Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About hl
hl
Path Finder
Member since:
06-23-2025
4m ago
Community Statistics
| Posts | 17 |
| Solutions | 3 |
| Karma Given | 5 |
| Karma Received | 2 |
| Member Since | 06-23-2025 |
Activity Feed
- Karma Re: How to see all source and sourcetype list for wrangler2x. 4 hours ago
- Got Karma for Re: Query using multiple lookups. Wednesday
- Posted Re: Query using multiple lookups on Splunk Enterprise Security. Wednesday
- Posted Query using multiple lookups on Splunk Enterprise Security. Wednesday
- Posted Re: Compare query to lookup table but don't print if the results are in the lookup table. on Splunk Search. 11-03-2025 11:43 AM
- Karma Re: Compare query to lookup table but don't print if the results are in the lookup table. for richgalloway. 11-03-2025 11:42 AM
- Posted Compare query to lookup table but don't print if the results are in the lookup table. on Splunk Search. 11-03-2025 10:11 AM
- Posted Palo Alto apps and add-ons for splunk on Splunk Enterprise Security. 09-02-2025 08:02 AM
- Posted Re: Only execute if greater than or equal to x mins on Splunk Search. 08-20-2025 11:52 AM
- Posted Re: Only execute if greater than or equal to x mins on Splunk Search. 08-20-2025 10:03 AM
- Posted Re: Only execute if greater than or equal to x mins on Splunk Search. 08-20-2025 09:29 AM
- Posted Only execute if greater than or equal to x mins on Splunk Search. 08-20-2025 09:26 AM
- Got Karma for Re: [URGENT] All splunk forwarders upgraded to 10.0 version are crashing. 08-08-2025 08:11 AM
- Posted Re: [URGENT] All splunk forwarders upgraded to 10.0 version are crashing on Splunk Enterprise. 08-08-2025 08:07 AM
- Posted [URGENT] All splunk forwarders upgraded to 10.0 version are crashing on Splunk Enterprise. 08-08-2025 05:36 AM
- Posted Re: Show a count of all failures from VPN traffic on Splunk Enterprise. 08-06-2025 05:53 AM
- Karma Re: Show a count of all failures from VPN traffic for PrewinThomas. 08-06-2025 05:44 AM
- Posted Re: Show a count of all failures from VPN traffic on Splunk Enterprise. 08-06-2025 05:08 AM
- Posted Show a count of all failures from VPN traffic on Splunk Enterprise. 08-05-2025 06:12 PM
- Tagged Show a count of all failures from VPN traffic on Splunk Enterprise. 08-05-2025 06:12 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Wednesday
1 Karma
I figured it out now , `|lookup CrowdStrike_asset_lookup ip AS src_ip OUTPUT nt_host, dns`
... View more
Wednesday
Hello, Looking for a way to query network traffic and search for IP's that have remote connection software i.e. ms-rdp and compare those ip's to the CrrowdStrike_lookup and print out the nt_host of the user and dns of the user. Everything works expect the CrowdStrike lookup. | tstats `security_content_summariesonly` count min(_time)
as firstTime max(_time) as lastTime values(All_Traffic.dest_port)
as dest_port latest(All_Traffic.user) as user from datamodel=Network_Traffic
where sourcetype="pan:*" All_Traffic.action="allowed"
by All_Traffic.action All_Traffic.app All_Traffic.bytes
All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.src_port
All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port
All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
All_Traffic.src All_Traffic.src_ip All_Traffic.transport All_Traffic.user
All_Traffic.signature
All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_appid AS app OUTPUT
isutility, description as signature, comment_reference as
desc, category
| lookup CrowdStrike_asset_lookup nt_host AS src OUTPUT dns as ip
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_traffic_filter`
... View more
Labels
- Labels:
-
using Enterprise Security
11-03-2025
11:43 AM
Ok so within a |where clause the nt_host does have to be actually "null" , null could mean don't use also?
... View more
11-03-2025
10:11 AM
index=web
host!="*TEST*"
| rare limit=10 http_user_agent,c_ip,src,X_Forwarded_For,host
```|lookup static_assets ip as c_ip OUTPUT nt_host```
|table http_user_agent,c_ip,src_X_Forwarded_For,host,nt_host I have a lookup table with three fields , - category - IP - nt_host I would like to compare the results from the search to the lookup table IP and nt_host and only print out the query that isn't in the lookup table.
