To send specific notable events from the Enterprise Security Incident Review page for investigation, an add-on called the ServiceNow Security Operations Add-on is available. This add-on allows Splunk ES analysts to create security-related incidents and events in ServiceNow. It features on-demand single ServiceNow event or incident creation from Splunk Event Scheduled Alerts, enabling the creation of both single and multiple ServiceNow events and incidents. For Detailed integrations steps refer The reverse integration between ServiceNow and Splunk for incident management can be achieved using an out-of-the-box method.  If this reply is helpful, karma would be appreciated 🙂. ... View more

Hi everyone, Please advise is it possible to GET a particular service Health score with a simple Rest API call (for example using a Postman app)? Tried to find it in https://docs.splunk.com/Documentation/ITSI/4.17.0/RESTAPI/ITSIRESTAPIreference#ITOA_Interface but no success. ... View more

UF does only simple ingestion and generally does not modify the events. You can set your metadata to a static value but not calculate it dynamicaly. Your non-splunk solution would be to use a third-party provisioning software (like ansible, chef or puppet) to prepare your UF configs dynamically so that the host setting at the UF level or even a single input is set to this dynamic value. Alternatively, you can do an index-time rewrite of your metadata with a transform similar to what @gcusello presented, just tied to a group of hosts with a matching pattern - see https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf#GLOBAL_SETTINGS ... View more

This is great, but is there any way of finding the "search_id" of a scheduled search? I've tried using the search_id that is listed in the URL when opening the search in the GUI and the search_is that is listed on the enpoint https://<host>:<mPort>/services/search/jobs (which I found to be not the same for some reason), but I always get the result "Unknown endpoint". Anyone know how to find the correct ID for a scheduled search? ... View more

@rhirasin can you add the raw sample data and also what is the query you are using. When you run just the base search index=<YourIndexName> are you not seeing the Time field? Because that would be very odd. For data inserted to Splunk index the Time field should have event timestamp and Event field should have complete _raw data. Please add few sample events for us to assist you. ... View more

Our org has a small splunk setup. I am trying to secure the splunk with letsencrypt. I have the certs already and put them in /opt/splunk/etc/auth/certs path. Lets encrypt issues the files as cert.pem, chain.pem, fullchain.pem and privkey.pem. I pointed to the location of certs in both web.conf and server.conf under /opt/splunk/etc/system/local/ on indexer server and outputs.conf on forwarders. But I am still getting the same error and forwarders don't forward any data. ... View more