Hi All, just wondering if anyone has a search that shows which user deleted another user in Linux  ? Typically in the linux syslog messages, when we check for userdel messages ,  it only shows the name of the user account that was deleted.  There isn't any mention of which user performed this action.   Whereas in Windows events, we see both src and target user for deletion Event IDs.  How to get this info ? I know one can manually login to host and verify the ./bash_history but how do you accomplish this from Splunk itself ? ... View more

Hi All,  which page in UBA shows closed threats or how can we view the threats that have been closed out ?  By default the "threats" review page shows all open or active ones.  I couldn't find any option in the Top Menu or filter to take us to list of the threats that have been closed out.   ... View more

Hi All,   i have a row in my dashboard which consists of multiple panels in one line as shown below.  Is there a way to put a horizontal scroll bar  at the bottom of this row so that it allow me to slide left to right and that way i can enlarge these panels ?  My requirement is to make all the 10 boxes (panel) fit in the same row and make them readable and slightly bigger.  Autosize ends up shrinking some words. The xml code for above is something like this:   <row> <panel> <single> <title>Initial Access</title> <search> <query></query> </search> <option name="colorBy">value</option> <option name="colorMode">none</option> <option name="drilldown">all</option> <option name="height">125</option> <option name="rangeColors">["0x000","0xd93f3c"]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> </single> </panel> <panel> <single> <title>Execution</title> .... </single> </panel> .... </row>   I am aware that by including overflow: auto  inside a HTML block of a panel will show the scroll bar for that individual panel.  But in my case, i need a common scroll bar for all the panels in the same row. Hope i am clear   ... View more

Hi All,  My Dashboard panel which calls a report search is showing "Search did not return any events." When i click on the magnifying glass icon and run the search manually, it displays the results without any issues.  Please advise what could be wrong in the XML form.  I am ensuring to use <form> </form>      <form version="1.1"> <label>SLA Metrics</label> <fieldset autoRun="true" submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <event> <title>MTTA - Mean Time to Acknowledge</title> <search ref="MHE - Mean Time to Acknowledge"> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="list.drilldown">none</option> </event> </panel> </row> </form>         I have referenced https://community.splunk.com/t5/Splunk-Search/Using-time-range-picker-does-not-work-in-dashboard-where-report/m-p/148254 and as far as i can tell,  my xml code is in line with what is the solution in the post.  Please assist. ... View more

Hi All, Need some guidance for calculating SLA  Achieved percentage column.  This is how my results look like after running base search Severity Count_of_Alerts Mean_Time_To_Close SLA Target SLA Achieved  in % S1 10 7 mins 8 secs  15 mins   S2 5 6 mins 25 secs 45 min   I have referenced solution provided by @ITWhisperer in https://community.splunk.com/t5/Splunk-Search/adding-percentage-of-SLA-breach/m-p/572942#M199687  but in my case we also have count column.   We are ok with considering only the minutes portion of the Time_to_Close and ignoring the secs if too complicated. How can i calculate my SLA achieved in % . Is it as simple as doing a  | eval SLA_Achieved = (Mean_Time_to_close*SLA_Target)/100 One further optimization would if the SLA % achieved is less than the Target, then perhaps color that cell green else Red in color (something on that lines). ... View more

Hi All, I have a very simple use case and that is to display the time difference between 2 fields that already have their values as time in epoch format.   But when i use ctime to display the difference, it shows weird results.  As shown below my events contains 2 fields ( tt0 & tt1). Their values are  timestamp in EPOCH. If we manually  convert these to Human Readable Time , the difference between the tt0 and tt1 is just 03 mins and xx seconds.   tto tt1 1675061542  1675061732 But when i do a      | eval ttc=tt1-tt0 | convert ctime(ttc)     Splunk displays ttc as follows:   12/31/1969 18:56:49.2304990  What am i doing wrong here?  How to make it display ttc correctly ? ... View more