... View more
Labels
- Labels:
-
lookup
09-02-2025
08:02 AM
Hello, Current setup is Palo Alto firewall and using Sc4s (splunk connect for syslog) , so far getting all logs for Palo Alto except for wildfire. Can someone tell me do we need the apps or add-ons to be able to create good detections for the firewall ? if so Can someone tell me what apps and add-ons should be used and do they have to be configured? Getting my information for here: https://pan.dev/splunk/docs/ Regards,
... View more
Labels
- Labels:
-
using Enterprise Security
08-20-2025
11:52 AM
Actually I think I figured this out! index=netfw sourcetype=pan:*
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=floor((lastTime-firstTime))
|eval "Difference in Mins" = floor((diff / 60))
|eval SortbyMins="Difference in Mins"
|fields - diff,SortbyMins
|sort - SortbyMins
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
... View more
08-20-2025
10:03 AM
Created this instead, index=net* sourcetype=pan:*
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=toString(lastTime-firstTime, "duration")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` but still trying to figure out how to only show results if greater than x mins. ?
... View more
08-20-2025
09:29 AM
I just wanna make variable and assign it but I know I can't do that and you can't create boolean on an eval
... View more
08-20-2025
09:26 AM
Hello looking for way to create an alert based off the difference between times and only execute if the time is greater than or equal to x mins. Code: index=net* sourcetype=pan:*
action="blocked" OR action="failure"
|stats count min(_time) as firstTime
max(_time) as lastTime
by src_ip,dest,dest_port,rule,tag,log_subtype,transport |where count >= 10
|eval diff=lastTime-firstTime
```|eval diff=strftime(diff, "%d %H:%M:%S") ```
|eval diff=strftime(diff, "%M:%S")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` Regards,
... View more
Labels
- Labels:
-
eval
08-08-2025
08:07 AM
1 Karma
Disabled the evt_resolve_ad_obj = 0 in Splunk_TA_windows app , logs have now ceased.
... View more
08-08-2025
05:36 AM
We upgraded from 9.4.3 to 10.0 and now all the splunk forwarders are crashing because of the splunk-winevtlog service. How can I fix this? is there a fix? Is anyone else experiencing these issues? I have had to disable all splunk instances because the service is a memory leak.
... View more
Labels
- Labels:
-
administration
-
installation
08-06-2025
05:08 AM
Thanks for the reply , yes I do get counts by time, but how can I can just VPN data that has a signature="WebVPN" and action="failure" ?
... View more
08-05-2025
06:12 PM
Query: | tstats count from datamodel=Network_Sessions.All_Sessions where nodename=All_Sessions.VPN action=failure vpn.signature="WebVPN" by _time span=1h I'm not understanding something with this datamodel but my output is always 0 but when I look at in pivot table I can see data from it.
... View more
- Tags:
- Network_Sessions
Labels
- Labels:
-
other
-
using Splunk Enterprise
07-29-2025
02:11 PM
Thanks for the info, yes I have gone through ESCU and the Detections on the Splunk page. Looks like I'm going to have to create my own detections I guess, if I have something solid I will contribute for sure. Thanks again for replying.
... View more
07-29-2025
12:59 PM
Same , I see that there are missing models also. When I event went to the ONNX github I still can't find the models that the splunk query is using for the mltk. ``` | tstats `summariesonly` dc(All_Traffic.src) as src_count,count as total_count from datamodel=Network_Traffic.All_Traffic | apply app:network_traffic_src_count_30m [|`get_qualitative_upper_threshold(extreme)`] | apply app:network_traffic_count_30m [|`get_qualitative_upper_threshold(extreme)`] | search "IsOutlier(src_count)"=1 OR "IsOutlier(total_count)"=1 ``` Where is this located ?
... View more
07-29-2025
10:23 AM
Hello, I see there are lots of Cisco event based detections and not many palo alto or checkpoint (fw, ids/ips, threats) events. Is everyone just creating their own event based detections for these two vendors? I do have all the TA apps installed and connectors for both vendors. Just not seeing any event based detections that have already been setup.
... View more
- Tags:
- checkpoint
- Palo Alto
Labels
- Labels:
-
using Enterprise Security
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
4m ago
|
