Since it seems to me that this isn't currently available I have created an idea on Splunk Ideas. I would appreciate it if you could give it your votes: https://ideas.splunk.com/ideas/ESSID-I-256 ... View more

INDEXED_EXTRACTIONS = CSV is not supported by modular inputs according to https://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata Input types that the indexed field extraction feature supports This feature works with the following input types: File-based inputs only (such as monitoring files, directories, or archives.) Inputs that use the   oneshot   input type (or through the "Upload" feature in Splunk Web.) It does not work with modular inputs, network inputs, or any other type of input.   You should instead use delimited field extractions to achieve the same result. See:  https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Knowledge/FXSelectMethodstep https://www.splunk.com/en_us/blog/tips-and-tricks/quick-n-dirty-delimited-data-sourcetypes-and-you.html     ... View more

Hi, As the enrichment you want to do is based on very ephemeral data, you may want to do this at Ingest Time instead of at Search Time. Splunk 8.1 introduced a feature called Ingest-Time Lookups. The idea is to do a lookup based on a given field in the event, get lookup results returned that you then store in an indexed field in the event at index time. Your use case sounds like a proper fit for Ingest-Time Lookups. A way to achieve what you want is the following: Scheduled search that stores the results containing " Container Name / Start Time / End Time / IP address" in a CSV file ip_container_mapping.csv. Set up a INGEST_EVAL in props.conf for your Flow/firewall log sourcetypes using Ingest-Time Lookups (this should be done on the Indexers/Heavy Forwarder)   You may want to synchronize the ip_container_mapping.csv file from the Search Head that generates it to the indexers/or HF to keep your CSV up to date. If you are pulling the flow logs in with a Heavy Forwarder the easiest way to do this would be to let the HF query the Splunk indexers and save the CSV on the HF, then set up the INGEST_EVAL on the HF.   Example for point 2 which will give you an indexed field asset_name being looked up based on the src_ip in the event, returning a column in the CSV file called container_name :   <your_sourcetype_name> INGEST_EVAL = asset_name=json_extract(lookup("ip_container_mapping.csv",json_object("src_ip", src_ip), json_array("container_name")), "container_name")     ... View more

I just submitted a pull request to the original add-on with the changes you highlighted. I am hoping the original author includes it and gets a new version uploaded to Splunkbase. https://github.com/pdoconnell/TA-microsoft-windefender/pull/4 ... View more

After a bit of troubleshooting where we first thought the issue was with missing role permissions in Splunk, it turned out the KV Store was not running due to an expired certificate. We recreated the certificate using the splunk createssl command, restarted and voila, the Create Output Group button reappeared. ... View more

This has been filed as a bug and is slated to be fixed in 8.0.4, according to SPL-183467. Splunk UF should use the python in your PATH. ... View more

Hi, I'm the author of the App. Not sure why you are having issues with the dashboards, but this part indicates you have made local customizations to the App: | lookup dnslookup clientip as src_ip | top clienthost as the original app does not have this query. You may also try to clear any client side caches if you recently upgraded to Splunk 8. ... View more

You're welcome. You should be able to filter out users in the base search as well as in the end of the SPL using | search . Can you paste the exact search you are trying as well as a screenshot of your data and possibly also the fields returned? ... View more

Add the index name as index=something to the stanza called cisco_ios You will see that one referenced in the other stanzas ... View more

There is a base eventtype you can adapt in the app. I believe it is the first one in eventtypes.conf. Just add your index name to that macro. A different approach would be to change your roles to automatically search that index by default. ... View more