It's always mentioned from doc but I couldn't find anywhere to download it including splunk base. ... View more

I added iplocation lookup into my CIM data model.  I found there's a rare handling when I validate the result by running | from datamodel:  SPL The result SPL is like following an intermediate search filter was applied. search src_lon=* src_lat=* src_City=* src_Region=* src_Country=* dest_lon=* dest_lat=* dest_City=* dest_Region=* dest_Country=*  I have no idea why this is added. My data without location mapped will be dropped. In order to reduce the impact of this, seems I need to add EVAL to check if lon,lat,City,Country was not produced after running iplocation lookup. e.g.  | from datamodel expanded SPL (index=* OR index=_*) (((index=MY_INDEX)) tag=ids tag=attack) DIRECTIVES(READ_SUMMARY(datamodel="Intrusion_Detection.IDS_Attacks" summariesonly="false" allow_old_summaries="true")) | eval dvc=if(isnull(dvc) OR dvc="","unknown",dvc), ids_type=if(isnull(ids_type) OR ids_type="","unknown",ids_type), category=if(isnull(category) OR category="","unknown",category), signature=if(isnull(signature) OR signature="","unknown",signature), severity=if(isnull(severity) OR severity="","unknown",severity), src=if(isnull(src) OR src="" OR src="N/A","unknown",src), dest=if(isnull(dest) OR dest="" OR dest="N/A","unknown",dest), user=if(isnull(user) OR user="","unknown",user), vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown") | iplocation src prefix="src_" | iplocation dest prefix="dest_" | eval src_Country=if(isnull(src_Country) OR src_Country ="","unknown", src_Country), dest_Country=if(isnull(dest_Country) OR dest_Country ="","unknown", dest_Country) | search src_lon=* src_lat=* src_City=* src_Region=* src_Country=* dest_lon=* dest_lat=* dest_City=* dest_Region=* dest_Country=* sourcetype="MY_SOURCETYPE" | eval is_Application_IDS_Attacks=if(searchmatch("(ids_type=\"application\")"),1,0), is_not_Application_IDS_Attacks=1-is_Application_IDS_Attacks, is_Host_IDS_Attacks=if(searchmatch("(ids_type=\"host\")"),1,0), is_not_Host_IDS_Attacks=1-is_Host_IDS_Attacks, is_Network_IDS_Attacks=if(searchmatch("(ids_type=\"network\")"),1,0), is_not_Network_IDS_Attacks=1-is_Network_IDS_Attacks | fields "_time" "host" "source" "sourcetype" "action" "dest_bunit" "dest_category" "dest_port" "dest_priority" "dvc_bunit" "dvc_category" "dvc_priority" "file_hash" "file_name" "file_path" "src_bunit" "src_category" "src_priority" "transport" "tag" "user_bunit" "user_category" "user_priority" "soc_site" "vendor_action" "CVE" "dvc" "ids_type" "category" "signature" "severity" "src" "dest" "user" "vendor_product" "src_Country" "dest_Country" "is_Application_IDS_Attacks" "is_not_Application_IDS_Attacks" "is_Host_IDS_Attacks" "is_not_Host_IDS_Attacks" "is_Network_IDS_Attacks" "is_not_Network_IDS_Attacks"    ... View more

Hi, There're some incidents hit my threat intelligence IP, e.g. dest. That's why Threat Activity notable event is triggered which is good to see. However, my concern is it would at the same time multiple the score of "unknown" user and "unknown" src/dest.  How can I filter these noise effectively, so not so many false alert introduced by "unknown" user or IP? ... View more

What's the meaning of this warning message? I didn't enable index reduction at all. "Search on most recent data has completed. Expect slower search speeds as we search the reduced buckets." ... View more

Quite often I saw this warning from dashboard panels. I have no cue what happened with following message. The search peers didn't look busy at all. Can someone give any advice? Thanks!! DistributedPeerManager - Unable to distribute to peer named x.x.x.x:8089 at uri=x.x.x.x:8089 using the uri-scheme=https because peer has status=Down. Verify uri-scheme, connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information. I read this manual but still can't find any obvious delay/disconnect https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/authtimeout ... View more