×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
TamasDubicz
Engager
Member since: ‎10-13-2020
‎03-12-2026
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-13-2020
View All

Re: Access Finding/Investigation notes in ES 8

by in Splunk Enterprise Security
‎03-12-2026 11:10 AM
‎03-12-2026 11:10 AM
For some reason as I see in case of updates of the old events Splunk writes the change into the _audit index. You can access to it by this search index=_audit source=mc_notes | rex "(?<timestamp>[\d.]+),(?<incident_id>[\w-]+),(?<user>[\w_]+),(?<model>[\w]+),(?<command>[\w]+),(?<diff>.+)" | eval time=_time | table time, user, incident_id, diff, command | rex field=diff mode=sed "s/\\\\//g" | rex field=diff mode=sed "s/^\"//g" | rex field=diff mode=sed "s/\"$//g" | spath input=diff ... View more

Re: Why is the ES Incident Review page still lists...

by in Splunk Enterprise Security
‎05-05-2023 05:10 AM
‎05-05-2023 05:10 AM
We have faced with the same issue. The solution was to change ESCU permission level to "App" from "Global". ... View more

Alert action for sending data to summary index

by in Alerting
‎03-01-2021 03:25 AM
‎03-01-2021 03:25 AM
Hey Everybody,   We started to work with multiple summary indexes. We are filling them up with scheduled searches and what are end with the "collect" command and this cause a lot of inconvenience. Now we are thinking about that we would like to use alert action for the send-to-the-summary-index step, like when we write out data to a lookup with the "Output results to lookup" alert action.   Do you know any plug and play solution / downloadable alert action what we can use to improve our Splunk infra?    Thank you in advance! ... View more
Labels

What will happen when I change an already existing...

by in Deployment Architecture
‎10-13-2020 08:23 AM
‎10-13-2020 08:23 AM
Hey Everybody, We just started a SmartStore migration project and we were warned to not migrate indexes with buckets with auto_high_volume.  So we would like to change the maxDataSize settings in case of several already existing index from auto_high_volume to auto in an IDX cluster. What will be the impact of this change?  Will it cause increased I/O or other resource usage right after the change, will it “cut” the already existing high_volume buckets into 750 MB pieces? Aka. Will it be applied retrospectively? What will happen a hot bucket what is more than 750 MB at the time when I apply the change?   Thank you in advance, Tamas ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-12-2026 11:07 AM