Hey Guys,
Could anyone suggest a query for the scenario below?
I need a Splunk query to show the list of enabled use cases in the Enterprise Security App along with the last triggered time of each use case.
To check the enabled use cases I'm using the query below.
| rest splunk_server=local count=0 /services/saved/searches
| search disabled=0 AND ( action.risk=1 OR action.notable=1 ) | table title
Along with this, I need the last triggered time of the use case in the same table.
Is it possible? If yes, kindly help me by posting the query.
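One way to extend the poster's REST query with a last-triggered column, added here as an example and not part of the original post. It assumes the ES defaults that notable and risk events are written by summary indexing with `source` set to the correlation search name, and it assumes a 90-day lookback window; both are adjustable.

```spl
| rest splunk_server=local count=0 /services/saved/searches
| search disabled=0 AND ( action.risk=1 OR action.notable=1 )
| fields title
| join type=left title
    [ search (index=notable OR index=risk) earliest=-90d@d
      | stats max(_time) AS last_triggered BY source
      | rename source AS title ]
| eval last_triggered=if(isnull(last_triggered),
      "not triggered in window",
      strftime(last_triggered, "%Y-%m-%d %H:%M:%S"))
| table title last_triggered
```

The left join keeps use cases that never produced a notable or risk event in the window, so they are visible as "not triggered in window" rather than silently dropped; keep in mind the default subsearch row and time limits on `join` if the environment has very many events.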