Hi guys. I'm currently working to fix all "real-time" jobs running on my company and I came across one job that I can't find it's original parent.. It's running every 10/15 minutes and takes resources. I was hoping you could assist me with finding the original parent of this job. This is what I have: - Owner - The query itself - Sharing (global) - Job inspect page - The app it's running on (Security Enterprise)   Thank you for your time!  ... View more

Hi. I'm looking to make a table/stats of all fields in a search to display all values inside of each field. Similar to stats count, but instead of counting the amount of values, I want to display all values inside. ... View more

Hi all. I have a running query I see on the jobs page on Splunk but I cannot find the related alert/dashboard it's coming from. There is no name like when an alert is running, but just the search query instead. Is there a query I can reverse search this search query in order to find the alert/dashboard? ... View more

Hi all. My company is working with GlobalScope and I wish to enter their error code description to Splunk. As of right now, I only get the error number and I need to go to their website and check what is each code. I was wondering if I can import the data from the website into my Splunk and include it on my queries. Here's the url: https://kb.globalscape.com/Knowledgebase/10142/FTP-Status-and-Error-Codes ... View more

Hi all. I'm working with a FTP server which include a session number with each status and I wish to exclude the session number to be separate value to use later. Example of the fields are: [12345156]quit [14365361]pass I tried using replace "[*]" with * in cs_status but it won't remove the session number (inside the [] is the session number). Basic search query: "index=application sourcetype=FTPlogs"     Thank you for the assistance! ... View more

Hi all. I currently experiencing an issue where simple strings won't provide any events while two weeks ago I had. Doesn't matter the time frame. Tried "All time" and still zero events. So, I wish to see if there is an issue with an index being disable or not working properly.   Is there a search query I can use to find these indexes? ... View more

Hi all. I use Splunk on my workplace and recently I feel like it's performance is decreasing. Basic search queries like my username or email address would provide results, now it wouldn't. Doesn't matter the time frame I choose, zero events. I was told that an app called "estreamer" was down and one of the infrastructure worker fixed it and claimed to restore all missing data. It was last Thursday. Sadly, he's not familiar with this system so I need to address the issue when I talk with him. Today, I still cannot search these basic strings, it gives zero events.   Any idea how I check what's wrong so I can tell the infra worker to fix certain issue/index/app? ... View more

Hi all. It might sound weird but I need assistance converting Azure Sentinel queries to SPL. The main goal is to use Microsoft's new exchange vulnerability detection methods. So if you got one ready to use, please share 🙂 These are the codes I wish to have in SPL: https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yaml https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml source: https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/     Thank you!! ... View more

Hi. I'm trying to get only failed login attempts but while I could find the correct field, it's not as accurate as there might be a successful login after the session. The only way I can think off to bypass this is to use "if" argument but I don't know how to involve "if" in SPL. Here's the fields I currently use: index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins. index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.   Thank you for assisting! ... View more

Hi all. I want to create an alert for hosts file modification. Found the build in one here on the forums but I would like to add a filter that can read inside the file and when it's being modified by Docker, it would ignore and won't activate the alert.   Appreciate the assistance! ... View more