Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About shravankumarkus
shravankumarkus
New Member
Member since:
05-26-2019
06-05-2020
Community Statistics
| Posts | 18 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 05-26-2019 |
Activity Feed
- Posted Re: how to write search query to get notable events based on last modified time for a correlation rule? on Splunk Enterprise Security. 08-02-2019 12:02 AM
- Posted Re: how to write search query to get notable events based on last modified time for a correlation rule? on Splunk Enterprise Security. 08-01-2019 11:50 PM
- Posted Re: how to write search query to get notable events based on last modified time for a correlation rule? on Splunk Enterprise Security. 08-01-2019 11:03 PM
- Posted how to write search query to get notable events based on last modified time for a correlation rule? on Splunk Enterprise Security. 08-01-2019 12:30 AM
- Tagged how to write search query to get notable events based on last modified time for a correlation rule? on Splunk Enterprise Security. 08-01-2019 12:30 AM
- Tagged how to write search query to get notable events based on last modified time for a correlation rule? on Splunk Enterprise Security. 08-01-2019 12:30 AM
- Tagged how to write search query to get notable events based on last modified time for a correlation rule? on Splunk Enterprise Security. 08-01-2019 12:30 AM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 10:26 PM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 10:13 PM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 10:12 PM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 10:06 PM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 05:34 AM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 05:32 AM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 05:25 AM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 05:25 AM
- Posted Re: How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 05:24 AM
- Posted How to get all fields of event with 'sid' via REST endpoint ? on Splunk Search. 06-06-2019 05:20 AM
- Tagged How to get all fields of event with 'sid' via REST endpoint ? on Splunk Search. 06-06-2019 05:20 AM
- Posted How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 03:20 AM
- Tagged How to create Search via REST api in verbose mode ? on Getting Data In. 06-06-2019 03:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-02-2019
12:02 AM
basically all fields from notable index, fields *
yes i will calculate last modified from code, so it would be kind of hardcoded in search query
basically i'm firing a REST query from our code
... View more
08-01-2019
11:50 PM
thanks 🙂
i would need all fields from notable index for a notable event and having ( last modified timestamp greater than some configurable time ), basically i have to pass configurable time
... View more
08-01-2019
11:03 PM
Thanks @jawaharas
can you please give me a query using incident_review macro to get based on last modified timestamp and to get all the fields of notable event? I'm very new to this and it's difficult for me to understand the expansion
basically i have to get notable events modified for a correlation rule
... View more
08-01-2019
12:30 AM
How do we write search query to get notable events based on last modified time for a correlation rule ?
I want to see notable events based on modifications to the notable event like status update, comment, priority change etc.
Is there a way to get notable events based on modified time instead of earliest and latest times and i would need all fields from notable index?
i found review_time field get updated when we change some field via incident review tab in Splunk ES ?
how do we we write query to get review_time > some epoch time
<field k='review_time'>
<value>
<text>1564640460.15607</text>
</value>
<value>
<text>1564638955.786255</text>
</value>
<value>
<text>1564638489.151153</text>
</value>
</field>
... View more
06-06-2019
10:26 PM
thanks a lot
... View more
06-06-2019
10:13 PM
thanks, that solves my problem
... View more
06-06-2019
10:12 PM
thanks @jkat54
I'm using this for splunk enterprise security, can you please point out the cases where search can fail,
how can we change the app context to get the results everytime
any suggestions on which endpoint for search to use with proper app context so that search won't fail ?
... View more
06-06-2019
10:06 PM
thanks that works
... View more
06-06-2019
05:34 AM
two ways i'm firing query
method 1:
/services/search/jobs/?output_mode=json
request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
exec_mode=oneshot
method 2:
/services/search/jobs/export?output_mode=json
request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
both endpoints are not returning all fields of notable event but its working if i get first and then get the events with ?
i don't want to fire another query with sid if i can get in one API request
... View more
06-06-2019
05:32 AM
two ways i'm firing query
method 1:
/services/search/jobs/?output_mode=json
request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
exec_mode=oneshot
method 2:
/services/search/jobs/export?output_mode=json
request params:
search= search notable
earliest_time=-hr
latest_time=now
adhoc_search_level=verbose
both endpoints are not returning all fields of notable event but its working if i get first and then get the events with ?
i don't want to fire another query with sid if i can get in one API request
... View more
06-06-2019
05:25 AM
thanks for the response
adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint to directly get the results instead of getting and then firing one more request to /search/job/sid/events
i want to directly get results with exec_mode=oneshot or /export endpoint
will adhoc_search_level work with above two cases
... View more
06-06-2019
05:25 AM
thanks for the response
adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint to directly get the results instead of getting and then firing one more request to /search/job/sid/events
i want to directly get results with exec_mode=oneshot or /export endpoint
will adhoc_search_level work with above two cases
... View more
06-06-2019
05:24 AM
Hi guys,
thanks for the response
adhoc_search_level is not working if i use exec_mode=oneshot or if i use search/jobs/export endpoint with POST to directly get the results instead of getting and then firing one more request to /search/job/sid/events
i want to directly get results with via exec_mode=oneshot or /export endpoint
will adhoc_search_level work with above two cases
... View more
06-06-2019
05:20 AM
/servicesNS/nobody/search/search/jobs/ sid /results -- this endpoint is not giving all fields of events for the searchid and even in dashboard when i view results of triggered alert its returning the results in 'fast mode', so some fields are missing.
how to get all field of eventss via REST api with <sid> ?
... View more
- Tags:
- splunk-enterprise
06-06-2019
03:20 AM
I'm firing search query via REST api to get notable events, but the search is not returning all fields available in the event , I see It is running in fast mode.
How to change the search mode when invoking search via REST api
... View more
05-27-2019
09:40 PM
thanks for the response
i guess you are saying to rerun the search with same time range that the original correlation search ran
there is a field 'drilldown_search' which has the search criteria, can it be used ?
<field k='drilldown_search'>
<value>
<text>| from datamodel:"Threat_Intelligence"."Threat_Activity" | search threat_match_field="$threat_match_field$" threat_match_value="$threat_match_value$"</text>
</value>
</field>
orig_sid field is below
<field k='orig_sid'>
<value>
<text>scheduler__admin_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD5ae7062088f029cdf_at_1558764000_9257</text>
</value>
</field>
... View more
05-27-2019
09:29 PM
thanks for the response
but drilldown search field has many escaped characters and it also has some values to be substituted like $threat_match_field$ , $threat_match_value$
<field k='drilldown_search'>
<value>
<text>| from datamodel:"Threat_Intelligence"."Threat_Activity" | search threat_match_field="$threat_match_field$" threat_match_value="$threat_match_value$"</text>
</value>
</field>
... View more
05-26-2019
11:01 PM
I want get contributing events for a particular notable event programatically.
Is there anyway that we can get from any splunk endpoint ?
i thought of a way by using drilldown search field in notable event and firing a search query ?
i see a field 'orig_sid' in notable event, any way that we can use this field and get
Any other ways that we can get contributing events for a notable event programatically ?
Any suggestions would really help me
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
