Activity Feed
- Posted es_notable_events Query on Splunk Enterprise Security. 01-22-2025 09:21 AM
- Tagged es_notable_events Query on Splunk Enterprise Security. 01-22-2025 09:21 AM
- Posted Re: Splunk Test Server License Issue on Alerting. 01-14-2025 05:03 AM
- Posted Splunk Test Server License Issue on Alerting. 01-14-2025 02:06 AM
- Tagged Splunk Test Server License Issue on Alerting. 01-14-2025 02:06 AM
- Tagged Splunk Test Server License Issue on Alerting. 01-14-2025 02:06 AM
- Posted Setting up email alerts for Enterprise Security on Alerting. 01-14-2025 01:46 AM
- Tagged Setting up email alerts for Enterprise Security on Alerting. 01-14-2025 01:46 AM
Topics I've Started
01-22-2025 09:21 AM
Hi folks,
Looking to use es_notable_events as a way of building out a panel that will get info on ES events for the past 7 days, specifically how many alerts were closed by the team and what the alert name is. The search I am using is as follows:
```
| `es_notable_events` | search timeDiff_type=current | stats sparkline(sum(count),30m) as sparkline,sum(count) as count by rule_name | sort 100 - count | table rule_name, count
```
This works perfectly for the past 48 hours but it doesn't go back as far as a week (a known limitation when using es_notable_events apparently!). My question is, are there any alternative searches that I can run that will get these results?
- Tags: es_notable_events
- Labels: notable event
01-14-2025 05:03 AM
It is the admin acc that I am trying to log in with and the issue is still persisting.
01-14-2025 02:06 AM
I am getting the following error message whenever I try to log in to my Splunk test environment: user=************** is unavailable because the maximum user count for this license has been exceeded. I think this is because of a new license I recently uploaded to this box. As the old license was due to expire I recently got a new free Splunk license (10GB Splunk Developer License). I received/uploaded it to the test box on Friday, 3 days before the old one was due to expire. I then deleted the old license that day despite it having a few additional days. On Sunday (the day the old license was due to expire), I started getting this login issue. As I can't get past the login screen I can't try and re-upload a different license, etc. Any suggestions?
01-14-2025 01:46 AM
Hi there, I'm looking to set up an automated email that will trigger any time a new alert comes into Incident Review in Splunk ES (using Splunk>enterprise). The idea is for the team to be notified without having the Incident Review page open and improve response time. I know I can set emails individually when an alert triggers, but this would be for every 'new' alert (there are some alerts that are auto-closing) that comes in or with an option to only target high urgency alerts based on volume. Any advice would be appreciated!
- Tags: alert action
- Labels: email