Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About maheshnc
maheshnc
Path Finder
Member since:
09-08-2025
Thursday
Community Statistics
| Posts | 37 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 09-08-2025 |
Activity Feed
- Posted Re: ADAudit plus integration with Splunk Enterprise on All Apps and Add-ons. Thursday
- Posted Re: o365 add-on upgrade on Getting Data In. 01-02-2026 03:12 AM
- Posted Re: o365 add-on upgrade on Getting Data In. 01-02-2026 02:41 AM
- Posted o365 add-on upgrade on Getting Data In. 12-28-2025 10:37 PM
- Posted Re: HEC Endpoint on Getting Data In. 11-18-2025 02:06 AM
- Posted Re: Email alert not triggering on Splunk Enterprise Security. 11-17-2025 03:58 AM
- Posted Email alerts not triggering on Monitoring Splunk. 11-13-2025 12:53 AM
- Posted Email alert not triggering on Splunk Enterprise Security. 11-12-2025 04:49 AM
- Posted Re: correlation search not triggering on Splunk Enterprise. 11-05-2025 11:28 PM
- Posted correlation search not triggering on Splunk Enterprise. 11-05-2025 04:12 AM
- Posted Re: Splunk Upgrade on Splunk Enterprise. 11-02-2025 10:24 PM
- Posted Re: Splunk Upgrade on Splunk Enterprise. 11-02-2025 01:02 AM
- Posted Re: Splunk Upgrade on Splunk Enterprise. 11-02-2025 01:25 AM
- Posted Splunk Upgrade on Splunk Enterprise. 11-01-2025 09:26 AM
- Posted Re: JSON field extraction on Getting Data In. 10-27-2025 05:12 AM
- Posted Re: JSON field extraction on Getting Data In. 10-14-2025 11:31 PM
- Posted Re: JSON field extraction on Getting Data In. 10-14-2025 11:30 PM
- Posted JSON field extraction on Getting Data In. 10-14-2025 05:41 AM
- Posted Re: How to integrate Service Desk Plus with Splunk ES on Splunk Enterprise Security. 10-07-2025 05:40 AM
- Posted Re: Universal Forwarder installation on remote host on Getting Data In. 10-06-2025 03:27 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-28-2025
10:37 PM
Hello, I need to upgrade the o365 add-On to the latest version on both the search head and the heavy forwarder, can someone guide me the upgrade process, like how can I upgrade and if need to take any backups etc? thanks in advance.
... View more
Labels
11-18-2025
02:06 AM
We are having an indexer cluster (2 nodes and 1 CM) in this case do need to create HEC token on both the indexers?
... View more
11-13-2025
12:53 AM
Hello, we have a DMC configured on Splunk Licence Master; I need to enable all the critical resource utilization alerts on DMC and send email notifications. I have configured the server setting under settings>server setting>Email settings and set up the same configurations as on our search head (which is successfuly generating email notifications) but the thing is, alerts are triggering but I am not receiving any email notifications. can somebody help me to figure out the root cause? Note: Network connectivity established between mail server and LM server
... View more
Labels
- Labels:
-
monitoring console
-
scheduler activity
11-12-2025
04:49 AM
Hello, we have a DMC configured on Splunk Licence Master, I need to enable all the critical resource utilization alerts on DMC and send email notifications. I have configured the server setting under settings>server setting>Email settings and set up the same configurations as on our search head (which is successfuly generating email notifications) but the thing is, alerts are triggering but but I am not receiving any email notifications. can somebody help me to figure out the root cause? Note: Network connectivity established between mail server and LM server.
... View more
Labels
- Labels:
-
troubleshooting
11-05-2025
11:28 PM
This is where it is creating confusing for me, I am not sure how it is happening, however to answer your query, I am using the same time period in CS as in the search and reporting and not throttling is enabled.
... View more
11-05-2025
04:12 AM
I am running a spl query as below index=o365 app=AzureActiveDirectory operation=UserLoggedIn | iplocation ClientIP | search Country!="United Arab Emirates" user!="Not Available" | table _time user ClientIP City Country app action signature src_ip user_agent | sort -_time this query is fetching results when run in search and reporting app, but when I am using the same query to create a correlation it is not triggering any alert/notable (no events are populated) again if I copy paste the same query in Search and reporting it is not working, but when I keep addding one by one fileds to build same query, it is starts giving results, this is very strange behaviour, can somebody explain this?
... View more
Labels
- Labels:
-
using Splunk Enterprise
11-02-2025
10:24 PM
Could you please walk me through the backups needs to be taken/mandatory
... View more
11-02-2025
01:02 AM
Could you let me know about the version compatibility for various instances, I mean can we indexers, search heads and Heavy forwarders with different versions or should they have the same version?
