That's what I thought.  Thank you for confirming. ... View more

Not sure if you are still looking into this, but I ran into a similar issue and aggregate several searches into Assets.  Either the CMDB is missing items or some other agent has additional information for an asset.   Very basic instructions: 1. Create search that returns info you want 2. https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Formatassetoridentitylist for table in search. You may have to rename some fields to match 3. Save As - Report 4. Schedule it 5. Title and description 6. Settings-Lookups-lookup definitions 7. Create new definition 8. Dest App = SA-IdentityManagement 9. name it 10. File-based 11. Lookup file = name of the outputlookup csv you had in search. If it's not in the list manually re-run the saved search. 12. Open Enterprise security app 13. Configure-Data Enrichment-Asset&Identity 14. New Configuration 15. Choose source -- will be the lookup name 16 Save.   You are correct in letting Asset and Identity Management manage the merge.  You can set the rank of all of the sources on that page as well. ... View more

1. Those are built-in OOB macros.  You can view them in "Settings-Advanced Search-Search Macros" 2. Sorry, I don't unless you look at "Settings-Data Models".  The ones with yellow lightning bolts are the accelerated ones.  You can expand those in there and see some details. ... View more

I'd be interested in this as well.  However, you could have a scheduled job to export the logs to a file on the windows machine, the put a Monitor stanza in the inputs.conf to go to another index as a workaround.  Just trying to think of other ways just in case. ... View more

It's difficult without seeing your data.  For just eps, try: index=_internal source=*metrics.log earliest=-1h group=per_host_thruput series=* component=Metrics | timechart span=1m avg(eps) as avg_eps ... View more

Not exactly sure what you are looking for, but maybe some information from the _internal index can help.  Like this: index=_internal host=* group=per_index_thruput | stats sum(kbps) as kbps sum(ev) as ev by series | eval ev=round(ev,0) ... View more

Not that I know of.  You can manually create a notable event from any indexed search using "Event Actions" but I think you are looking not just for the actual events but just the Adaptive Action enabled. ... View more

This search will list out your correlation searches and what action is associated with each (risk/notable). | rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | where disabled=0 | eval actions=split(actions, ",") | table title,actions ... View more

Not sure you can from that Incident Review dashboard.  You should be able to export from a regular search using index=notable.  Just specify time frame and fields you need. ... View more

Would ingestion summary help?  I haven't used Phantom in a long time so I may be totally off base. System Health > Ingestion Summary. ... View more

Here is the spec doc for the serverclass.conf file. https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Serverclassconf   I have not run into any limits on the number of items.  Especially when I use a csv file to specify 100s of servers for a specific class.  You should be good. ... View more

MS has some pwershell things to look for in your environment.  Eith on-prem Exchange or Cloud-based.   https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md ... View more

That's probably the best plan.  However, say I have 15 normal IIS servers, 5 SFTP servers, and 5 SSRS servers.  All 25 run on IIS so the app the server class pushes out will go to one index.  But all 3 log types parse differently from an identical location.  This sounds like I would have to manually specify hosts for separate classes, right? ... View more