×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
BrianKJr
Explorer
Member since: ‎04-10-2020
‎01-19-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎04-10-2020
View All

Re: Splunk ES Correlation Search Not Firing [When ...

by in Alerting
‎01-19-2021 10:51 AM
‎01-19-2021 10:51 AM
After further troubleshooting the time range WAS the issue due to API schedule for threats being forwarded to Splunk.. The API through Cylance / Splunk will need to be looked at because its not sending logs as often as it should be. The solution for the interim is to extend the time range from 2 hours to 12 hours. Thanks for responding 🙂 ... View more

Re: Splunk ES Correlation Search Not Firing [When ...

by in Alerting
‎01-17-2021 07:41 AM
‎01-17-2021 07:41 AM
Hello @scelikok  Yes the search runs every 5 minutes, and looks back 1 hour. Today it should have generated three unique alerts. Its been running for a couple days at this point, and the base search has matched 10 + events. We've received 0 though. ... View more

Splunk ES Correlation Search Not Firing [When it s...

by in Alerting
‎01-16-2021 12:53 PM
‎01-16-2021 12:53 PM
Hello, So I am working on a CS for Enterprise Security that  -- when run manually -- it returns results; however, when its scheduled to run it does not return anything. I've looked in the _internal index and found that: 0 suppressions are taking effect 0 results are returned All searches are ran successfully I've looked in the notable's index and confirmed that 0 alerts are firing. The CS is running as ADMIN within the application context of Enterprise Security. This is the search: index=cylance_protect sourcetype=threat | eval FirstFound=split('First Found'," ") | eval FirstFoundDate=mvindex(FirstFound,0) | eval FirstFoundDate_epoch=strptime(FirstFoundDate, "%m/%d/%Y") | eval currentTime=now() | eval currentTime=strftime(currentTime, "%m/%d/%Y") | eval currentTime_epoch=strptime(currentTime, "%m/%d/%Y") | eval CreatedDaysAgo=(currentTime_epoch-FirstFoundDate_epoch)/86400 | eval CreatedDaysAgo=round(CreatedDaysAgo) | search CreatedDaysAgo < 2 | table _time FirstFound CreatedDaysAgo DeviceName Tenant user action "Cylance Score" signature "Detected By" "Ever Run" "File Name" file_path file_hash   Are the eval statements causing this issue? I used the above logic to ONLY return 'new' Cylance detections within the last 1 day. ... View more

Re: How to check total logs size in MB being sent ...

by in Splunk Search
‎04-24-2020 09:01 AM
‎04-24-2020 09:01 AM
you do /1028 in your example isn't it /1024 ? or am I missing something that Splunk does with padding? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-19-2021 02:12 PM
Karma given to
View All