Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About ThuLe
ThuLe
Explorer
Member since:
09-05-2023
12-29-2025
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 1 |
| Member Since | 09-05-2023 |
Activity Feed
- Posted Re: Custom report list all investigations and the associated findings (notable events) on Splunk Search. 12-28-2025 11:13 PM
- Posted Re: Custom report list all investigations and the associated findings (notable events) on Splunk Search. 12-28-2025 07:51 PM
- Posted Custom report list all investigations and the associated findings (notable events) on Splunk Search. 12-25-2025 11:15 PM
- Tagged Custom report list all investigations and the associated findings (notable events) on Splunk Search. 12-25-2025 11:15 PM
- Tagged Custom report list all investigations and the associated findings (notable events) on Splunk Search. 12-25-2025 11:15 PM
- Tagged Custom report list all investigations and the associated findings (notable events) on Splunk Search. 12-25-2025 11:15 PM
- Tagged Custom report list all investigations and the associated findings (notable events) on Splunk Search. 12-25-2025 11:15 PM
- Posted The TCP output processor has paused the data flow. Forwarding to splunk cloud indexers has been blocked on Getting Data In. 12-22-2025 11:18 PM
- Karma Re: Forwarder to Splunk cloud suddenly stop: error tcpoutputfd 1158951 connection to host 9997 failed ssl error = no err for PickleRick. 12-08-2025 06:44 PM
- Karma Re: Forwarder to Splunk cloud suddenly stop: error tcpoutputfd 1158951 connection to host 9997 failed ssl error = no err for livehybrid. 12-08-2025 06:44 PM
- Karma Re: Forwarder to Splunk cloud suddenly stop: error tcpoutputfd 1158951 connection to host 9997 failed ssl error = no err for PrewinThomas. 12-08-2025 06:44 PM
- Posted Forwarder to Splunk cloud suddenly stop: error tcpoutputfd 1158951 connection to host 9997 failed ssl error = no error on Getting Data In. 12-05-2025 07:44 PM
- Posted Best practice to send FortiMail Cloud logs to Splunk Cloud on Splunk Cloud Platform. 08-09-2025 06:08 PM
- Tagged Best practice to send FortiMail Cloud logs to Splunk Cloud on Splunk Cloud Platform. 08-09-2025 06:08 PM
- Tagged Best practice to send FortiMail Cloud logs to Splunk Cloud on Splunk Cloud Platform. 08-09-2025 06:08 PM
- Tagged Best practice to send FortiMail Cloud logs to Splunk Cloud on Splunk Cloud Platform. 08-09-2025 06:08 PM
- Got Karma for Why is Splunk send email function not working (version 9.1.0.2)?. 10-26-2023 03:17 PM
- Posted Why is Splunk send email function not working (version 9.1.0.2)? on Other Usage. 09-20-2023 09:47 PM
- Posted Re: Adding key indicator search to custom dashboard in Splunk Enterprise Security on Splunk Search. 09-12-2023 03:51 AM
- Posted Adding key indicator search to custom dashboard in Splunk Enterprise Security on Splunk Enterprise Security. 09-12-2023 03:03 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
12-28-2025
11:13 PM
Right now, I’m not fully sure how the mc_investigations_lookup is managed or updated. My goal is simply to build a report that shows both findings and investigations together. The only data sources I’ve been able to identify so far are the `notable` (raw notable events) and the mc_investigations_lookup (KV store lookup used by Mission Control) I compared the fields between `notable` and mc_investigations_lookup and couldn’t find a key that would link them directly. Because Mission Control can group findings inside an investigation in the UI, I assumed there must be some relationship stored somewhere — either in another lookup, index, or hidden mapping — but I haven’t been able to locate it yet. Since we’re on Splunk Cloud, I’m also not sure whether we’re allowed to modify the KV store or extend it with our own fields. So at this point, I’m mainly trying to understand: Where the relationship between findings and investigations is actually stored Whether there is any supported way to expose that relationship for reporting Any guidance or pointers would be really appreciated.
... View more
12-28-2025
07:51 PM
Hi @yuanliu Our current practice is: When we configure event detection in ES, we set it up to extract entities and threats. The detection job runs on a schedule, and each time it runs we receive a single email notification that includes all matching cases. However, findings are still generated individually for each entity or threat. During investigation, we usually group all related findings into one investigation so they align with the email alert. But for reporting purposes, we need to submit the list of finding, investigation and include information whether a finding has already been investigated and which investigation it belongs to. Ideally, after a finding is added to an investigation, there should be a visible link between the two datasets — for example, an investigation ID in the finding details (or vice-versa). The mission control UI does not have export function so we are trying to write SPL to do the export. However, there isn’t any field that can be used to link the two datasets, `notable` and mc_investigations_lookup.
... View more
12-25-2025
11:15 PM
Hello everyone, I am trying to create a custom report that lists Investigations alongside the Notable Events (Findings) associated with them since the Mission Control UI currently lacks a native export function for this data. Investigation data: using mc_investigations_lookup to get the list of investigations Finding (notable event) data: using the `notable` macro to pull the list of findings However, I cannot find a common field or a bridge table to associate these two datasets. I am using Splunk cloud with ES version 8.2 Any advice on how to bridge these two sources so I can generate an exportable report would be greatly appreciated. Best regard!
