×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Denorsmith
Engager
Member since: ‎03-26-2021
‎08-21-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-26-2021
Activity Feed
View All

Re: Edit Action Dropdown on a notable event

by in Splunk Enterprise Security
‎09-21-2021 03:00 AM
‎09-21-2021 03:00 AM
BePe is correct. In the main menu bar, click Settings -> Fields -> Workflow actions -> search on keyword "Investigator". You can also search from "All Configurations" if desired. You will see a number of workflow actions from the DA-ESS-IdentityManagement app, such as identity_investigator_user. Click this link to see the options required to link to the desired dashboard. Use this as a template to create a New Workflow action in the app of your choosing, ensuring that the workflow action is shared globally to be accessible from within Enterprise Security. Label: <your choice> Apply only to the following fields: <your choice> Apply only to the following event types: <your choice> Show action in: Fields menus Action type: link URI: /app/$@namespace$/dashboard_name?form.target_field=$@field_value$ Open link in: New window Link method: get This will create the appropriate stanza entries in the workflow_actions.conf for the container app. ... View more

Re: Timeline creation using eval case function

by SplunkTrust in Dashboards & Visualizations
‎08-12-2021 10:06 PM
1 Karma
‎08-12-2021 10:06 PM
1 Karma
Hi @Denorsmith , Please try below; (I also index="stuff" sourcetype="things" src_ip="1.1.1.1" dest_ip="2.2.2.2" TERM(attack_vector) | eval Status = case(response_code>="400" OR response_code="0", "Blocked", response_code>="202" AND response_code<="226", "Partial", response_code>="300" AND response_code<="399", "Redirect", response_code="200" OR response_code="201", "Success") | timechart count by Status removed search term before TERM for faster results)     ... View more

Re: stats count(eval(recipient="@thing.com*")) not...

by SplunkTrust in Splunk Search
‎03-26-2021 05:04 PM
‎03-26-2021 05:04 PM
Since you are already filtering on whether recipient is @thing.com, why do you need to filter again in the stats? index=emails | search recipient="*@thing.com*" OR Recipient="*@thing.com*" | stats count AS @thing BY email_response However, if you still feel you need it, you could use the like function (note that % are used for wildcards) index=emails | search recipient="*@thing.com*" OR Recipient="*@thing.com*" | stats count(eval(like(recipient,"%@thing.com%") OR like(Recipient,"%@thing.com%"))) AS @thing BY email_response   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-21-2021 06:52 PM
Karma given to
View All