×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
maheshnc
Path Finder
Member since: ‎09-08-2025
‎03-12-2026
Community Statistics
Posts 38
Solutions 1
Karma Given 1
Karma Received 0
Member Since ‎09-08-2025
Activity Feed
Topics I've Started
View All

Transilience AI threat intel feed integration

by in Getting Data In
‎03-11-2026 05:10 AM
‎03-11-2026 05:10 AM
Hello All, we need to integrate threat intel feeds from transilience ai, I have never worked on such treat feed integrations, can somebody guide me what prerequisites do I need to have and how can I configure it? Thanks in advance ... View more
Labels

Re: ADAudit plus integration with Splunk Enterpris...

by in All Apps and Add-ons
‎03-05-2026 02:03 AM
‎03-05-2026 02:03 AM
Hi, Have you got resolution? ... View more

Re: o365 add-on upgrade

by in Getting Data In
‎01-02-2026 03:12 AM
‎01-02-2026 03:12 AM
Okay, Thank you! ... View more

Re: o365 add-on upgrade

by in Getting Data In
‎01-02-2026 02:41 AM
‎01-02-2026 02:41 AM
Hello gcusello, Currently it is 4.6.0 version ... View more

o365 add-on upgrade

by in Getting Data In
‎12-28-2025 10:37 PM
‎12-28-2025 10:37 PM
Hello, I need to upgrade the o365 add-On to the latest version on both the search head and the heavy forwarder, can someone guide me the upgrade process, like how can I upgrade and if need to take any backups etc? thanks in advance. ... View more

Re: HEC Endpoint

by in Getting Data In
‎11-18-2025 02:06 AM
‎11-18-2025 02:06 AM
We are having an indexer cluster (2 nodes and 1 CM) in this case do need to create HEC token on both the indexers?   ... View more

Re: Email alert not triggering

by in Splunk Enterprise Security
‎11-17-2025 03:58 AM
‎11-17-2025 03:58 AM
Getting this error, not sure why ... View more

Email alerts not triggering

by in Monitoring Splunk
‎11-13-2025 12:53 AM
‎11-13-2025 12:53 AM
  Hello, we have a DMC configured on Splunk Licence Master; I need to enable all the critical resource utilization alerts on DMC and send email notifications. I have configured the server setting under settings>server setting>Email settings and set up the same configurations as on our search head (which is successfuly generating email notifications) but the thing is, alerts are triggering but I am not receiving any email notifications. can somebody help me to figure out the root cause? Note: Network connectivity established between mail server and LM server ... View more

Email alert not triggering

by in Splunk Enterprise Security
‎11-12-2025 04:49 AM
‎11-12-2025 04:49 AM
Hello, we have a DMC configured on Splunk Licence Master, I need to enable all the critical resource utilization alerts on DMC and send email notifications. I have configured the server setting under settings>server setting>Email settings and set up the same configurations as on our search head (which is successfuly generating email notifications) but the thing is, alerts are triggering but but I am not receiving any email notifications. can somebody help me to figure out the root cause? Note: Network connectivity established between mail server and LM server. ... View more
Labels

Re: correlation search not triggering

by in Splunk Enterprise
‎11-05-2025 11:28 PM
‎11-05-2025 11:28 PM
This is where it is creating confusing for me,  I am not sure how it is happening, however to answer your query, I am using the same time period in CS as in the search and reporting and not throttling is enabled. ... View more

correlation search not triggering

by in Splunk Enterprise
‎11-05-2025 04:12 AM
‎11-05-2025 04:12 AM
 I am running a spl query as below index=o365 app=AzureActiveDirectory operation=UserLoggedIn | iplocation ClientIP | search Country!="United Arab Emirates" user!="Not Available" | table _time user ClientIP City Country app action signature src_ip user_agent | sort -_time this query is fetching results when run in search and reporting app, but when I am using the same query to create a correlation it is not triggering any alert/notable (no events are populated) again if I copy paste the same query in Search and reporting it is not working, but when I keep addding one by one fileds to build same query, it is starts giving results, this is very strange behaviour, can somebody explain this? ... View more
Labels

