×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
rajashekar_s
Path Finder
Member since: ‎03-13-2017
‎10-20-2022
Community Statistics
Posts 13
Solutions 1
Karma Given 2
Karma Received 2
Member Since ‎03-13-2017
Activity Feed
View All

Re: How to display only certain fields from data s...

by in Dashboards & Visualizations
‎11-30-2025 05:18 PM
‎11-30-2025 05:18 PM
Hi, I was going to reply and ask if you ever solved this, but I just did myself. Name your field _something and untick "show hidden fields". By default the only hidden field that shows is _time, doing this effectively hides your other fields. ... View more

Re: CIM help

by in Splunk Enterprise Security
‎01-07-2021 08:31 AM
1 Karma
‎01-07-2021 08:31 AM
1 Karma
Per documentation, for example the action field in network traffic datamodel, prescribed values are allowed, blocked and teardown. But you have many values under action field. As suggested above, you can create a calculated field like | eval action=case((action="xxx" OR action="yyy"),"allowed",1=1,"blocked") Doing this on all recommended fields will increase you compliance % ... View more

Re: How to fetch configured correlation data, quer...

by in Splunk Enterprise Security
‎01-07-2021 07:57 AM
‎01-07-2021 07:57 AM
@sacumen see if the following rest query gives what you are looking for   | rest /servicesNS/-/-/saved/searches | search title=* | table title cron_schedule eai:acl.owner actions dispatch.earliest_time dispatch.latest_time search ... View more

Re: Multiple incident creation on servicenow throu...

by in Splunk Enterprise Security
‎01-07-2021 07:10 AM
‎01-07-2021 07:10 AM
After creating the correlation search and alert action to be service now incident, goto setting-> search,reports and alerts, find you search. Click on it, scroll down and change the trigger to each result from once and it should create one incident per row of your result ... View more

Re: CIM compliance of data from two different sour...

by in Splunk Enterprise Security
‎02-20-2020 01:09 AM
‎02-20-2020 01:09 AM
Yes. You got the problem correct. The issue is both indexes are very huge in data (win event viewer logs and db logs). So we will have a problem creating schedule search and doing auto lookup. We have tried it and its causing issues. We have tested using collect to dump it to db index from winevent viewer index. So I have my data in two events now which again has to be merged to make it CIM compliant. This is where I am looking for some help. ... View more

Re: Difference of two columns with dynamic names

by in Dashboards & Visualizations
‎03-20-2018 12:37 AM
‎03-20-2018 12:37 AM
That worked. Thanks a lot ... View more

Re: How do I get first match from lookup with mult...

by in Splunk Search
‎12-17-2017 11:20 PM
‎12-17-2017 11:20 PM
Thanks. Not sure how I missed this one. ... View more

Re: How can an alert script be run as a local user...

by in Splunk Enterprise
‎03-15-2017 02:03 AM
‎03-15-2017 02:03 AM
Thank you. Will try that out. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-20-2022 04:39 PM
Karma from
View All
Karma given to
View All