×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Zorghost
Loves-to-Learn
Member since: ‎07-27-2024
‎02-11-2025
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-27-2024
View All

Re: A splunk query to fetch Admin activity inside ...

by in Security
‎02-11-2025 05:31 AM
‎02-11-2025 05:31 AM
Hi @gcusello and thanks again for your reply ! What I want is a query that I can use to fetch only the important fields from the _audit index to get visibility on the admin activity events. What I currently have is : index=_audit sourcetype="audittrial" action=edit* OR action=create* OR action=delete* OR action=restart* I want to get the least possible amount of data volume while getting the needed information to construct the audit events. ... View more

Re: A splunk query to fetch Admin activity inside ...

by in Security
‎02-10-2025 11:39 PM
‎02-10-2025 11:39 PM
Thank you again for the support @gcusello  I currently don´t have visibility on _audit index in splunk. Do you maybe know if it is possible as well to filter the data based on the user type ? like for example : user=admin ? what other users in splunk would exist with administrative privileges as well ? Are there any standard fields that exist in the _audit index that you think are enough to be archived while delivering the important details of the audit event ? I would really appreciate any help ! ... View more

Re: A splunk query to fetch Admin activity inside ...

by in Security
‎02-07-2025 05:32 AM
‎02-07-2025 05:32 AM
Thank you for the reply @gcusello , I want to extract the data from that index -> process it -> send it to a file share. The issue is that I can´t work with data that is more than 20 MB in the platform that I am using to automate this process. Therefore, I m looking for a more specific query to get smaller size data. ... View more

A splunk query to fetch Admin activity inside splu...

by in Security
‎02-07-2025 05:10 AM
‎02-07-2025 05:10 AM
Hello everyone, I am planning to automate a process where we need to archive admin activity for splunk application. For that I would require a query to fetch all the privileged actions conducted by admins inside splunk application. My first thought is to use the following query: index=_audit sourcetype="audittrial" action=edit* OR action=create* OR action=delete* OR action=restart* Unfortunately, this query is emitting a lot of data ( around 900MB per day ) which the platform that I am using for automation can´t work with.  => Is there maybe any query that I can use to get the data I need in a more specific way to the point where it reduces the size to 20 MB or something ? I would appreciate any help and thank you in advance !   ... View more
Labels

Optimally archive notable events

by in Splunk Enterprise
‎07-27-2024 05:57 PM
‎07-27-2024 05:57 PM
Hello Splunk Community, For compliance reasons, I need to figure out an efficient way to archive notable events that is generated from the correlation searches in enterprise security. My first thought is to create an index for these notable events and configure dynamic data self storage. Is this a good solution and feasable in splunk enterprise ? I would appreciate any support here and thank you in advance ! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-11-2025 08:57 AM