Activity Feed
- Posted Curl request to admin config service on Splunk ITSI. 02-13-2024 11:56 AM
- Posted Heavy forwarder upgrade on Splunk Enterprise. 12-01-2023 06:51 AM
- Posted What is the fastest way to run a query to get an event count on a timechart per host? on Splunk Search. 09-28-2023 12:14 PM
- Posted Re: Query for events within 2 minutes of the first event for the same host on Splunk Search. 05-09-2023 10:26 AM
- Posted How to write events within 2 minutes of the first event for the same host? on Splunk Search. 05-09-2023 08:24 AM
- Posted How to create a query for alerting two different events from the same host? on Splunk Search. 03-08-2023 11:28 AM
- Posted Re: How to monitor deviation to log volume? on Splunk Search. 02-09-2023 12:00 PM
- Posted How to monitor deviation to log volume? on Splunk Search. 02-09-2023 07:29 AM
- Posted How do I correlate across two log sources? on Splunk Search. 02-03-2023 03:54 PM
- Posted How would I be able to exclude source_ip and destination_ip combination? on Alerting. 01-10-2023 11:05 AM
02-13-2024 11:56 AM
Anyone know how and what path to query on splunkcloud instance to pull existing SAML configuration details and certificate? I can view the information by browsing to settings -> authentication method -> SAML -> SAML configuration. I want to be able to export that information if it is captured in a file as a backup prior to migrating to different authentication method. Thanks in advance.
Labels: administration
12-01-2023 06:51 AM
I am working on upgrading an instance of heavy forwarder that is running an out of support version of 7.3.3. In order to upgrade this to 9.0.1, is there another version level this must be upgraded to prior to bringing it to version 9.0.1? I searched for upgrade path and no luck. Thanks.
Labels: upgrade
09-28-2023 12:14 PM
What is the fastest way to run a query to get an event count on a timechart per host? This is for windows events and I want to get a list of how many events each device is logging per month so that I can identify the increase/decrease.
They are all ingested in one index. A query like this will take a while to run if run for about a year. Is there a faster way to get this data?
index=<index_name> | timechart count by Computer span=1mon
Thanks.
Labels: timechart
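An added example (written for this page, not taken from the thread or from Splunk's documentation) of the approach that normally makes this kind of count fast: `tstats` reads only the index's tsidx metadata instead of the raw events, but it can only group by indexed fields, so `host` stands in for the extracted `Computer` field (for Windows event logs the two usually carry the same value; if `Computer` is indexed in your deployment, substitute it). `<index_name>` is the placeholder from the post. The tail of the search goes beyond the question and computes the month-over-month change per host, which is the increase/decrease the poster wanted to spot.

```spl
| tstats count WHERE index=<index_name> BY _time span=1d host
| timechart span=1mon limit=0 sum(count) AS count BY host
| untable _time host count
| sort 0 host _time
| streamstats current=f last(count) AS prev_month BY host
| eval change_pct=round(100*(count-prev_month)/prev_month, 1)
```

Run it over the full year from the time picker. `limit=0` stops `timechart` from folding less active hosts into an OTHER series, `untable` turns the wide chart back into one row per host per month so that `streamstats` can compare each month with the previous one, and the first month per host has no `prev_month`, so its `change_pct` is empty.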
05-09-2023 10:26 AM
Running this query and not quite getting the desired results. I have test events generated within a 2 minute window. Expanded maxspan to 5 minutes to capture a larger window.
05-09-2023 08:24 AM
I am working on a query to report on events generated within 2 minutes of the first event for the same host.
In the following example, I need a query to look for any occurrence of EventType 4697 within two minutes of EventType 4624 for the same ComputerName
ComputerName=x (This is a unique field)
EventType=4624
EventType=4697
Thanks.
Labels: eval
03-08-2023 11:28 AM
I am working on a query to report on host(s) that have triggered two different event types. For example, Windows event IDs 4697 and 4698: if triggered by the same host, the rule must alert.
EventType=4697
EventType=4698
HostName= What is the best way to imply that the host name is unique to the event types?
To further clarify, if the same host triggers 4697 and 4698 in a 5-minute window, I want to report on that.
Thanks in advance.
Labels: stats
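An added example covering both this post and the earlier one about 4697 within two minutes of 4624 (example searches written for this page, not from the threads). Both use `streamstats` with a sliding `time_window`, which scales better than `transaction` because it never has to hold whole groups of events in memory. The field names `EventType`, `ComputerName` and `HostName` are the ones the posts use, `<index_name>` is a placeholder, and the searches assume `EventType` is extracted as a string.

```spl
index=<index_name> (EventType=4624 OR EventType=4697)
| sort 0 _time
| streamstats time_window=2m current=f count(eval(EventType="4624")) AS logons_before BY ComputerName
| where EventType="4697" AND logons_before>0
| table _time ComputerName EventType logons_before

index=<index_name> (EventType=4697 OR EventType=4698)
| sort 0 _time
| streamstats time_window=5m dc(EventType) AS distinct_types values(EventType) AS types BY HostName
| where distinct_types=2
| table _time HostName types
```

The first search is ordered: `sort 0 _time` puts events oldest first, and `current=f` makes the two-minute window cover only the events before the current one, so a 4697 is kept only when the same `ComputerName` logged at least one 4624 in the preceding two minutes. The second is unordered: it keeps the event that completes the pair, whichever of 4697 or 4698 arrives second within five minutes on the same `HostName`. `sort 0` removes the 10,000-row cap but sorts everything the base search returns, so schedule these as alerts over short, overlapping ranges (for example every 5 minutes over the last 10) rather than running them over weeks of data.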
02-09-2023 12:00 PM
What I am looking for might be something even simpler. If I can get the total log volume per day and set up a threshold for alerting, that will work. I was thinking log volume for most indexes (log sources) does tend to drop on the weekends. Perhaps there is a threshold that can be set up based on the day of the week, weekends vs. weekdays. Any such way to accomplish this?
02-09-2023 07:29 AM
I am trying to monitor drops in events per index. What is the best way to get a baseline and detect deviation in the volume? I am more interested in drops in events and not increases.
Tags: monitor, splunk-search
Labels: stats
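An added example of the weekday/weekend baseline the poster describes (example search written for this page, not from the thread). It assumes it is run with a 30-day time range and that the role running it can read the indexes matched by `index=*`. Yesterday's count per index is compared with the mean and standard deviation of the previous days of the same class (weekday or weekend), and only drops are reported.

```spl
| tstats count WHERE index=* BY _time span=1d index
| eval dow=strftime(_time, "%a")
| eval day_class=if(dow="Sat" OR dow="Sun", "weekend", "weekday")
| eval history=if(_time < relative_time(now(), "-1d@d"), count, null())
| eventstats avg(history) AS baseline stdev(history) AS sd BY index day_class
| where _time = relative_time(now(), "-1d@d")
| eval pct_of_baseline=round(100*count/baseline, 1)
| where count < baseline - 2*sd
| table _time index day_class count baseline sd pct_of_baseline
| sort pct_of_baseline
```

The `history` field excludes yesterday from its own baseline, so a sudden drop does not pull the average down with it; `2*sd` is a starting threshold and `pct_of_baseline` is there so a fixed percentage (for example below 50%) can be used instead for noisy indexes. One caveat matters for a drop detector: an index that received nothing yesterday produces no `_time` bucket at all and so never reaches the `where` clause. Pair this search with a second alert that lists indexes present in the 30-day history but absent from the last day, or the complete outage is the one case that goes unreported.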
02-03-2023 03:54 PM
I am writing a query to correlate across two different indexes. One index has a userID field. I want the query to match a field in the second index and output additional fields from the second index.
index 'idx1' has a field named usr. For the sake of this example, there is a user called 'jdoe'.
index 'idx2' has a field named user, which contains 'jdoe', along with another field called account ID, which has the name spelled out 'John Doe'. I want the query to use the usr field content from idx1 and use that info to pull the contents of the 'account ID' field in that index.
What's the best way to accomplish this?
Labels: eval
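An added example (written for this page, not from the thread) of the usual way to correlate two indexes without `join`: search both in one base search, build a common key with `coalesce`, and let `stats` bring the rows together. Index and field names are the ones the post gives; `'account ID'` is in single quotes because the field name contains a space, and `user_key`, `account_name` and `idx1_events` are names chosen for this example.

```spl
(index=idx1 usr=*) OR (index=idx2 user=*)
| eval user_key=coalesce(usr, user)
| eval account_name=if(index="idx2", 'account ID', null())
| stats count(eval(index="idx1")) AS idx1_events values(account_name) AS account_name BY user_key
| where idx1_events>0 AND isnotnull(account_name)
```

The result is one row per user seen in idx1 with the display name taken from idx2. `join` would give the same answer for small data sets, but its inner search is a subsearch with row and time limits that silently truncate the match set; the `stats` form has no such limit. If the idx1 events themselves are needed rather than a summary, replace the `stats` with `eventstats values(account_name) AS account_name BY user_key` and then filter to `index=idx1`.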
01-10-2023 11:05 AM
I have a lookup table with two columns. They are for source IP and destination IP addresses. I want to be able to search for firewall traffic logs and filter out any source IP and destination IP combination from the results.
The following query allows for excluding source_ip from the lookup table. How would I be able to exclude the source_ip and destination_ip combination?
index=firewall sourcetype=<source_type> NOT [ | inputlookup test.csv | table source_ip ]
| table _time, source_ip, destination_ip, action, protocol
Thanks.
Labels: alert condition
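Two added variants (example searches written for this page, not from the thread) that extend the poster's subsearch to the source/destination pair. Both assume the CSV column headers are exactly `source_ip` and `destination_ip`, the same as the event field names; otherwise add a `rename` inside the subsearch or `AS` clauses to `lookup`. `excluded_src` is a name chosen for the example.

```spl
index=firewall sourcetype=<source_type>
    NOT [ | inputlookup test.csv | fields source_ip destination_ip ]
| table _time, source_ip, destination_ip, action, protocol

index=firewall sourcetype=<source_type>
| lookup test.csv source_ip destination_ip OUTPUT source_ip AS excluded_src
| where isnull(excluded_src)
| table _time, source_ip, destination_ip, action, protocol
```

When a subsearch returns two fields, Splunk expands each row to `(source_ip="a" AND destination_ip="b")` and ORs the rows together, so the `NOT` in the first variant excludes exactly the listed pairs rather than every source or every destination in the table. It is bounded by the subsearch limits (10,000 rows and 60 seconds by default), which is why the second variant matters for large tables: `lookup` matches on both input fields at once, returns a value only for rows in the CSV, and `isnull` keeps the traffic that did not match, with no row limit.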