Hi, depending on specific field values I would like to perform different actions per event in one search string with the map command. I will try to create a simple example: 1. If there is an event that includes field=value_1, I would like to remove rows from a lookup that have field=value_1 2. If there is an event that includes field=value_2, I would like to add a row to another lookup. Here is how I create my sample data: | makeresults format=csv data="field value_1 value_2" | eval spl=case(field="value_1","| inputlookup test.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv", field="value_2", "| makeresults | eval field=\""+$field$+"\" | outputlookup test_2.csv") The easiest way I thought of was adding | map search="$spl$" But Splunk seems to put quotes around the value. Avoiding that with the approach described here (https://community.splunk.com/t5/Installation/How-do-you-interpret-string-variable-as-SPL-in-Map-function/m-p/385353) does not work, because I can not use the search command this way. Do you have ideas how to achieve my goal? ... View more

Hi, I want to prevent alerts from being skipped and I'm fine, that the alerts don't run at a specific time. I prefer to be notified with a delay than not at all.  One option is to set a schedule window. First of all, I'm wondering why the Alert Editing does not offer this option like reports do. I have to navigate to the Advanced Edit Mode to configure the schedule window. When it is configured, we allow the scheduler to delay the dispatch time. But at some point the search will be skipped anyway. Another option is to use the scheduling mode "continuous".  As far as I understand it, an alert with mode "continuous" is never skipped, which sounds reasonable to have a security monitoring without gaps.  I assume the scheduler will try to run the search as soon as possible. Is the continuous mode a best practice to avoid gaps or are there valid reasons not to use it? If the mode is used it might be a good idea to observe the scheduler lag more closely to determine "how late" alerts run and if the scheduler is building a huge backlog of delayed searches. I don't know how the scheduling_mode interacts with the schedule window. Does the schedule window have any effect, when the mode is "continuous"? ... View more

Hi, I'm testing the Security Essentials app with just onboarding Linux logs. Nevertheless the Content Overview shows "available content" for multiple sources, e.g. Windows. Within the dashboard Security Content windows content is listed as well, when I select data availability "good". When I open such a windows detection rule, the status under perequisites is red (as expected). Why is so much content marked as available without data? Cheers 🙂 ... View more

Hi, I'm using the rest command to get a list of all knowledge objects: | rest /servicesNS/-/-/directory Is there an endpoint to add the info whether it is stored in local/default/both? ... View more