelerated that report for 1 month. I have a Dashboard and have added from Reports "CheckPoint Blocks". The dashboard panel shows data for the 1 hour of the original report. How do I show data from the Accelerated Report for 1 month in the dashboard? ... View more

I am trying to make sure that I am doing this correctly, because it doesn't appear to be working. I have a report for last 24 hr of CheckPoint drops. i.e. index=CheckPoint action=dropped | timechart count by action I then select Report Acceleration and select 1 month. I then create a dashboard that uses the same Report query with a time span of 30 days. i.e. index=CheckPoint action=dropped | timechart count by action Report Acceleration completes. The dashboard should use Report Acceleration to populate, correct? ... View more

I am using report acceleration. My orginal report was for 1 hr. index=ckpfw002 sourcetype=opsec action=blocked OR action=dropped | timechart count I accelerated the report for 30 days. Now that it is 100% completed, when I run the report for say 7 days, it says "Dispatch Command: The search processs with sid=1554406128.97404_37C9C149-435D-43B6-AA71-9D2A5518DF5F was forcefully terminated because its physical memory usage (28177.609000 MB) has exceeded the 'search_process_memory_usage_threshold' (24000.000000 MB) setting in limits.conf." When I look at the job inspector, it is using the accelerated report --> [splunk-idx-1023] Using summaries for search, summary_id=C67F4BC3-E7CF-4AC4-9CF9-090758F478F6_search_u621929_NS000f0d20f92d3c54, maxtimespan=30m I am trying to do a timechart for the entire month, but it fails even when I select 7 days. Any Suggestions? ... View more

I have a lookup with 4 fields per record. I want to update one of the fields, a timestamp with the last seen event time per host. How do I have the search query find the results and update just the timestamp field in the lookup table? I.E Lookup.csv CLM_pair Firewall_name Logging_Device Last_Seen Here is what I am trying but doesn't work. | inputlookup CheckpointFW.csv | append [ search index=ckpfw002 sourcetype=opsec | rex "CN=(?P \S+)," | fields _time FW | stats values(FW) as "Firewall_Name" latest(_time) as "Last_Seen" by FW | convert ctime("Last_Seen") ] | stats count by Firewall_Name Last_Seen | outputlookup append=true CheckpointFW.csv ... View more

We are having issues with a OPSEC LEA connector. The Checkpoint firewall is showing say 5,000,000 events per hour. Using Metrics from Splunk; index=_internal host="splunk-fwd-1 component=Metrics | stats sum(ev) as Total | eval Total_Events=round(Total) | fields - Total | fieldformat Total_Events=tostring(Total_Events,"commas") Shows 5,500,000 events for the time frame process by the forwarder. Using TSTATS; | tstats count where index=checkpoint by host,_time span=1m | search splunk_forwarder=splunk-fwd-1 | chart sum(count) AS Total_Event_Count | fieldformat Total_Event_Count=tostring(Total_Event_Count,"commas") Shows 3,000,000 events for the time frame indexed Where are the events? We see that using index data that the event count vs what is seen on the firewall is significant less than expected. Even if we go back say a month, it isn't like the events are delay coming in. Are we really losing 2 million events per hour? ... View more

I am running 2 searches from 2 different source types. Search 1 Search for sidewinder traffic that went through attempting to make an FTP connection [search index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT |stats count by dest_IP url | rename dest_IP as dest_ip | fields dest_ip ] Search 2 Search the checkpoint firewall traffic for the previous traffic adding the policy that fired. index=checkpoint rule=* My search: index=checkpoint rule=* [search index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT |stats count by dest_IP url | rename dest_IP as dest_ip | fields dest_ip ] | stats count by dest_ip policy_name My search works, but I don't know how to bring the URL from the sub search, because when I do it then searches for it in the 2nd search and URL is not there. In the end I would like a stats count by dest_ip policy_name url ... View more

We have multiple people making changes to the content in Splunk Enterprise Security and I need to be able to track down when someone changed content. ... View more

We would like to add domains to the current threat list. I would think I could add to local_intel_domain or local_intel_http to have the domains be found. However, after attempting to add to either, and rebuilding the data model, nothing is found. Thanks ... View more

I recently upgraded Optiv Threat Intel app and all of my proxy information disappeared. I have been searching around but can't find where to put the proxy settings? ... View more

I have downloaded and installed OPTIV on my search head. It is installed in /opt/splunk/etc/apps. When the dashboards populate, the ones that reference dnslookups shows the following error: Error in 'dnslookup' command: Cannot find program 'dnslookup' or script 'dnslookup'. ... View more