Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About peterschloenske
peterschloenske
Explorer
Member since:
01-10-2019
09-20-2024
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 01-10-2019 |
Activity Feed
- Posted Schedule window vs scheduling mode on Other Usage. 08-18-2023 02:17 AM
- Tagged Schedule window vs scheduling mode on Other Usage. 08-18-2023 02:17 AM
- Tagged Schedule window vs scheduling mode on Other Usage. 08-18-2023 02:17 AM
- Tagged Schedule window vs scheduling mode on Other Usage. 08-18-2023 02:17 AM
- Posted Security Essentials - Available Windows content although Windows logs are not onboarded? on Splunk Enterprise. 11-04-2021 07:15 AM
- Tagged Security Essentials - Available Windows content although Windows logs are not onboarded? on Splunk Enterprise. 11-04-2021 07:15 AM
- Tagged Security Essentials - Available Windows content although Windows logs are not onboarded? on Splunk Enterprise. 11-04-2021 07:15 AM
- Posted Re: Alert Manager App - How to create a incident per result (row) on Alerting. 03-08-2021 04:10 AM
- Posted Alert Manager App - How to create a incident per result (row) on Alerting. 03-07-2021 04:01 AM
- Tagged Alert Manager App - How to create a incident per result (row) on Alerting. 03-07-2021 04:01 AM
- Tagged Alert Manager App - How to create a incident per result (row) on Alerting. 03-07-2021 04:01 AM
- Tagged Alert Manager App - How to create a incident per result (row) on Alerting. 03-07-2021 04:01 AM
- Karma Re: How to extract unusual time information? for PavelP. 06-05-2020 12:51 AM
- Karma Re: How to list all lookup files from an app? for pradeepkumarg. 06-05-2020 12:49 AM
- Posted How to find out whether objects are stored in local/default by | rest ? on Getting Data In. 05-28-2020 03:27 AM
- Tagged How to find out whether objects are stored in local/default by | rest ? on Getting Data In. 05-28-2020 03:27 AM
- Tagged How to find out whether objects are stored in local/default by | rest ? on Getting Data In. 05-28-2020 03:27 AM
- Tagged How to find out whether objects are stored in local/default by | rest ? on Getting Data In. 05-28-2020 03:27 AM
- Posted Re: SAI - Windows entity does not show up on All Apps and Add-ons. 05-07-2020 04:50 AM
- Posted Re: SAI - Windows entity does not show up on All Apps and Add-ons. 05-07-2020 04:42 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-18-2023
02:17 AM
Hi, I want to prevent alerts from being skipped and I'm fine, that the alerts don't run at a specific time. I prefer to be notified with a delay than not at all. One option is to set a schedule window. First of all, I'm wondering why the Alert Editing does not offer this option like reports do. I have to navigate to the Advanced Edit Mode to configure the schedule window. When it is configured, we allow the scheduler to delay the dispatch time. But at some point the search will be skipped anyway. Another option is to use the scheduling mode "continuous". As far as I understand it, an alert with mode "continuous" is never skipped, which sounds reasonable to have a security monitoring without gaps. I assume the scheduler will try to run the search as soon as possible. Is the continuous mode a best practice to avoid gaps or are there valid reasons not to use it? If the mode is used it might be a good idea to observe the scheduler lag more closely to determine "how late" alerts run and if the scheduler is building a huge backlog of delayed searches. I don't know how the scheduling_mode interacts with the schedule window. Does the schedule window have any effect, when the mode is "continuous"?
... View more
11-04-2021
07:15 AM
Hi, I'm testing the Security Essentials app with just onboarding Linux logs. Nevertheless the Content Overview shows "available content" for multiple sources, e.g. Windows. Within the dashboard Security Content windows content is listed as well, when I select data availability "good". When I open such a windows detection rule, the status under perequisites is red (as expected). Why is so much content marked as available without data? Cheers 🙂
... View more
Labels
- Labels:
-
using Splunk Enterprise
03-08-2021
04:10 AM
I did not recognize that I saved it as report instead as an alert. As an alert, I can set "trigger for each result" to get it work
... View more
03-07-2021
04:01 AM
Hi, I'm trying to create an incident within the Alert Manager App per result row of the generating search. Let's say I have a search "Failed transactions by host". The result table looks like this: _time host failed_transactions 2021-03-07 12:55:01 host_a 100 2021-03-07 12:55:01 host_b 200 It is easy to create an incident for "failed transactions" in general. But I would like to create incidents per host, that can be tracked individually. I tried to achieve it by using $result.host$ as the title, but this did not work. Does anyone know whether this is possible?
... View more
Labels
- Labels:
-
alert action
05-28-2020
03:27 AM
Hi,
I'm using the rest command to get a list of all knowledge objects:
| rest /servicesNS/-/-/directory
Is there an endpoint to add the info whether it is stored in local/default/both?
... View more
05-07-2020
04:50 AM
The os:: is set in the inputs.conf, I did not change anything after using the install script.
... View more
05-07-2020
04:42 AM
Processor.* are not disabled in the inputs.conf
Maybe something needs to be configured in Windows.
... View more
04-21-2020
10:54 PM
There are only Process.* metrics available so far.
The latest timestamp with data for this host is 1min ago.
I have SAI 2.0.3 in use.
Sidenote:
In another environment the similar problem occured and here the increase of "monitoring_calculation_window" did the trick. Could you explain what is exactly done with this value?
... View more
04-21-2020
01:14 AM
Unfortunately this did not help. I'm still receiving metrics for both hosts, but only the linux host appears in | inputlookup em_entities.
... View more
04-19-2020
05:28 AM
Hi,
in the App for Infrastructure this search returns results for 1x Linux and 1x Windows host. So I assume data is coming in as expected:
| mstats latest(_value) WHERE index=em_metrics metric_name=* BY host, entity_type
However, the windows host does not show up as entity in the investigate tab while the linux host does.
And it is missing here as well:
| inputlookup em_entities
Anyone has an idea what could be wrong here?
Cheers
... View more
02-03-2020
09:47 AM
Hello,
I have events without a timestamp like epochtime or a format like 2020-02-03 18:41:00.
The needed information is kind of split up in the raw event. Raw events look like this sample:
sometext, date,20200203, some text, some text, time,184100, some text
Is it possible to create a useful timestamp extraction of out this during the data onboarding?
Best regards
... View more
09-10-2019
10:39 PM
Hi,
I am wondering when my search artifacts/shown results will be deleted.
Default ttl for ad-hoc searches is 10min. I would expect the results of my opened & completed search to disappear after this time. Currently they don't and the expiration time is updated every time I refresh the jobs manager.
Cheers
... View more
- Tags:
- splunk-enterprise
- ttl
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-20-2024
11:59 AM
|