... View more
12-22-2025
11:18 PM
Hello everyone, We are using a Universal Forwarder (UF) as an intermediate forwarder to send logs from other UFs in our on-premises environment to Splunk Cloud. Whenever Splunk performs maintenance on our Splunk Cloud instance, the intermediate forwarder and all downstream UFs are unable to connect to Splunk Cloud. As a result, the forwarding queues on the forwarders become full. After the maintenance is completed and the Splunk Cloud instance is back online, the queued logs do not resume forwarding automatically. The data remains stuck in the queue until we manually restart the forwarders. We have tried increasing the [queue] maxSize settings in server.conf on IF, but this did not resolve the issue. Has anyone else experienced this behavior, or have suggestions on how to handle it properly? Thank you very much.
... View more
Labels
- Labels:
-
universal forwarder
12-05-2025
07:44 PM
Hello, I have HF and UF act as intermediate forwarders and forward logs to Splunk Cloud. We installed the credentials (.spl file) download from Splunk Cloud, and the forwarders were working fine until November 28, they have stopped sending the log to Splunk cloud. The error in splunkd.log is: Network team confirm that they not change anything on the FW We have searched and tried re-downloading the credentials (.spl file) from Splunk Cloud and reinstalled them on the forwarders, but the same errors persist. The errors only disappear when we disable the credentials app 100_<cloud instance>_splunkcloud. Has anyone experienced this issue? Please help Thank you very much
... View more
Labels
08-09-2025
06:08 PM
Hi, We’re looking for guidance on the best way to ingest FortiMail Cloud logs into Splunk Cloud. Our current environment includes: Cloud: Splunk Cloud, Fortimail Cloud - Hosted On-premise: SC4S serve, Heavy Forwarder and FortiAnalyzer on-prem FortiMail Cloud is hosted by Fortinet, so we can’t just point it at our SC4S like we would for an on-prem appliance. We do have the option to send logs to our on-prem FortiAnalyzer, but we’re unsure if it’s better to: Route FortiMail Cloud logs → FortiAnalyzer on-prem → SC4S/HF → Splunk Cloud, Send FortiMail Cloud logs directly to SC4S via an external connection, or Use another recommended method (e.g., Fortinet APIs, log download scheduling, etc.) Has anyone implemented a similar setup for FortiMail Cloud? Any best practices or pitfalls to avoid—especially regarding secure transport, parsing, and CIM compliance? Thanks in advance!
... View more
Labels
- Labels:
-
configuration
-
using Splunk Cloud
09-20-2023
09:47 PM
1 Karma
Hello,
We're using Splunk Enterprise version 9.1.0.2 and trying to configure Splunk to send email alerts but cannot make it work. We've tried both Gmail and O365, here are the errors:
1. Email settings: Mail host: smtp.gmail.com:587, Enable TLS, enter Username and password (we use app password for smtp.gmail.com)
--> Error: sendemail:561 - (530, b'5.7.0 Authentication Required. Learn more at\n5.7.0 https://support.google.com/mail/?p=WantAuthError 5-20020a17090a1a4500b00274e610dbdasm2199058pjl.8 - gsmtp', 'sender@gmail.com') while sending mail to: receive@....
2. Email settings: Mail host: smtp.office365.com:587, Enable TLS, enter Username and password (username and password can login to Outlook successfully)
--> Error: sendemail:561 - (530, b'5.7.57 Client not authenticated to send mail. [SGAP274CA0001.SGPP274.PROD.OUTLOOK.COM 2023-09-21T02:01:45.399Z 08DBB9CB1E03821B]', 'sender@senderdomain.com') while sending mail to: receive@....
Please support.
Thank you.
... View more
- Tags:
- splunk search
Labels
- Labels:
-
alert action
-
email
-
Python
09-12-2023
03:51 AM
Hi @gcusello Default dashboards such as Security Posture have the button "Add Key Indicator" but the custom dashboard does not have it. security posture custom dashboard Thanks.
... View more
09-12-2023
03:03 AM
Hello, I'm trying to add new/existing key indicator searches to my dashboard in ES, but the edit toolbar does not have the "Add Key Indicator" button. My custom dashboard: My custom dashboard Default dashboard with Key Indicators: Default dashboard with Key Indicator I also tried to clone the default "Email Activity" dashboard (which has existing key indicators in it), but the clone dashboard cannot be loaded. What should I do? If this is a bug, which log files do I need to check? Thank you.
... View more
Labels
09-12-2023
03:00 AM
Hello,
I'm trying to add new/existing key indicator searches to my dashboard in ES, but the edit toolbar does not have the "Add Key Indicator" button.
My custom dashboard:
My custom dashboard
Default dashboard with Key Indicators:
Default dashboard with Key Indicator
I also tried to clone the default "Email Activity" dashboard (which has existing key indicators in it), but the clone dashboard cannot be loaded.
What should I do?
If this is a bug, which log files do I need to check?
Thank you.
... View more
- Tags:
- splunk search
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-29-2025
06:28 PM
|
