Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mparks11
mparks11
Path Finder
Member since:
05-30-2013
01-13-2021
Community Statistics
| Posts | 28 |
| Solutions | 4 |
| Karma Given | 35 |
| Karma Received | 18 |
| Member Since | 05-30-2013 |
Activity Feed
- Got Karma for Re: What is the best way to combine 3+ fields?. 03-01-2024 07:05 PM
- Karma Re: Expanding nested JSON events into multiple events for search for martin_mueller. 01-12-2021 11:15 AM
- Karma Re: How can I extract a file name from a file path? for masonmorales. 06-05-2020 12:49 AM
- Karma Re: Is there a way to copy a field and not rename it? for woodcock. 06-05-2020 12:48 AM
- Karma Re: I need some searching help for windows event logs. Can anyone tell me the specific search commands? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Splunk.License: failed to add because: cannot add lic w/ subgroupId=DevTest:xxxxx@xxxx.com to stack w/ subgroupId=Production for scottyau. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk Enterprise Security: Why am I getting this error message "msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites""?. 06-05-2020 12:48 AM
- Got Karma for Re: How to generate a search where the count is greater than 0 after 5 days?. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk Enterprise Security: How to display all notable events and indicate which ones were suppressed?. 06-05-2020 12:48 AM
- Karma Re: How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app? for ekost. 06-05-2020 12:47 AM
- Karma Re: How to Update Splunk after JavaScript Changes without Restarting Splunk for alacercogitatus. 06-05-2020 12:47 AM
- Karma How to Update Splunk after JavaScript Changes without Restarting Splunk for mmensch. 06-05-2020 12:47 AM
- Karma How do you add an additional “Drill-down Search” in the details of a Notable Event? for joe_kraxner. 06-05-2020 12:47 AM
- Karma Re: Configuring "additional fields" for a notable event in Enterprise Security (ES) for jbrodsky_splunk. 06-05-2020 12:47 AM
- Karma Re: Configuring "additional fields" for a notable event in Enterprise Security (ES) for PrinceOfEval. 06-05-2020 12:47 AM
- Karma Configuring "additional fields" for a notable event in Enterprise Security (ES) for PrinceOfEval. 06-05-2020 12:47 AM
- Karma Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"? for MHibbin. 06-05-2020 12:47 AM
- Karma "This is Cindy, it is my new goatfriend" for dvanzuijlekom. 06-05-2020 12:47 AM
- Karma arbor pravail ddos integration for masiddiqu. 06-05-2020 12:47 AM
- Karma Re: Exclude CIDR range from search results for stephanefotso. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
11-13-2018
02:24 PM
1 Karma
That's awesome! Glad you were able to find out, and thanks for sharing!
... View more
11-13-2018
12:53 PM
1 Karma
Sorry, i don't! Maybe something in the search_id field might be an indication?
... View more
11-13-2018
11:51 AM
1 Karma
There's probably a more elegant way, but this should work to remove the single quotes in your results, by appending to the end of your search:
| rex field=search mode=sed "s/^'//g"
| rex field=search mode=sed "s/'$//g"
... View more
03-10-2017
07:46 AM
Looks like jwelch beat me to the punch!
wget https://s3.amazonaws.com/alexa-static/top-1m.csv.zip
... View more
03-09-2017
09:28 AM
1 Karma
Can you access the URL: https://s3.amazonaws.com/alexa-static/top-1m.csv.zip? This is where the Alexa Top Million is hosted. Personally, I can, so I know they haven't shut down the Alext top million (like happened a few months back and presumably will happen again). It's possible that your Splunk ES Search Head can't access that URL itself, blocked by a content filter or web proxy in your network somewhere. If you don't use the Alexa Top Million, you could just disable the input.
... View more
03-09-2017
09:21 AM
1 Karma
Probably need more details here, but you could do your base search for "errors" and have that run for the last 5 days, then pipe those results to stats and distinct count the days over which the errors existed, then trigger an alert if that distinct count >= 5.
index=foo sourcetype=bar "error" earliest=-5d | stats dc(date_wday) as days
Save As Alert then set a Trigger Condition for when days>=5.
Something like that maybe!
... View more
01-25-2017
01:25 PM
Last update. We got a workaround from Splunk support for displaying more than 30 suppressions inside of ES.
It's in the comments here:
https://answers.splunk.com/answers/482839/splunk-enterprise-security-why-is-the-notable-even-1.html
... View more
01-25-2017
01:01 PM
To increase the number of supressions displayed to the ui edit:
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/appserver/static/js/collections/NotableEventSuppressions.js (line 14):
url: "alerts/suppressions",
change it to:
url: "alerts/suppressions?count=-1",
Then _bump the version up one. This will work pending an ES 4.5.1 upgrade.
... View more
01-05-2017
02:58 PM
1 Karma
You can create an alert and send an email for the following:
index=_internal sourcetype=notable_event_suppression:rest_handler "SuppressionAudit" action=create.