Re: Splunk Upgrade

by in Splunk Enterprise
‎11-02-2025 10:24 PM
‎11-02-2025 10:24 PM
Could you please walk me through the backups needs to be taken/mandatory ... View more

Re: Splunk Upgrade

by in Splunk Enterprise
‎11-02-2025 01:02 AM
‎11-02-2025 01:02 AM
Could you let me know about the version compatibility for various instances, I mean can we indexers, search heads and Heavy forwarders with different versions or should they have the same version? ... View more

Re: Splunk Upgrade

by in Splunk Enterprise
‎11-02-2025 01:25 AM
‎11-02-2025 01:25 AM
what should be sequence for upgrading? could you suggest the precautions to be taken which may overcome the risk as I am doing this upgrade for the first time. ... View more

Splunk Upgrade

by in Splunk Enterprise
‎11-01-2025 09:26 AM
‎11-01-2025 09:26 AM
I am new as splunk administrator here in the company.  we are using Splunk enterprise and the current version is 9.2.4, and as per splunk document this version is supported until Jan 31 2026, can somebody guide me on  version upgrade, and also which version should we upgrade? Also, I am not sure about the risk in upgrading the version, please provide your suggestions. ... View more
Labels

Re: JSON field extraction

by in Getting Data In
‎10-27-2025 05:12 AM
‎10-27-2025 05:12 AM
I need to have index time field extraction for all the field values under Data field, is it feasible? ... View more

Re: JSON field extraction

by in Getting Data In
‎10-14-2025 11:31 PM
‎10-14-2025 11:31 PM
{"CreationTime": "2025-10-02T04:10:15", "Id": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "Operation": "AirInvestigationData", "OrganizationId": "5d1aa650-d7e1-4ec2-a6a9-a05372d7b650", "RecordType": 64, "UserKey": "AirInvestigation", "UserType": 4, "Version": 1, "Workload": "AirInvestigation", "ObjectId": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "UserId": "AirInvestigation", "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"a74bb32a-541b-47fb-adfd-f8c62ce3d59b\",\"StartTimeUtc\":\"2025-10-02T04:07:04Z\",\"EndTimeUtc\":\"2025-10-02T04:07:04Z\",\"TimeGenerated\":\"2025-10-02T04:06:49.8033333Z\",\"ProcessingEndTime\":\"2025-10-02T04:10:12.5202208Z\",\"Status\":\"InProgress\",\"Severity\":\"High\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"SystemAlertId\":null,\"CorrelationKey\":\"6e7623bc-7a41-4f6e-91a3-c2367804f4a1\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"5d1aa650-d7e1-4ec2-a6a9-a05372d7b650\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"A potentially malicious URL click was detected\",\"Description\":\"We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fa0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"MailboxPrimaryAddress\":\"scott.williams@admn.ae\",\"Upn\":\"Scott.Williams@admn.ae\",\"AadId\":\"eec44b61-469e-46d6-a72b-c1fcc375c01d\",\"RiskLevel\":\"Low\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:b9f719512efa348dd7b60bd026c92e29\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"4\",\"Url\":\"https://i.comfortcarevetlangley.com/quantum.php\",\"Type\":\"url\",\"Urn\":\"urn:UrlEntity:0b1c1bfdf1d7ed76331e9f02ee505be4\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"5\",\"Recipient\":\"scott.williams@admn.ae\",\"Urls\":[\"https://i.comfortcarevetlangley.com/quantum.php\",\"https://click.e.usa.experian.com/open.aspx?ffcb10-fe9211767260007c77-fe22127577600375751d74-fe9613737763057e77-ff001574776701-fdff15737c60077d74167272-fefb1774706503&d=70242&bmt=0\",\"https://image.e.usa.experian.com/lib/fe9613737763057e77/m/1/85d3688a-7218-45ea-a1b7-9600e974a0db.png\"],\"Sender\":\"noreply@act.ac\",\"P1Sender\":\"010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com\",\"P1SenderDomain\":\"us-east-2.amazonses.com\",\"SenderIP\":\"23.251.226.53\",\"P2Sender\":\"noreply@act.ac\",\"P2SenderDomain\":\"act.ac\",\"ReceivedDate\":\"2025-10-02T02:59:54Z\",\"NetworkMessageId\":\"23db9343-0607-4d81-c214-08de015fc0d4\",\"InternetMessageId\":\"<010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com>\",\"Subject\":\"6882 Admedia365 EReview Doc October 01, 2025 07:59 PM\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"Language\":\"en\",\"DeliveryLocation\":\"Inbox\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:2e89684d4c0ba4dd116578d7ccca7cd5\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"}],\"LogCreationTime\":\"2025-10-02T04:10:12.5202208Z\",\"MachineName\":\"AU2ARE01BG404\",\"SourceTemplateType\":\"MaliciousUrlClick_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "EndTimeUtc": "0001-01-01T00:00:00", "InvestigationId": "urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "InvestigationName": "Clicked url Verdict changed to malicious - https://i.comfortcarevetlangley.com/quantum.php", "InvestigationType": "UrlVerdictChangeInvestigation", "LastUpdateTimeUtc": "2025-10-02T04:07:04", "StartTimeUtc": "2025-10-02T04:10:12", "Status": "Investigation Started"}   So basically it is a nested JSON and I need to extract fields from "Data" field.  ... View more

