Just trying to find way to get src or dst info for matching signature group by values   | tstats allow_old_summaries=true count from datamodel=Intrusion_Detection by IDS_Attacks.signature | `drop_dm_object_name("IDS_Attacks")` | search [|inputlookup org_applicationattack.csv| fields signature ] | xswhere count from count_by_signature_1h in ids_attacks by signature is above minimal | where count >50 | fields signature count source ids_type vendor action ... View more

Hello, I have request to collect all network data based allowed denyed and dropped traffic info from various network feeds. Unfortunately my network data model is not set only 15 days worth of data so i have to run manual searches to collect data so any help will be much appreciated . I have tried with below one but not showing all data and any help will be much appreciated | tstats summariesonly=t allow_old_summaries=f count FROM datamodel=Network_Traffic.All_Traffic WHERE index=* BY sourcetype All_Traffic.action _time span=1h | rename All_Traffic.* AS * | stats count As total_connections count(eval(action=="allowed")) AS allowed count(eval(action=="blocked" OR action=="dropped")) AS blocked BY _time, sourcetype | eval pct_blocked = 100 * blocked / total_connections ... View more

Hello Splunkers, Can you help me below case to build splunk search. I have firewall data coming to index=firewall so i need to filter based on results from my external lookups fields IP as well matching domain name from the indexed data. index=firewall | lookup url.csv | fields url | lookup domain.csv | fields domain | .. etc any of the matching fields from indexed data. ... View more

Hello Splunkers, Im posting this answers here since lack of documentation from splunk side to get fire-eye data using HEC method. Step1 - Generate HEC token in your splunk side as normal way and select index and sourcetype etc.. Step2 - Go fire-eye console and use below settings to update a. Under Appliance Settings > Notifications > HTTP, configure a new HTTP Server as follows..  URL: https:// /services/collector/raw  Auth: True  Username: x  Password: Splunk token generated in Step 1  SSL Enable: True Test the Integration Run a test on an endpoint that would trigger an XPLT, EXC or PRS alert Alternatively, you can also test with the following curl command: curl -k -u "x:" https://10.xx.250.12:8088/services/collector/raw -d '{"event":"Basic Auth!"}' I hope this answer will help other splunkers on fire-eye data issues through HEC method. ... View more

Happy Splunking, We have a situation on our search head cluster nodes and one of the peer node KVstore is filling up, so not sure we can clean manually or is there any process to backup and clean? What are the limitations if we clean all the data? /opt/splunk/var/lib/splunk/kvstore -190GB ... View more

Hello splunkers, Just trying to add appropriate tags and map to data model in ES for AWS log sourcetype -aws:s3:accesslogs Any one had any luck what data model fits fr this log sources and what types of tag i can add it. ... View more

when i run below search its extracting data from AWS bucket so how ican convert this to search time in splunk cloud add to permanently. index=test "aws.guardduty" | rename "BodyJson.detail."* as "detail."* | rename "BodyJson."* as ""* ... View more

Hello, Any one have any luck with extracting jason format data for sourcetype foraws:sqs:securityhub. Currently that sorcetype not extracting properly . Any help will be appreciated .. ... View more

Hello, following ES CS was triggering lot of notable events "Geographically Improbable Access Detected " did any one had luck to tune this and whit listed unwanted stuff. Please share your experience to fix this one. any alternative search we can use ? let me know your thoughts . TIA ... View more

Hello Splunkers. I have following sample data with more then 1000 ids .. so what im looking is when radio status down i want include near radio id information also in my alert search radioid=101 radiostatus=down region=Europe radioid=102 radiostatus=up region=Europe radioid=103 radiostatus=down region=Europe radioid=104 radiostatus=down region=America For example if radioid 103 was down then i need status of radio id 102 as well 104 status like near range radio id status info also i want to add in search . ... View more

Hello Looking for some help for Geo stats command. I have following fields showing splunk index time - name,host,State,region_id,longitude,latitude,info,geo,status (up/down value) I need help to construct search query like with geostats showing maps. Like host status down(RED)/up (Blue) with pie chart with info showing in maps. All im trying to do is use Geostats command to show my fields info in maps. some thing like below. index=test status="*" | dedup host | iplocation host| geostats latfield=latitude longfield=longitude count by status | eval redCount = if(status=Down, Down, 0) | eval greenCount = if(status=UP, TOTAL,0) | fields - TOTAL ... View more

Hello Splunkers, I have inputlooku test.csv and containing fields host region I have indexed data under test index containing fields host location status area DC So what i need take input from look up table field host and search with in indexed data for status . I was trying below one but not sure this is correct . index=test  status="Down"  [| inputlookup test.csv | fields host] | dedup host | table host status DC any thing is fine either before filter or after filter goal is to just show the results for host which are in my list. ... View more

Hello Splunkers, I have following uniq fields in search results radioid, radiostatus, region I need to write alerts to like this Action: 1.) If only one radio status changed to “down” within the same geographic area. Open Ticket with severity “Major” and proceed with Troubleshooting. 2.) If two or more radio status changed to “down” within the same geographic area. Open Ticket with severity “Critical” and proceed with Troubleshooting. any help will be much appreciated . ... View more

Hello Splunkers we have splunk managed cloud ES and i have enabled all correlation searches as per doc the way we do on Prem ES. Nothing showing ES posture dashboards and notable events are empty no data under notable index we mapped data models and we validated data with data model fields every thing is there but ES and notable index is empty BW this is splunk managed cloud product ... View more