Activity Feed
- Karma Re: Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event? for haley_swarnapat. 06-05-2020 12:48 AM
- Karma Re: I want to use "$result." in my alert messages, but it doesn't work. for davidpaper. 06-05-2020 12:47 AM
- Posted Re: How to throttle Scheduled Alerts from spamming my inbox by just receiving one email related to all matching events? on Alerting. 12-15-2016 08:46 AM
- Posted Re: How to throttle Scheduled Alerts from spamming my inbox by just receiving one email related to all matching events? on Alerting. 12-15-2016 07:14 AM
- Posted How to throttle Scheduled Alerts from spamming my inbox by just receiving one email related to all matching events? on Alerting. 12-15-2016 06:40 AM
- Tagged How to throttle Scheduled Alerts from spamming my inbox by just receiving one email related to all matching events? on Alerting. 12-15-2016 06:40 AM
- Posted Re: How do I close 'My Investigations' after I am done with notable events? on Knowledge Management. 09-20-2016 09:52 AM
- Posted How do I close 'My Investigations' after I am done with notable events? on Knowledge Management. 09-20-2016 07:36 AM
- Tagged How do I close 'My Investigations' after I am done with notable events? on Knowledge Management. 09-20-2016 07:36 AM
- Posted Re: Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event? on Splunk Enterprise Security. 09-16-2016 05:37 AM
- Posted Re: Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event? on Splunk Enterprise Security. 09-15-2016 06:35 AM
- Posted Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event? on Splunk Enterprise Security. 09-14-2016 10:27 AM
- Tagged Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event? on Splunk Enterprise Security. 09-14-2016 10:27 AM
12-15-2016
07:14 AM
Thanks someoni2. Let me try that and get back to you for credit ^_^
12-15-2016
06:40 AM
Hello, I've searched around and haven't found an answer on Splunk Answers, so maybe someone can help answer or give me a link with the answer. Thanks
Scenario: I've scheduled an alert to report on web-based attacks to a specific website (it's a temp fix until we can get it moved behind F5). The cron is set to run every 24 hrs at 8 am. My trigger is set to 'for each result' because I want the alerts separated when they fire. Triggering is suppressed for 24 hrs to prevent alerting on event values with identical fields. Trigger action is set to email.
Challenge: Inbox overflowing with individual alerts. Rather than receive an individual email for each result within the last 24 hr period, I'd like to receive one email with all of those matching events related to the one alert at 8 am. To be very clear, I want all of the alerts that come in (currently almost 200 a day) to be in one email. I don't want 200 individual emails.
Thanks in advance!
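The setting that decides between 200 emails and one is the alert's trigger mode, not the throttle. Below is an added example of the two savedsearches.conf stanzas side by side; it is not the poster's configuration or a reply from the thread. The stanza names, index, sourcetype, URI, threshold and recipient address are placeholders, and the Splunk 6.4-era keys shown are the ones the UI writes for "Trigger: For each result" versus "Trigger: Once".

```ini
# Added example, not from the original thread. Stanza names, index,
# sourcetype, URI pattern, threshold and recipient are placeholders.

# BEFORE: alert.digest_mode = 0 is the "For each result" trigger. Every row
# the search returns fires its own email action, so a run with ~200 matches
# sends ~200 emails. Per-field throttling only applies in this mode.
[Web attacks - per result]
enableSched = 1
cron_schedule = 0 8 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = index=web sourcetype=access_combined uri="/legacy-app/*" status>=400 \
| stats count by src dest uri
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.period = 24h
alert.suppress.fields = src,dest,uri
action.email = 1
action.email.to = soc@example.com
action.email.inline = 1
action.email.sendresults = 1

# AFTER: alert.digest_mode = 1 is the "Once" trigger. The email action runs
# a single time against the whole result set, so the 8 am run delivers one
# message with every matching row rendered as a table in the body.
[Web attacks - digest]
enableSched = 1
cron_schedule = 0 8 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = index=web sourcetype=access_combined uri="/legacy-app/*" status>=400 \
| stats count by src dest uri
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
# Throttle is optional here: in digest mode it suppresses the whole alert
# for the period (alert.suppress.fields is ignored), and a 24h throttle on a
# daily schedule risks swallowing the next day's run if it lands inside the
# window. The search already reads only the last 24 hours.
alert.suppress = 0
action.email = 1
action.email.to = soc@example.com
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table
```

The `stats count by src dest uri` line is what keeps the digest readable: it collapses repeated hits into one row per source/target/URI with a count, so the single email summarises the day rather than listing every raw request. The backslash at line end is Splunk's conf-file continuation for multi-line searches.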
09-20-2016
09:52 AM
It sounds like this may be an area for feedback and improvement. Thank you Sarah, you've confirmed our suspicions and concerns.
^_^
09-20-2016
07:36 AM
I can see where we can create 'New Investigations', track or manage current investigations, and delete, edit or remove existing investigations, but nothing to close the investigation. When you actually go into one of your investigations there is additionally a button to 'Create New Entry' that drops down to create a 'Note' or view 'Action History' (all cool features btw), but nothing to say, "OK, this event or this investigation is resolved or closed".
Splunk Version 6.4.1.2
App: ES Version 4.2.0
Thanks!
- Tags:
- splunk-enterprise
09-16-2016
05:37 AM
I think we can work with this, thank you very much. Now all we'll have to do is figure out exactly how we can use it to accomplish our goals.
Thanks again guys appreciate your help!
09-15-2016
06:35 AM
Yeah that'd be great, can someone take a look at this? Anything with the notable event for the new version of ES (and we're currently using Splunk 6.4.1.2 and ES version 4.2.0).
09-14-2016
10:27 AM
If this has already been covered, please provide a link, but I haven't seen anything. My organization uses Splunk Cloud and we have Enterprise Security installed. Does anyone know if there is a way to configure a search to identify when a notable event has already been created? As we identify things of interest or things that we'd like to pursue on a day-to-day basis in our logs, we'd like to prevent multiple investigations of the same targets, and would like to configure a search to include or exclude those events.
Thanks!
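One way to do the exclusion the question asks for is to subtract, inside the search itself, any target that already has a notable event. The stanza below is an added example, not the poster's search or an answer from the thread. It assumes the Enterprise Security `notable` macro (which reads the notable index and adds the `status_label` field) and that the relevant correlation searches record the target in `dest`; the stanza name, index, sourcetype, threshold and lookback are placeholders.

```ini
# Added example, not from the original thread. Assumes the ES `notable`
# macro and a dest field on notable events; everything else is a placeholder.
[Web attacks - new targets only]
enableSched = 1
cron_schedule = 0 8 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Candidate findings from the last day, minus any dest that already has a
# notable event from the last 30 days that is not closed. The subsearch
# returns ( dest="a" ) OR ( dest="b" ) ..., and NOT negates that as a whole.
# "NOT status_label=Closed" (rather than status_label!=Closed) keeps notable
# events that lack the field, so a missing field fails safe toward exclusion.
search = index=web sourcetype=access_combined status>=400 \
| stats count by src dest \
| where count > 50 \
| search NOT [ search `notable` earliest=-30d NOT status_label="Closed" | dedup dest | fields dest ]
```

To get the opposite view (only things that already have a notable, for example to enrich an existing investigation rather than open a new one) drop the `NOT` in front of the subsearch. The subsearch is subject to the default limits of 10,000 results and 60 seconds; on an ES deployment with a large notable index, write the known targets to a lookup on a schedule and exclude with `inputlookup` instead.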