Re: JSON field extraction

by in Getting Data In
‎10-14-2025 11:30 PM
‎10-14-2025 11:30 PM
{"CreationTime": "2025-10-02T04:10:15", "Id": "124147e3-6c47-46ca-8f77-6fd0b9aa9e99", "Operation": "AirInvestigationData", "OrganizationId": "5d1aa650-d7e1-4ec2-a6a9-a05372d7b650", "RecordType": 64, "UserKey": "AirInvestigation", "UserType": 4, "Version": 1, "Workload": "AirInvestigation", "ObjectId": "124147e3-6c47-46ca-8f77-6fd0b9aa9e99", "UserId": "AirInvestigation", "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\",\"StartTimeUtc\":\"2025-10-02T04:08:23Z\",\"EndTimeUtc\":\"2025-10-02T04:08:23Z\",\"TimeGenerated\":\"2025-10-02T04:06:28.27Z\",\"ProcessingEndTime\":\"2025-10-02T04:10:14.0666959Z\",\"Status\":\"InProgress\",\"DetectionTechnology\":\"URLList\",\"Severity\":\"Informational\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"fcc7e7f8-3630-61d7-be00-08de0168db42\",\"SystemAlertId\":null,\"CorrelationKey\":\"034549ac-35ef-481e-928d-da3d07eed36f\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"5d1aa650-d7e1-4ec2-a6a9-a05372d7b650\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"Email messages containing malicious URL removed after delivery\u200b\",\"Description\":\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fafcc7e7f8-3630-61d7-be00-08de0168db42\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"MailboxPrimaryAddress\":\"aahmed@alittihad.ae\",\"Upn\":\"aahmed@alittihad.ae\",\"AadId\":\"9cd9a955-3f6e-42c9-9e5b-73da88078866\",\"RiskLevel\":\"None\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:a8c90e3cbe8d52a9d1414f4c11865be6\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"4\",\"Recipient\":\"aahmed@alittihad.ae\",\"Urls\":[\"https://i.comfortcarevetlangley.com/quantum.php\",\"https://click.e.usa.experian.com/open.aspx?ffcb10-fe9211767260007c77-fe22127577600375751d74-fe9613737763057e77-ff001574776701-fdff15737c60077d74167272-fefb1774706503&d=70242&bmt=0\",\"https://image.e.usa.experian.com/lib/fe9613737763057e77/m/1/85d3688a-7218-45ea-a1b7-9600e974a0db.png\"],\"Sender\":\"noreply@act.ac\",\"P1Sender\":\"010f0199a2db62bb-836f5593-9d4e-494d-b0c2-90fc9a020d40-000000@us-east-2.amazonses.com\",\"P1SenderDomain\":\"us-east-2.amazonses.com\",\"SenderIP\":\"23.251.226.55\",\"P2Sender\":\"noreply@act.ac\",\"P2SenderDomain\":\"act.ac\",\"ReceivedDate\":\"2025-10-02T02:58:38Z\",\"NetworkMessageId\":\"39621bc0-bd8d-4bae-0da9-08de015f92df\",\"InternetMessageId\":\"<010f0199a2db62bb-836f5593-9d4e-494d-b0c2-90fc9a020d40-000000@us-east-2.amazonses.com>\",\"Subject\":\"8852 Admedia365 EReview Doc October 01, 2025 07:58 PM\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"Language\":\"en\",\"DeliveryLocation\":\"Inbox\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:73fd77bf162599990938f1595fed86d4\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"5\",\"Url\":\"https://i.comfortcarevetlangley.com/quantum.php\",\"Type\":\"url\",\"ClickCount\":11,\"EmailCount\":138,\"Urn\":\"urn:UrlEntity:9310164f200b0089953572b3a2e835e7\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"}],\"LogCreationTime\":\"2025-10-02T04:10:14.0666959Z\",\"MachineName\":\"AU2ARE01BG404\",\"SourceTemplateType\":\"Threat_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211", "EndTimeUtc": "0001-01-01T00:00:00", "InvestigationId": "urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211", "InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:b7485c2295ebf76b97b2cee80d063211", "InvestigationType": "ZappedUrlInvestigation", "LastUpdateTimeUtc": "2025-10-02T04:07:03", "StartTimeUtc": "2025-10-02T04:10:14", "Status": "Investigation