Hi, I have installed the virustotal add-on for Splunk. When I enter the dashboards that are already pre-built I find that the data is related to .csv files. When I enter one of the panels to see how the query is constructed I see that it is indeed a list of IP address values and a reputation level given by virustotal. | inputlookup vt_ip_cache | search vt_detections > 0 | where "1" = "1" OR _first_seen_in_events >= relative_time(now(), "1") | stats count   I am currently on a license of X amount of GB which I am using to ingest logs from many windows machines and some Azure services so I am getting the firewall logs in Elasticsearch and I use the command | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP" Each query independently brings me results, but what I need is to correlate the virustotal source logs on the IP addresses where the field is called vt_id and show only the ones that match the logs from the paloalto under the SourceIP field I am not very skilled with this type of queries and for this reason I ask for your help, I managed to build this query, which does not bring me results either because there are no matches or because it is incorrect, what do you think? | inputlookup vt_ip_cache | search vt_detections > 0 |table vt_id vt_collections_names |append [| ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="*" fields="SourceIP" |table SourceIP] |where vt_id==SourceIP |table SourceIP vt_id vt_collections_names Would you help me to adjust or improve it?   thanks ... View more

  Hello I am currently managing a hybrid between Splunk and ELK (Elastisearch Logstash Kibana). Logs supporting syslog protocol are sent to ELK and logs from other sources directly to windows via agent. A plugin called Elasticsplunk has been installed and is stored in the path /splunk/splunk/etc/apps/elasticsplunk/. Currently I am getting the following error message and I would like you to please help me if you know in which configuration file I increase the timeout     External search command 'ess' returned error code 1. Script output = "error_message=ConnectionTimeout at "/var2/splunk/splunk/etc/apps/elasticsplunk/bin/elasticsearch/connection/http_urllib3.py", line 155 : ConnectionTimeout caused by - ReadTimeoutError(HTTPConnectionPool(host=u'localhost', port=9200): Read timed out. (read timeout=60)) ".”   ... View more

Hello to all I would like to know the default time set for hot, warm, cold and frozen buckets. I also want to know what the retention policy is. When I go to "Settings" -> "Monitoring Console" -> "Indexing" -> "Indexes and Volumes" -> "Index Detail: Instance" I find the following retention policy When I enter the path $SPLUNK_HOME/etc/system/local/default/web.conf I can see some information about the buckets thanks if someone can solve my question       ... View more

Hi, I hope that asking this question will not cause controversy. I currently manage a hybrid between Splunk and ELK, some of the sources come directly to Splunk where we pay for the licensing but as there are sources that send very large volumes of information (As we know Splunk is very good but very expensive), we send them to ELK and what we do is that from Splunk we use this type of queries to display data from ELK | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="src_ip:198.7.62.204" fields="*" now, making clear that these logs are not arriving directly to Splunk, and what Splunk is doing is an external query to ELK I would like to know if it is possible to correlate two sources, in this case I need to correlate the palalto logs type THREAT with the type TRAFFIC This is what I have tried but it does not work   | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="Type:TRAFFIC AND Threat_ContentType:end AND Action:allow AND NOT SourceLocation:172.16.0.0-172.31.255.255 AND NOT SourceLocation:192.168.0.0-192.168.255.255 AND NOT SourceLocation:Colombia" fields="GeneratedTime,Threat_ContentType,Action,SourceIP,DestinationIP,DestinationPort,NATDestinationIP,SourceLocation,DestinationLocation,SourceZone,DestinationZone" |table GeneratedTime Threat_ContentType Action SourceIP DestinationIP DestinationPort NATDestinationIP SourceLocation DestinationLocation SourceZone DestinationZone * | append [ ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="type:THREAT" fields="threat" |table threat ] |table threat Action *         ... View more

Our client is asking us for information that is stored in the Splunk cloud, and I am not aware of how to access a copy of the information, either because they simply want to have it or because they want it to be backed up from time to time. The second part of the question is if there is such a way to have a copy of that information how is the restore process? ... View more