... View more
11-02-2025
01:25 AM
what should be sequence for upgrading? could you suggest the precautions to be taken which may overcome the risk as I am doing this upgrade for the first time.
... View more
11-01-2025
09:26 AM
I am new as splunk administrator here in the company. we are using Splunk enterprise and the current version is 9.2.4, and as per splunk document this version is supported until Jan 31 2026, can somebody guide me on version upgrade, and also which version should we upgrade? Also, I am not sure about the risk in upgrading the version, please provide your suggestions.
... View more
Labels
- Labels:
-
upgrade
10-27-2025
05:12 AM
I need to have index time field extraction for all the field values under Data field, is it feasible?
... View more
10-14-2025
11:31 PM
{"CreationTime": "2025-10-02T04:10:15", "Id": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "Operation": "AirInvestigationData", "OrganizationId": "5d1aa650-d7e1-4ec2-a6a9-a05372d7b650", "RecordType": 64, "UserKey": "AirInvestigation", "UserType": 4, "Version": 1, "Workload": "AirInvestigation", "ObjectId": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "UserId": "AirInvestigation", "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"a74bb32a-541b-47fb-adfd-f8c62ce3d59b\",\"StartTimeUtc\":\"2025-10-02T04:07:04Z\",\"EndTimeUtc\":\"2025-10-02T04:07:04Z\",\"TimeGenerated\":\"2025-10-02T04:06:49.8033333Z\",\"ProcessingEndTime\":\"2025-10-02T04:10:12.5202208Z\",\"Status\":\"InProgress\",\"Severity\":\"High\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"SystemAlertId\":null,\"CorrelationKey\":\"6e7623bc-7a41-4f6e-91a3-c2367804f4a1\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"5d1aa650-d7e1-4ec2-a6a9-a05372d7b650\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"A potentially malicious URL click was detected\",\"Description\":\"We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fa0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"MailboxPrimaryAddress\":\"scott.williams@admn.ae\",\"Upn\":\"Scott.Williams@admn.ae\",\"AadId\":\"eec44b61-469e-46d6-a72b-c1fcc375c01d\",\"RiskLevel\":\"Low\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:b9f719512efa348dd7b60bd026c92e29\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"4\",\"Url\":\"https://i.comfortcarevetlangley.com/quantum.php\",\"Type\":\"url\",\"Urn\":\"urn:UrlEntity:0b1c1bfdf1d7ed76331e9f02ee505be4\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"5\",\"Recipient\":\"scott.williams@admn.ae\",\"Urls\":[\"https://i.comfortcarevetlangley.com/quantum.php\",\"https://click.e.usa.experian.com/open.aspx?ffcb10-fe9211767260007c77-fe22127577600375751d74-fe9613737763057e77-ff001574776701-fdff15737c60077d74167272-fefb1774706503&d=70242&bmt=0\",\"https://image.e.usa.experian.com/lib/fe9613737763057e77/m/1/85d3688a-7218-45ea-a1b7-9600e974a0db.png\"],\"Sender\":\"noreply@act.ac\",\"P1Sender\":\"010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com\",\"P1SenderDomain\":\"us-east-2.amazonses.com\",\"SenderIP\":\"23.251.226.53\",\"P2Sender\":\"noreply@act.ac\",\"P2SenderDomain\":\"act.ac\",\"ReceivedDate\":\"2025-10-02T02:59:54Z\",\"NetworkMessageId\":\"23db9343-0607-4d81-c214-08de015fc0d4\",\"InternetMessageId\":\"<010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com>\",\"Subject\":\"6882 Admedia365 EReview Doc October 01, 2025 07:59 PM\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"Language\":\"en\",\"DeliveryLocation\":\"Inbox\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:2e89684d4c0ba4dd116578d7ccca7cd5\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"}],\"LogCreationTime\":\"2025-10-02T04:10:12.5202208Z\",\"MachineName\":\"AU2ARE01BG404\",\"SourceTemplateType\":\"MaliciousUrlClick_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "EndTimeUtc": "0001-01-01T00:00:00", "InvestigationId": "urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "InvestigationName": "Clicked url Verdict changed to malicious - https://i.comfortcarevetlangley.com/quantum.php", "InvestigationType": "UrlVerdictChangeInvestigation", "LastUpdateTimeUtc": "2025-10-02T04:07:04", "StartTimeUtc": "2025-10-02T04:10:12", "Status": "Investigation Started"} So basically it is a nested JSON and I need to extract fields from "Data" field.
... View more
10-14-2025
11:30 PM
{"CreationTime": "2025-10-02T04:10:15", "Id": "124147e3-6c47-46ca-8f77-6fd0b9aa9e99", "Operation": "AirInvestigationData", "OrganizationId": "5d1aa650-d7e1-4ec2-a6a9-a05372d7b650", "RecordType": 64, "UserKey": "AirInvestigation", "UserType": 4, "Version": 1, "Workload": "AirInvestigation", "ObjectId": "124147e3-6c47-46ca-8f77-6fd0b9aa9e99", "UserId": "AirInvestigation", "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\",\"StartTimeUtc\":\"2025-10-02T04:08:23Z\",\"EndTimeUtc\":\"2025-10-02T04:08:23Z\",\"TimeGenerated\":\"2025-10-02T04:06:28.27Z\",\"ProcessingEndTime\":\"2025-10-02T04:10:14.0666959Z\",\"Status\":\"InProgress\",\"DetectionTechnology\":\"URLList\",\"Severity\":\"Informational\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"fcc7e7f8-3630-61d7-be00-08de0168db42\",\"SystemAlertId\":null,\"CorrelationKey\":\"034549ac-35ef-481e-928d-da3d07eed36f\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"5d1aa650-d7e1-4ec2-a6a9-a05372d7b650\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"Email messages containing malicious URL removed after delivery\u200b\",\"Description\":\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fafcc7e7f8-3630-61d7-be00-08de0168db42\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"MailboxPrimaryAddress\":\"aahmed@alittihad.ae\",\"Upn\":\"aahmed@alittihad.ae\",\"AadId\":\"9cd9a955-3f6e-42c9-9e5b-73da88078866\",\"RiskLevel\":\"None\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:a8c90e3cbe8d52a9d1414f4c11865be6\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"4\",\"Recipient\":\"aahmed@alittihad.ae\",\"Urls\":[\"https://i.comfortcarevetlangley.com/quantum.php\",\"https://click.e.usa.experian.com/open.aspx?ffcb10-fe9211767260007c77-fe22127577600375751d74-fe9613737763057e77-ff001574776701-fdff15737c60077d74167272-fefb1774706503&d=70242&bmt=0\",\"https://image.e.usa.experian.com/lib/fe9613737763057e77/m/1/85d3688a-7218-45ea-a1b7-9600e974a0db.png\"],\"Sender\":\"noreply@act.ac\",\"P1Sender\":\"010f0199a2db62bb-836f5593-9d4e-494d-b0c2-90fc9a020d40-000000@us-east-2.amazonses.com\",\"P1SenderDomain\":\"us-east-2.amazonses.com\",\"SenderIP\":\"23.251.226.55\",\"P2Sender\":\"noreply@act.ac\",\"P2SenderDomain\":\"act.ac\",\"ReceivedDate\":\"2025-10-02T02:58:38Z\",\"NetworkMessageId\":\"39621bc0-bd8d-4bae-0da9-08de015f92df\",\"InternetMessageId\":\"<010f0199a2db62bb-836f5593-9d4e-494d-b0c2-90fc9a020d40-000000@us-east-2.amazonses.com>\",\"Subject\":\"8852 Admedia365 EReview Doc October 01, 2025 07:58 PM\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"Language\":\"en\",\"DeliveryLocation\":\"Inbox\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:73fd77bf162599990938f1595fed86d4\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"5\",\"Url\":\"https://i.comfortcarevetlangley.com/quantum.php\",\"Type\":\"url\",\"ClickCount\":11,\"EmailCount\":138,\"Urn\":\"urn:UrlEntity:9310164f200b0089953572b3a2e835e7\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"}],\"LogCreationTime\":\"2025-10-02T04:10:14.0666959Z\",\"MachineName\":\"AU2ARE01BG404\",\"SourceTemplateType\":\"Threat_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211", "EndTimeUtc": "0001-01-01T00:00:00", "InvestigationId": "urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211", "InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211", "InvestigationType": "ZappedUrlInvestigation", "LastUpdateTimeUtc": "2025-10-02T04:07:03", "StartTimeUtc": "2025-10-02T04:10:14", "Status": "Investigation Started"} {"CreationTime": "2025-10-02T04:10:15", "Id": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "Operation": "AirInvestigationData", "OrganizationId": "5d1aa650-d7e1-4ec2-a6a9-a05372d7b650", "RecordType": 64, "UserKey": "AirInvestigation", "UserType": 4, "Version": 1, "Workload": "AirInvestigation", "ObjectId": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "UserId": "AirInvestigation", "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"a74bb32a-541b-47fb-adfd-f8c62ce3d59b\",\"StartTimeUtc\":\"2025-10-02T04:07:04Z\",\"EndTimeUtc\":\"2025-10-02T04:07:04Z\",\"TimeGenerated\":\"2025-10-02T04:06:49.8033333Z\",\"ProcessingEndTime\":\"2025-10-02T04:10:12.5202208Z\",\"Status\":\"InProgress\",\"Severity\":\"High\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"SystemAlertId\":null,\"CorrelationKey\":\"6e7623bc-7a41-4f6e-91a3-c2367804f4a1\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"5d1aa650-d7e1-4ec2-a6a9-a05372d7b650\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"A