Started"} {"CreationTime": "2025-10-02T04:10:15", "Id": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "Operation": "AirInvestigationData", "OrganizationId": "5d1aa650-d7e1-4ec2-a6a9-a05372d7b650", "RecordType": 64, "UserKey": "AirInvestigation", "UserType": 4, "Version": 1, "Workload": "AirInvestigation", "ObjectId": "a55abd1d-c02a-44d1-b990-bcee7aae4ca2", "UserId": "AirInvestigation", "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"a74bb32a-541b-47fb-adfd-f8c62ce3d59b\",\"StartTimeUtc\":\"2025-10-02T04:07:04Z\",\"EndTimeUtc\":\"2025-10-02T04:07:04Z\",\"TimeGenerated\":\"2025-10-02T04:06:49.8033333Z\",\"ProcessingEndTime\":\"2025-10-02T04:10:12.5202208Z\",\"Status\":\"InProgress\",\"Severity\":\"High\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"SystemAlertId\":null,\"CorrelationKey\":\"6e7623bc-7a41-4f6e-91a3-c2367804f4a1\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"5d1aa650-d7e1-4ec2-a6a9-a05372d7b650\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"A potentially malicious URL click was detected\",\"Description\":\"We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fa0bc5bc5d-1c4b-67d2-be00-08de0168db42\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"MailboxPrimaryAddress\":\"scott.williams@admn.ae\",\"Upn\":\"Scott.Williams@admn.ae\",\"AadId\":\"eec44b61-469e-46d6-a72b-c1fcc375c01d\",\"RiskLevel\":\"Low\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:b9f719512efa348dd7b60bd026c92e29\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"4\",\"Url\":\"https://i.comfortcarevetlangley.com/quantum.php\",\"Type\":\"url\",\"Urn\":\"urn:UrlEntity:0b1c1bfdf1d7ed76331e9f02ee505be4\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"},{\"$id\":\"5\",\"Recipient\":\"scott.williams@admn.ae\",\"Urls\":[\"https://i.comfortcarevetlangley.com/quantum.php\",\"https://click.e.usa.experian.com/open.aspx?ffcb10-fe9211767260007c77-fe22127577600375751d74-fe9613737763057e77-ff001574776701-fdff15737c60077d74167272-fefb1774706503&d=70242&bmt=0\",\"https://image.e.usa.experian.com/lib/fe9613737763057e77/m/1/85d3688a-7218-45ea-a1b7-9600e974a0db.png\"],\"Sender\":\"noreply@act.ac\",\"P1Sender\":\"010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com\",\"P1SenderDomain\":\"us-east-2.amazonses.com\",\"SenderIP\":\"23.251.226.53\",\"P2Sender\":\"noreply@act.ac\",\"P2SenderDomain\":\"act.ac\",\"ReceivedDate\":\"2025-10-02T02:59:54Z\",\"NetworkMessageId\":\"23db9343-0607-4d81-c214-08de015fc0d4\",\"InternetMessageId\":\"<010f0199a2dc906b-4d795411-add7-45a0-a955-5e0c53bc97a2-000000@us-east-2.amazonses.com>\",\"Subject\":\"6882 Admedia365 EReview Doc October 01, 2025 07:59 PM\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"Language\":\"en\",\"DeliveryLocation\":\"Inbox\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:2e89684d4c0ba4dd116578d7ccca7cd5\",\"Source\":\"OATP\",\"FirstSeen\":\"0001-01-01T00:00:00\"}],\"LogCreationTime\":\"2025-10-02T04:10:12.5202208Z\",\"MachineName\":\"AU2ARE01BG404\",\"SourceTemplateType\":\"MaliciousUrlClick_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "EndTimeUtc": "0001-01-01T00:00:00", "InvestigationId": "urn:UrlVerdictChangeInvestig:a050537f9fe60b72448a98022810d2f4", "InvestigationName": "Clicked url Verdict changed to malicious - https://i.comfortcarevetlangley.com/quantum.php", "InvestigationType": "UrlVerdictChangeInvestigation", "LastUpdateTimeUtc": "2025-10-02T04:07:04", "StartTimeUtc": "2025-10-02T04:10:12", "Status": "Investigation Started"} Basically it is a nested JSON and I want to extract fields from "Data" field which itself forms a JSON object ... View more