I know this is an old question, but have been doing some research lately myself and came upon this :). It only seems to apply when creating a suppression from ES either through Incident Review workflow action or through Notable Event Suppression page under Content Management --> Incident Review (I believe - working from memory presently).
... View more
01-05-2017
02:45 PM
As an update, Splunk has confirmed that the 30 Suppressions view limit is a known bug for which there is no present hotfix for 4.1.3 BUT is fixed in 4.5.1. I'll also note that managing Suppressions via Event types means that ES does NOT log the audit trail of that Suppression. This means no events logged to index=_internal sourcetype=notable_event_suppression:rest_handler "SuppressionAudit" action=* (aka eventtype=suppression_audit). Still looking for a workaround on that 🙂
... View more
12-15-2016
12:05 PM
OK, thanks for the heads up. Will do!
... View more
12-15-2016
10:56 AM
Hi there,
Just noticed that the Notable Event Suppressions page in Splunk Enterprise Security (Configure --> Incident Management --> Notable Event Suppressions) is only showing 30 out of over 300 suppressions. I can view suppressions under Settings --> Event types in the Web UI, see them in SA-ThreatIntelligence/local/eventtypes.conf, and can see that they're being applied where appropriate.
We recently upgraded to ES 4.1.3 from 4.0.1, so maybe this is somehow related to the upgrade?
Was hoping someone else was seeing something similar and could guide me towards a root cause. Thanks in advance.
... View more
12-15-2016
08:49 AM
Interesting that you mention 30 suppressions maximum, as that seems to be some limit that displays in the Web UI, and it seems to be related to a recent upgrade from ES 4.0.1 to ES 4.1.3, as it used to not be the case for us.
We have ~300 suppressions that all used to show up under Configure --> Incident Management --> Notable Event Suppressions, but now it only displays 30 of them. However, all of the other ~270 are still there and working. You can see them in the Web UI:
Settings > Event types.
Search suppression event types using: notable_suppression-*
Or you can see them in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf
That said, I know that doesn't answer your question completely. For us it was important that we allowed our analysts the ability to implement suppressions based on an IP address or user for a specific notable, so we've given them the ability to do so.
What I still want to implement though, is a process by which we Audit those suppressions and consolidate/review as necessary.
Hope that helps.
... View more
12-15-2016
08:25 AM
1 Karma
There are built in macros that can assist with what you're trying to do.
`notable`
`suppression`
Try:
`notable` | search NOT `suppression`
And you can take it from there with however else you want to proceed. We use one like this in a bubble chart viz to track notables that aren't suppressed, and their delta over the previous day, over 30 days.
`notable` | search eventtype!=notable_suppression* | bin _time span=24h |stats count by _time, search_name | streamstats window=2 global=f current=t first(count) as previous by search_name | eval delta=count-previous | eval time=_time | table search_name, time, delta, count
Another option would be to use the incident_review macro:
| `incident_review`
That will only track notables that have been actioned somehow (hence tracked in the incident review KV store).
More information can be found here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA
Hope that helps!
... View more
09-12-2016
11:06 AM
Does this mean that ES will be supported or is supported on/with Hunk? Thanks.
... View more
09-02-2016
11:23 AM
2 Karma
Thanks for the input here. I found some odd results based on what a user says they were searching and what is reported out of the _audit index. Anyway, here's another method I found that may or may not be applicable, but it seemed to at least yield some results.
index=_internal user=* sourcetype=splunkd_ui_access | dedup q | table _time, q | eval q=urldecode(q)
Hope it might also help.
... View more
08-31-2016
04:00 PM
$urgency$
This worked for me in the Title of the Notable Event (in the Correlation Search), and should work in the Email Subject as well, I'd tend to believe.
... View more
08-26-2016
02:37 PM
Hi there, it depends on what your data look like, but you can add information into your stats reporting command in the "by" clause. Splunk should be calculating date_ fields that you could use, such as:
| stats sum(duration) as total_duration by Username, date_month, date_mday
You could also use the bucket/bin command to bucket time by day, which might work better to help calculate the duration by day then eval the duration calculation.
| bin _time span=1d
... View more
09-16-2015
10:26 PM
I was looking at the same today. To Ayn's point about adding in the field name, I made a few changes (in props.conf) and slightly changed another thing or two. It seems to be working well thus far.
[arbor_test]
EXTRACT-Extract src_port = (?i) source port (?P<src_port>\d+)
EXTRACT-category = (?i)^(?:[^ ]* ){5}(?P<category>[^ ]+)
EXTRACT-dest_ip = (?i) destination (?P<dest_ip>[^ ]+)
EXTRACT-signature = (?i) by (?P<signature>\w+\s+\w+)
EXTRACT-src_ip = (?i) host (?P<src_ip>[^ ]+)
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EXTRACT-dest_port = (?i) .*?/(?P<dest_port>\d+)(?= )
EXTRACT-url = (?i),URL: (?P<url>.+)
EXTRACT-arbor_signature = (?i) by (?P<arbor_signature>.+?)\s+\w+\s+\d+
... View more
05-28-2015
07:33 PM
Hey Jenn - check this out. