Activity Feed
- Posted Re: dashboard SLA time calculation on Splunk Search. 03-07-2024 01:52 AM
- Posted dashboard SLA time calculation on Splunk Search. 02-28-2024 06:05 AM
- Posted Re: complex stats to trigger on count of events on Splunk Search. 02-28-2024 05:42 AM
- Posted Re: complex stats to trigger on count of events on Splunk Search. 02-28-2024 04:17 AM
- Posted complex stats to trigger on count of events on Splunk Search. 02-28-2024 03:56 AM
- Posted Re: How to append /write only new results to outputlookup file on Splunk Enterprise. 02-26-2024 12:49 AM
- Tagged Re: How to append /write only new results to outputlookup file on Splunk Enterprise. 02-26-2024 12:49 AM
- Posted Data not being populated from SplunkDB Connect on Splunk Search. 02-06-2024 11:45 PM
- Posted Re: cim vladiator % DM coverage on Other Usage. 02-06-2024 01:43 AM
- Posted cim vladiator % DM coverage on Other Usage. 02-06-2024 01:21 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 02-05-2024 06:19 AM
- Karma Re: SLA reporting in SPL for ITWhisperer. 02-05-2024 05:54 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 02-05-2024 05:24 AM
- Karma Re: SLA reporting in SPL for ITWhisperer. 02-05-2024 01:40 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 02-05-2024 01:39 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 02-05-2024 01:02 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 02-01-2024 07:52 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 02-01-2024 07:49 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 02-01-2024 04:52 AM
- Posted Re: SLA reporting in SPL on Splunk Search. 01-31-2024 06:33 AM
03-07-2024
01:52 AM
I did not get results. I have to calculate the average time for closing alerts by severity, so in this case I am calculating "medium" severity alerts, so the equation should be total medium alerts / total time of "closing" medium alerts.
02-28-2024
06:05 AM
I have two different queries: one calculates total critical alerts and the second one calculates the total time critical alerts were "opened". I need to calculate the average between them (time/count). How can I achieve it?
Labels: stats
02-28-2024
05:42 AM
I am saying that the rule needs to trigger when events > 4, and the 'Trigger Condition' did not work. This is the rule that triggered (triggered on one event):
02-28-2024
04:17 AM
| stats count dc("File Name") as "File Name Count" first(_time) as _time, values(host) as host, values("File Type") as "File Type", values(Policy) as Policy, values(SHA256) as SHA256, values("Block Reason") as "Block Reason", values(Blocked) as Blocked by "File Name"
02-28-2024
03:56 AM
I have this rule. I need it to trigger when the result/event count is greater than 4, but the "Trigger Condition" did not work. Is there something I can add to the query?
Labels: stats
02-26-2024
12:49 AM
Hi, I have the same issue but it's not working for me. I first created the lookup and saved the search as a report, and then I need to edit my query to append ONLY new values. The current query does not push values at all.
index="rapid7_threat_intelligence" type="Domain"
| table _time, source, type, value
| outputlookup DOMAIN_IOC_ACTIVE.csv append=true
| append [ | inputlookup append=true DOMAIN_IOC_ACTIVE.csv ]
| dedup value
Tags: lookup
02-06-2024
11:45 PM
Hi, I have a connection on Splunk DB Connect on my HF (connected to my SH; I know the connection is stable and other sources reach my SH from the HF), but data is not populated in my index (I also tried connecting to a new index=database on my SH and HF and restarting, and it did not work).
02-06-2024
01:21 AM
Hi, I installed SA_CIM_Vladiator, and when running % checks to see DM coverage I do see gaps between extracted fields, or fields that are found on specific indexes, and the app does not return them in the results.
02-05-2024
06:19 AM
How can I sum all the time together? stats sum did not work for me, and in addition I need to add also | stats count(event_id) and get the count of critical alerts in order to do Event Count / Total Time and get an average of how much time it takes to close an alert by severity.
02-05-2024
01:02 AM
Hi, can you help with this one? time_difference remains empty after the calculation.
02-01-2024
07:52 AM
I tried the same concept for a different query and it did not run. This one calculates how much time the alert took to be closed in the incident manager.
02-01-2024
07:49 AM
WORKED! And this is my final query. TY
`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval timenow=now()
| eval nowstring=strftime(now(), "%H:%M:%S %p")
| eval diff=now()-_time
| eval diff=tostring(diff, "duration")
| table _time, diff, rule_name, owner, status_label, "Audit Category", urgency
| rename status_label as Status
| rename diff as time_difference
02-01-2024
04:52 AM
Exactly, this is my search:
`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval time_difference=tostring(now() - _time)
| eval time_difference = strftime(time_difference, "%H:%M:%S")
| table _time, time_difference, rule_name, owner, status_label, "Audit Category", urgency
| rename status_label as Status
01-31-2024
03:12 AM
Hi, I have this query that calculates how much time the alerts are open. So far so good, but unfortunately if the rule name repeats (duplicate rule name) in a new event, then the now() function does not know how to calculate the correct time for the first rule that triggered. How can I calculate SLA time without deleting duplicates and keeping the same structure as shown in the picture?
01-14-2024
03:58 AM
I have this query in my report, scheduled to run every week, but the results are for all time. How can I fix it?
index=dlp user!=N/A threat_type=OUTGOING_EMAIL signature="EP*block" earliest=-1w@w latest=now
| stats count by user _time
| lookup AD_enrich.csv user OUTPUTNEW userPrincipalName AS Mail, displayName AS FullName, wwwHomePage AS ComputerName, mobile AS Mobile, description AS Department, ManagerName, ManagerLastName
| table _time, Users, FullName, Mail, Mobile, ComputerName, Department, ManagerName, ManagerLastName, count
Labels: timechart