potentially malicious URL click was detected\",\"Description\":\"We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fa0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"MailboxPrimaryAddress\":\"scott.williams@admn.ae\",\"Upn\":\"Scott.Williams@admn.ae\",\"AadId\":\"eec44b61-469e-46d6-a72b-c1fcc375c01d\",\"RiskLevel\":\"Low\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:b9f719512efa348dd7b60bd026c92e29\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"4\",\"Url\":\"https://i.comfortcarevetlangley.com/quantum.php\",\"Type\":\"url\",\"Urn\":\"urn:UrlEntity:0b1c1bfdf1d7ed76331e9f02ee505be4\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"5\",\"Recipient\":\"scott.williams@admn.ae\",\"Urls\":[\"https://i.comfortcarevetlangley.com/quantum.php\",\"https://click.e.usa.experian.com/open.aspx?ffcb10-fe9211767260007c77-fe22127577600375751d74-fe9613737763057e77-ff001574776701-fdff15737c60077d74167272-fefb1774706503&d=70242&bmt=0\",\"https://image.e.usa.experian.com/lib/fe9613737763057e77/m/1/85d3688a-7218-45ea-a1b7-9600e974a0db.png\"],\"Sender\":\"noreply@act.ac\",\"P1Sender\":\"010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com\",\"P1SenderDomain\":\"us-east-2.amazonses.com\",\"SenderIP\":\"23.251.226.53\",\"P2Sender\":\"noreply@act.ac\",\"P2SenderDomain\":\"act.ac\",\"ReceivedDate\":\"2025-10-02T02:59:54Z\",\"NetworkMessageId\":\"23db9343-0607-4d81-c214-08de015fc0d4\",\"InternetMessageId\":\"<010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com>\",\"Subject\":\"6882 Admedia365 EReview Doc October 01, 2025 07:59 PM\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"Language\":\"en\",\"DeliveryLocation\":\"Inbox\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:2e89684d4c0ba4dd116578d7ccca7cd5\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"}],\"LogCreationTime\":\"2025-10-02T04:10:12.5202208Z\",\"MachineName\":\"AU2ARE01BG404\",\"SourceTemplateType\":\"MaliciousUrlClick_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "EndTimeUtc": "0001-01-01T00:00:00", "InvestigationId": "urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "InvestigationName": "Clicked url Verdict changed to malicious - https://i.comfortcarevetlangley.com/quantum.php", "InvestigationType": "UrlVerdictChangeInvestigation", "LastUpdateTimeUtc": "2025-10-02T04:07:04", "StartTimeUtc": "2025-10-02T04:10:12", "Status": "Investigation Started"} Basically it is a nested JSON and I want to extract fields from "Data" field which itself forms a JSON object
... View more
10-14-2025
05:41 AM
We are ingesting a nested JSON payload in Splunk and want to extract specific fields (like AlertDIsplayName, Description, SenderIP etc) how can I do this as Splunk's Field Extractor is not working in this case.
... View more
Labels
- Labels:
-
sourcetype
10-07-2025
05:40 AM
What should be content of Payload schema?
... View more
10-06-2025
03:27 AM
So, in this case, can I download the installer and upload it to the onedrive and then ask Application team to copy it to the remote server and install, once installed then configure the inputs.conf, outputs.conf and deploymentclient.conf?
... View more
10-04-2025
02:35 AM
I need to install it on few number of servers, could you please explain what steps I need to follow to get it installed with the help of server team manually for windows and linux machine?
... View more
10-04-2025
02:08 AM
We need to install UF on remote application servers (linux/windows) but as a splunk admin, I don't have direct access (ssh/rdp) to these servers, in such case how can I proceed with UF installation on these servers? Also, how to decide UF version to be installed on these servers?
... View more
Labels
- Labels:
-
universal forwarder
09-26-2025
05:02 AM
I need to integrate Dell Switches with Splunk using syslog-ng which is installed on, On-Prem HF, what are the prerequisites/configurations need to be done on the switch to forward logs to syslog-ng? Thanks in Advance.
... View more
Labels
- Labels:
-
intermediate forwarder
09-25-2025
04:22 AM
I need to onboard CISCO IOS switch logs with splunk, we have a syslog-ng installed on HF, could somebody explain the exact configurations to be made in syslog-ng.conf? Thanks in Advance
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