JSON field extraction

by in Getting Data In
‎10-14-2025 05:41 AM
‎10-14-2025 05:41 AM
We are ingesting a nested JSON payload in Splunk and want to extract specific fields (like AlertDIsplayName, Description, SenderIP etc) how can I do this as Splunk's Field Extractor is not working in this case.     ... View more
Labels

Re: How to integrate Service Desk Plus with Splunk...

by in Splunk Enterprise Security
‎10-07-2025 05:40 AM
‎10-07-2025 05:40 AM
What should be content of Payload schema? ... View more

Re: Universal Forwarder installation on remote hos...

by in Getting Data In
‎10-06-2025 03:27 AM
‎10-06-2025 03:27 AM
So, in this case, can I download the installer and upload it to the onedrive and then ask Application team to copy it to the remote server and install, once installed then configure the inputs.conf, outputs.conf and deploymentclient.conf? ... View more

Re: Universal Forwarder installation on remote hos...

by in Getting Data In
‎10-04-2025 02:35 AM
‎10-04-2025 02:35 AM
I need to install it on few number of servers, could you please explain what steps I need to follow to get it installed with the help of server team manually for windows and linux machine?     ... View more

Universal Forwarder installation on remote host

by in Getting Data In
‎10-04-2025 02:08 AM
‎10-04-2025 02:08 AM
We need to install UF on remote application servers (linux/windows) but as a splunk admin, I don't have direct access (ssh/rdp) to these servers, in such case how can I proceed with UF installation on these servers? Also, how to decide UF version to be installed on these servers? ... View more
Labels

DELL Switch Configuration

by in Getting Data In
‎09-26-2025 05:02 AM
‎09-26-2025 05:02 AM
I need to integrate Dell Switches with Splunk using syslog-ng which is installed on, On-Prem HF, what are the prerequisites/configurations need to be done on the switch to forward logs to syslog-ng? Thanks in Advance. ... View more
Labels

syslog-ng configuration

by in Getting Data In
‎09-25-2025 04:22 AM
‎09-25-2025 04:22 AM
I need to onboard CISCO IOS switch logs with splunk, we have a syslog-ng installed on HF, could somebody explain the exact configurations to be made in syslog-ng.conf? Thanks in Advance ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-12-2026 02:34 AM
Karma given to
View All