I want to monitor AWS logs sources with various account when ever logs stopped coming for particular sourcetype i need alert for specific  accounts i have tried some thing like this but its not picking right away so any suggested SPL will be apricated ( not sure we can use Tstat so it will be much faster )       index=aws sourcetype="aws:cloudtrail" aws_account_id IN(991650019 55140 5557 39495836 157634 xxxx9015763) | eval now=now() | eval time_since_last=round(((now-Latest)/60)/60,2) | stats latest(_time) as last_event_time, earliest(_time) as first_event_time count by sourcetype aws_account_id | eval time_gap = last_event_time - first_event_time | where time_gap > 4000 | table aws_account_id first_event_time last_event_time time_gap | convert ctime(last_event_time)   ... View more

Hello,  looks like Microsoft Graph Security add all tags to all event type so its not correctly CIM mapped , any one filtered events based on alerts data  and map to correct data models?  for example i need to sort out based on events and map to below data models Malware - IDS - Endpoint - Alert Thx  ... View more

Just trying to find way to get src or dst info for matching signature group by values   | tstats allow_old_summaries=true count from datamodel=Intrusion_Detection by IDS_Attacks.signature | `drop_dm_object_name("IDS_Attacks")` | search [|inputlookup org_applicationattack.csv| fields signature ] | xswhere count from count_by_signature_1h in ids_attacks by signature is above minimal | where count >50 | fields signature count source ids_type vendor action ... View more

Hello, I have request to collect all network data based allowed denyed and dropped traffic info from various network feeds. Unfortunately my network data model is not set only 15 days worth of data so i have to run manual searches to collect data so any help will be much appreciated . I have tried with below one but not showing all data and any help will be much appreciated | tstats summariesonly=t allow_old_summaries=f count FROM datamodel=Network_Traffic.All_Traffic WHERE index=* BY sourcetype All_Traffic.action _time span=1h | rename All_Traffic.* AS * | stats count As total_connections count(eval(action=="allowed")) AS allowed count(eval(action=="blocked" OR action=="dropped")) AS blocked BY _time, sourcetype | eval pct_blocked = 100 * blocked / total_connections ... View more

Hello Splunkers, Can you help me below case to build splunk search. I have firewall data coming to index=firewall so i need to filter based on results from my external lookups fields IP as well matching domain name from the indexed data. index=firewall | lookup url.csv | fields url | lookup domain.csv | fields domain | .. etc any of the matching fields from indexed data. ... View more

Hello Splunkers, Im posting this answers here since lack of documentation from splunk side to get fire-eye data using HEC method. Step1 - Generate HEC token in your splunk side as normal way and select index and sourcetype etc.. Step2 - Go fire-eye console and use below settings to update a. Under Appliance Settings > Notifications > HTTP, configure a new HTTP Server as follows..  URL: https:// /services/collector/raw  Auth: True  Username: x  Password: Splunk token generated in Step 1  SSL Enable: True Test the Integration Run a test on an endpoint that would trigger an XPLT, EXC or PRS alert Alternatively, you can also test with the following curl command: curl -k -u "x:" https://10.xx.250.12:8088/services/collector/raw -d '{"event":"Basic Auth!"}' I hope this answer will help other splunkers on fire-eye data issues through HEC method. ... View more

Happy Splunking, We have a situation on our search head cluster nodes and one of the peer node KVstore is filling up, so not sure we can clean manually or is there any process to backup and clean? What are the limitations if we clean all the data? /opt/splunk/var/lib/splunk/kvstore -190GB ... View more

Hello splunkers, Just trying to add appropriate tags and map to data model in ES for AWS log sourcetype -aws:s3:accesslogs Any one had any luck what data model fits fr this log sources and what types of tag i can add it. ... View more

when i run below search its extracting data from AWS bucket so how ican convert this to search time in splunk cloud add to permanently. index=test "aws.guardduty" | rename "BodyJson.detail."* as "detail."* | rename "BodyJson."* as ""* ... View more

Hello, Any one have any luck with extracting jason format data for sourcetype foraws:sqs:securityhub. Currently that sorcetype not extracting properly . Any help will be appreciated .. ... View more

Hello, following ES CS was triggering lot of notable events "Geographically Improbable Access Detected " did any one had luck to tune this and whit listed unwanted stuff. Please share your experience to fix this one. any alternative search we can use ? let me know your thoughts . TIA ... View more

Hello Splunkers. I have following sample data with more then 1000 ids .. so what im looking is when radio status down i want include near radio id information also in my alert search radioid=101 radiostatus=down region=Europe radioid=102 radiostatus=up region=Europe radioid=103 radiostatus=down region=Europe radioid=104 radiostatus=down region=America For example if radioid 103 was down then i need status of radio id 102 as well 104 status like near range radio id status info also i want to add in search . ... View more

Hello Looking for some help for Geo stats command. I have following fields showing splunk index time - name,host,State,region_id,longitude,latitude,info,geo,status (up/down value) I need help to construct search query like with geostats showing maps. Like host status down(RED)/up (Blue) with pie chart with info showing in maps. All im trying to do is use Geostats command to show my fields info in maps. some thing like below. index=test status="*" | dedup host | iplocation host| geostats latfield=latitude longfield=longitude count by status | eval redCount = if(status=Down, Down, 0) | eval greenCount = if(status=UP, TOTAL,0) | fields - TOTAL ... View more

Hello Splunkers, I have inputlooku test.csv and containing fields host region I have indexed data under test index containing fields host location status area DC So what i need take input from look up table field host and search with in indexed data for status . I was trying below one but not sure this is correct . index=test  status="Down"  [| inputlookup test.csv | fields host] | dedup host | table host status DC any thing is fine either before filter or after filter goal is to just show the results for host which are in my list. ... View more

Hello Splunkers, I have following uniq fields in search results radioid, radiostatus, region I need to write alerts to like this Action: 1.) If only one radio status changed to “down” within the same geographic area. Open Ticket with severity “Major” and proceed with Troubleshooting. 2.) If two or more radio status changed to “down” within the same geographic area. Open Ticket with severity “Critical” and proceed with Troubleshooting. any help will be much appreciated . ... View more

Hello Splunkers we have splunk managed cloud ES and i have enabled all correlation searches as per doc the way we do on Prem ES. Nothing showing ES posture dashboards and notable events are empty no data under notable index we mapped data models and we validated data with data model fields every thing is there but ES and notable index is empty BW this is splunk managed cloud product ... View more

I have following fields in my splunk radioStatus,bitChange,DeviceChange,Temp,Humidity. index=test | table radioStatus: Running or Down bit Change: 0=Closed & 1=Open deviceChange 0=Normal or 1=Moved Temp: 90 degrees or below= Normal Above 90 degrees = Abnormal --( regular values in between 1-90) Humidity: 0-80% = Normal, Above 80%= Abnormal ( regular values in between 1-80) Case 1)create alert if Radio status down and with respective to "Temp" change is above 90 Case 2)create a alert if Radio status running "Humidity" Above 80%= Abnormal Case 3)create a alert if "Temp"changes Above 90 degrees = Abnormal for radios Case 4) Create a alet if "Device" change 1=Moved with "Temp" Above 90 degrees = Abnormal ... View more