Hi @splunky_diamond, yes it's the latest! open a case to Splunk Support, as I said this is an old resolved bug. Ciao. Giuseppe ... View more

Hi @splunky_diamond , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hello @splunky_diamond , I am unsure if there are any apps/TAs available for Fudo PAM data. The best would be to write magic 8 props for parsing the data. You can find the relevant documentation links below: - https://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkdoeswithyourdata - https://docs.splunk.com/Documentation/Splunk/latest/Data/Overviewofeventprocessing - https://docs.splunk.com/Documentation/Splunk/latest/Data/Createsourcetypes - https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types   Thanks, Tejas.   --- If the above solution helps, an upvote is appreciated. ... View more

Hi @splunky_diamond , it's always a pleasure! Ciao. Giuseppe ... View more

Hi @splunky_diamond , there's one general answer to all your questions: it depends on your internal procedures (or playbooks), in other words, it depends on how you work. Answering to your questions: 1) the take in charge action is usually the first action, so I always saw that investigations were started after a SOC analyst took in charge one or more Notables (often more Notables are take in charge and associated to an investigatin in block). 2)  usually I saw that SOC Anaysts change the status on their Notables by themselves. 3) as I said it depends on your internal procedures, anyway, the closing is tracked. Ciao. Giuseppe ... View more

Update: it actually did work! I just opened the dashboard in a search and the time-picker is indeed applied. ... View more

Hi @splunky_diamond , good for you, see next time! let me know if I can help you more, or, please, accept one answer (eventually your last) for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

This is the document you might want to read to understand how Splunk reads the configs. Also @gcusello 's remark about system/local vs. configured in app is valid. ... View more

Thank you so much for such a detailed addition @PickleRick !  ... View more

@splunky_diamond  your welcome  Here's 's some more security tips to help you discovery some more. 1. Many Security people use this app to help them with there Security Use cases, I use it myself - so many good features, it can also make use case recommendations based on on your data sources. https://splunkbase.splunk.com/app/3435  2. ESCU - Provides regular Security Content updates to help security SOC / analysts to address ongoing time-sensitive threats, attack methods, and other security issues. https://splunkbase.splunk.com/app/3449  3. Here you will find so many use cases for reference - great place to baseline your security monitoring strategy. https://research.splunk.com/  ... View more

1. In order to run DB connect you need to run it on a Heavy Forwarder, as it contains many component’s that are pre-requisites. Use the below link for more details https://docs.splunk.com/Documentation/DBX/3.16.0/DeployDBX/HowSplunkDBConnectworks   2. In short yes, Splunk  has in built functions to be able to send data to different destinations, using the UF, so simple example, if you have Splunk on premise and Splunk in cloud, you can send to both if desired. Parsing the data, has performance gains if going via the HF, it will examine the data, and transform it, there are many sub parts to the pipeline process. In terms of the fast mode when you parse data before indexing, the extracted fields are available for use in searches, regardless of whether you're using fast mode or not, the fast mode is one of three modes, allows you to search for available data using a different criterion.   See the three below links for more details:  https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Routeandfilterdatad https://docs.splunk.com/Documentation/Splunk/9.2.1/Deploy/Datapipeline https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Search/Changethesearchmode      3. If you data source can only send API data to Splunk, then this is a good option (it’s basically agentless) and called the HTTP event collector. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector       ... View more

Thank you very much kprior201! The issue was that I was executing the search not within the ES app when I was testing it, but in the Search and Reporting app. I did not have some of the manually extracted fields in my ES app, once I added them, the correlation search worked well!  ... View more

Hello @splunky_diamond, As stated by 2 folks, resource consumption depends on multiple factors. If you are planning to enable ~15 use cases in ES for learning purpose with all-in-one test environment, 32 GB RAM, 32 vCPU, and 200 GB hard disk should be enough. Base configuration for ES is as below -  https://docs.splunk.com/Documentation/ES/7.3.1/Install/DeploymentPlanning ... View more