Hi team I have been working on assigning a custom urgency level to all notables triggered through our correlation searches using  (ES). Specifically, I aimed to set the severity to "high" by adding eval severity=high in each relevant search. However, despite implementing this change, some of the notables are still being categorized as "medium."   Could you please assist with identifying what might be causing this discrepancy and suggest any additional steps required to ensure all triggered notables reflect the intended high urgency level?   Thank you for your assistance ... View more

i have a sample xml which looks like this   script_family>Amazon Linux Local Security Checks</script_family> <filename>al2023_ALAS2023-2025-816.nasl</filename> <script_version>1.1</script_version> <script_name>Amazon Linux 2023 : runfinch-finch (ALAS2023-2025-816)</script_name> <script_copyright>This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.</script_copyright> <script_id>214620</script_id> <cves> <cve>CVE-2024-45338</cve> <cve>CVE-2024-51744</cve> </cves> <bids> </bids> <xrefs> </xrefs> <preferences> </preferences> <dependencies> <dependency>ssh_get_info.nasl</dependency> </dependencies> <required_keys> <required_key>Host/local_checks_enabled</required_key> <required_key>Host/AmazonLinux/release</required_key> <required_key>Host/AmazonLinux/rpm-list</required_key> </required_keys> <excluded_keys> </excluded_keys> <required_ports> </required_ports> <required_udp_ports> </required_udp_ports> <attributes> <attribute> <name>exploitability_ease</name> <value>No known exploits are available</value> </attribute> <attribute> <name>cvss3_temporal_vector</name> <value>CVSS:3.0/E:U/RL:O/RC:C</value> </attribute> <attribute> <name>vuln_publication_date</name> <value>2024/11/04</value> </attribute> <attribute> <name>cpe</name> <value>p-cpe:/a:amazon:linux:runfinch-finch cpe:/o:amazon:linux:2023</value> </attribute> <attribute> <name>cvss3_vector</name> <value>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N</value> </attribute i want to extract few fields from search using spath or similar methods field value payer should look somthing like key                                                               value exploitability_ease                             No known exploits are available cvss3_temporal_vector                  CVSS:3.0/E:U/RL:O/RC:C solution                                                    Run 'dnf update runfinch-finch --releasever 2023.6.20250123' to update        i tried something similar to this but no luck | spath input=_raw path="attributes.attribute[*].name" output=name | spath input=_raw path="attributes.attribute[*].value" output=value | table name value ... View more

Hi    trying to build a dashboard for user gateaccess, How to visualise this in a live data.   I am looking for some inbuilt visuaisations that helps for this, something like a missilemap but for user moving from one gate to other ... View more

We have two separate splunk instances with ES (standalone not clustered) . Consider it as a HO DR   when i try to move to DR instance of splunk and copy /etc/apps , After restarting DR instance all the notables are in new status . Those notables which are closed in HO splunk is also showing as new. What could be the reason?   I do know that this is managed as a kv store. If we have to migrate KV store related to this. What are the best practises in this case     ... View more

  I have logs indexed like this. How to break entries based on each lines . i need each line as a seperate entry.   I tried to do this via line breaker but didnt succeed. Any method to do it via search after indexing   ... View more

Hi Splunkers The idea is to pull any new file creations on a particular folder inside C:\users\<username>\appdata\local\somefolder i wrote a batch script to pull and index this data. its working but the issue is i cannot define a token for users. eg: In script if i mention the path as C:\users\<user1>\appdata\local the batch script will run as expected an data will be indexed to splunk but if i mention the user1 as %userprofile% or %localappdata% the batch script is not running. How to resolve this     ... View more

Hi  Is it possible to restore archive data from one single host consider we have an index=windows ,we want to restore archive data only for one host ie;index=windows host=xxx . Is it possible someway?   Thanks in advance ... View more

Hi    I have a lookup which looks like this no  name     student     rollno 1      john           yes           12 2       George     no             2345 3      jin                yes          111   How can i iterate through this lookup by the 'no' field and display each entry as a result . I only need one result at a time so when i first run the search the result should be no  name     student     rollno 1      john           yes           12   When i run the same search after a minute the result should be   no  name     student     rollno 2       George     no             2345     Please help ... View more

Hi Team I want to collect source ip from an alert triggered /search ran and then add that to a .txt file exposed on a separate server.(https://urlofserver/ipfile.txt)   What is the best way to achieve this   ... View more

Hi I have an extracted field from regex, ie Time_extract which gives hour. Now I want to get the logs between a period of time, ie time_extract>=10 AND time_extract<23 ..how to go about that? Current search: Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23 ... View more

Hi Team My Splunk Enterprise Security Incident Review is not loading...It just shows "loading" for a long time. I created a notable event and also tried copying the same code to create a separate incident review button, but no luck...please help Thanks in advance ... View more