Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kausar
kausar
Path Finder
Member since:
06-06-2016
06-05-2020
Community Statistics
| Posts | 28 |
| Solutions | 1 |
| Karma Given | 7 |
| Karma Received | 4 |
| Member Since | 06-06-2016 |
Activity Feed
- Karma Re: Why am I getting a "404 Not Found Page not found!" error when an app is invisible? for rphillips_splk. 06-05-2020 12:48 AM
- Karma Re: Can I do string search inside case() func? for lguinn2. 06-05-2020 12:48 AM
- Got Karma for How to remove custom correlation searches in Splunk Enterprise Security?. 06-05-2020 12:48 AM
- Got Karma for How to remove custom correlation searches in Splunk Enterprise Security?. 06-05-2020 12:48 AM
- Karma Dump Command - How to Save Files on Remote Path and Question About maxlocal for steverimar. 06-05-2020 12:47 AM
- Karma Re: Why is my configuration for index-time field extractions of CSV data not working? for martin_mueller. 06-05-2020 12:47 AM
- Got Karma for Re: Dump Command - How to Save Files on Remote Path and Question About maxlocal. 06-05-2020 12:47 AM
- Got Karma for Re: How to display dashboard panels dynamically?. 06-05-2020 12:47 AM
- Karma Re: Query to retrieve Saved Search String for Ayn. 06-05-2020 12:46 AM
- Karma Re: Query to retrieve Saved Search String for rmorlen. 06-05-2020 12:46 AM
- Karma Re: Sendemail to recipient from a field for rthakalapally1. 06-05-2020 12:46 AM
- Posted Re: Do field extraction that involves more than just a regex on Splunk Enterprise. 06-07-2017 12:58 PM
- Posted Re: Do field extraction that involves more than just a regex on Splunk Enterprise. 05-30-2017 01:18 PM
- Posted Re: Do field extraction that involves more than just a regex on Splunk Enterprise. 05-30-2017 12:37 PM
- Posted Re: Do field extraction that involves more than just a regex on Splunk Enterprise. 05-30-2017 11:53 AM
- Posted Do field extraction that involves more than just a regex on Splunk Enterprise. 05-30-2017 11:36 AM
- Posted threat_intelligence_manager as input in the inputs.conf file on Getting Data In. 04-07-2017 08:35 PM
- Tagged threat_intelligence_manager as input in the inputs.conf file on Getting Data In. 04-07-2017 08:35 PM
- Posted Re: Any way to notify users when their scheduled searches fail? on Alerting. 02-23-2017 03:57 PM
- Posted Any way to notify users when their scheduled searches fail? on Alerting. 02-23-2017 11:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 |
06-07-2017
12:58 PM
@lguinn
The "value" is just a string that I want the field 'newfield' to have finally. Of course this is based on query unlike a rex field extraction and therefore I am trying to figure out how to do..
... View more
05-30-2017
01:18 PM
I think rex wouldn't work either cause this one involves transaction command.
... View more
05-30-2017
12:37 PM
Is it safe to assume that you mean there is no way I can do field extraction for this specific case? Any work around?
... View more
05-30-2017
11:53 AM
@rphillips
Yes the data exist in the raw event. Sample spl:
index=myindex sourcetype=mysourcetype "keyword1" OR "keyword2" | transaction field1 field2 maxpause=2s | search "keyword1" keyword2" | eval newfield="value"
(Doing two time keyword search to filter out before transaction for efficiency and after transaction for finally extracting those two events only,
event 1 has keyword1
event 2 has keyword2)
The desired output is creating that newfield, that would have been easier if it just involved one event and I could use regex.
... View more
05-30-2017
11:36 AM
I want to do a field extraction but its not a simple regex that can do it, instead the query has | search , | transaction and | eval commands . With this query in hand, looks like I can't use 'field extractions', 'calculated fields' or 'field transformations'. What is the best way to tackle?
... View more
- Tags:
- splunk-enterprise
04-07-2017
08:35 PM
I see the following stanza in my SplunkEnterpriseSecurity app's inputs.conf file. (added by splunk professional)
[threat_intelligence_manager://]
...
What is that and where is it coming from? I can't find any details on any this input in the inputsconf documentation. https://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Inputsconf. Where would I find stuffs to read further about it?
... View more
- Tags:
- splunk-enterprise
02-23-2017
03:57 PM
Thanks but I want to put a monitoring in place and this would again be set as a scheduled search. Scheduling a search to detect failed scheduled searches is not a good idea... hoping to see it as an option during scheduled search configuration that when checked notify users if it fails to run. Would that be a feature request?
... View more
02-23-2017
11:06 AM
Is there a way to send the users (and admin too) email notification when their scheduled searches fail e.g. due to quota issue? Error - "Search not executed: Your maximum number of concurrent searches has been reached."
... View more
12-22-2016
03:43 PM
I have multiple queries for same index and therefore trying to avoid subsearches. Looking for right syntax, trying to do something like:
index=abc sourcetype=xyz | eval w=case("keyword1", "k1", "keyword2" OR "keyword3", "k23", "keyword3" AND "keyword4", "k34")
OR
index=abc sourcetype=xyz | eval w=case(_raw == "*keyword1*", "k1", _raw==("*keyword2*" OR "keyword3"), "k23", _raw=="*keyword3*" AND "*keyword4*", "k34")
Though, I can use multiple subsearches and append the results but it doesn't seem to be very efficient.
... View more
11-23-2016
01:16 PM
If an event is expanded in Splunk, there is button 'Event Actions'. Its good and handy if I want to apply it on a single event but cases where I have a bunch of events, how to apply it simultaneously on all of them?
... View more
11-17-2016
12:18 PM
I am looking for advices on how to plan the backup and storage of "My Investigations" data in the Splunk Enterprise Security (ES).
Two questions regarding this:
1- How to configure and manage the disk space and retention of data in KV store?
2- For the items we save in "My Investigations" inside the Splunk ES app such as notes, action history, raw_events, notable events etc. Do they all get saved in the kvstore and all I need to worry is to save the kv store OR for events, does it depend on the retention period of the original index and sourcetype?
Thanks!
... View more
11-09-2016
12:03 PM
I don't see deleted saved searches when run the query,
| rest /servicesNS/-/-/saved/searches | search title="*correlation rule*" | table title, search
OR used btool,
./splunk cmd btool --debug savedsearches list | grep -i "correlation rule"
But I do see them in index=_audit .
Filed a ticket as suggested. Thanks!
... View more
11-08-2016
06:56 PM
Hi David,
Thanks your reply. This is not something I tried today or yesterday, it has been at least a week since I suppressed all the notables, cleaned/removed the rules from the savedsearches.conf and correlationsearches.conf files and restarted splunk many time after that.
It is very weird that these notables are still being generated (I search for past 24 hours everyday).
I noticed that this is the issue with custom correlation rules of which some were RT but mostly scheduled.
... View more
11-07-2016
01:08 PM
2 Karma
I've been trying to remove some custom correlation searches, but they are still generating notables. So far I've tried:
disabling them in savedsearches.conf, but didn't work
removing them from the savedsearches.conf and correlationsearches.conf files, still didn't help
What am I missing? I see the names of these correlation rules in ./SA-ThreatIntelligence/lookups/correlationsearchmeta.csv and ./SA-ThreatIntelligence/local/eventtypes.conf files, any idea what they are for and should I delete the entries from here as well? Thanks
... View more
10-25-2016
09:09 AM
If nothing is set, does this mean that it is unlimited or is there any default max age?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
