I am trying to assign custom tags to notable events so that they can be triaged by certain analysts, i.e., tier 1. I have a cron scheduled search created and it is set to create notable events; this works fine. I then setup a corresponding tag for that search_name but when I try to filter by the tag name in the tag field in the Incident Review dashboard it does not show up. scheduled search (search name is _triage_test) that is working and generates a notable: index=snort signature="test rule" tag (tag name is _use_case_test) that is not working: search_name=_triage_test Any ideas? Thanks. ... View more

For example, I want to run the following search and have splunk output IPs that do NOT show up in the results. index=blah dest_ip=10.0.0.0/16 I imagine i need to use the stats count function but I have yet to figure it out. edit: I have a list of ~1600 hosts and I want to see which ones in this list have not generated any events. ... View more

When I run the following search, I get 100+ results of src_ip 1.2.3.4 and signature X: index=http status=200 src_ip!=10.0.0.0/8 src_ip!=192.168.0.0/16 src_ip!=172.16.0.0/12 | table src_ip | join [search index=snort | dedup src_ip,signature | table src_ip,signature] However, if I run the search below, dedup works as expected and the combination of src_ip 1.2.3.4 and signature X only shows up once index=snort src_ip=1.2.3.4 | dedup src_ip,signature | table src_ip signature ... View more

I want to take the values of src_ip from this search: index=http status=200 and see which of those source IPs also generated an event in index=snort ... View more