×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
7thdrxn
Splunk Employee
Member since: ‎09-14-2021
‎09-05-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎09-14-2021
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Event Time vs Index Time

by Splunk Employee in Alerting
‎09-05-2024 08:44 AM
‎09-05-2024 08:44 AM
When you've got ES control, but have to file a ticket that will take months to respond to from a Splunk core admin team for data issues, sometimes you just do what you gotta do. 🙂 ... View more

Re: Event Time vs Index Time

by Splunk Employee in Alerting
‎09-04-2024 04:23 PM
1 Karma
‎09-04-2024 04:23 PM
1 Karma
Actually indextime has a WONDERFUL, very security relevant use case and that's for events with potentially delayed data. A great example is EDR data; if a user is off network for awhile and the agent can't report, when they do finally log on, their events may flow in with the proper timestamps for when the event occurred *however* because we are running our detections on our most recent events, detections will completely miss these. In almost every other case, I'd recommend normal _time. But _indextime is very useful for this usecase. Also can be handy with RBA so notables don't fire as events from the beginning of the time window roll off the detection window despite having already fired a notable and APPEAR unique but throttling can't account for; explained here - https://splunk.github.io/rba/searches/deduplicate_notables/#method-ii ... View more

Re: Is there a quick way to list all fields in a d...

by Splunk Employee in Other Usage
‎09-13-2023 04:01 PM
‎09-13-2023 04:01 PM
Finding this much later and love it. I made some slight edits to include calculated fields (the mvfilter NOT match is for the sub-model names that start with capital letters and the is_/is_not_ stuff for each sub-model): | datamodel | rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\"" | spath output=fieldList objects{}.calculations{}.outputFields{}.displayName | spath output=fieldList2 objects{}.fields{}.displayName | eval fieldList = mvappend(fieldList,fieldList2) | where modelName!="Splunk_CIM_Validation" | table modelName fieldList | eval fieldList = mvdedup(mvfilter(NOT match(fieldList,"is_.*|^[A-Z]")))  The check index/sourcetype is a handy addition. I also highly recommend Outpost's Data Model Mechanic for troubleshooting DMs. ... View more

Re: Correlation sources in Search filter Role Acce...

by Splunk Employee in Splunk Search
‎09-14-2021 08:13 AM
‎09-14-2021 08:13 AM
The search looks solid but I feel like something is up with your coalesce. From this example, the same event will not have both "indexA_agentB" and "indexB_agentB" so a coalesce will not do anything. I think what you're trying to do is rename the field they share so that they are the same, and then your stats by that field will accurately show which comes from two sourcetypes. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-05-2024 12:05 PM
Karma from
View All
Karma given to
View All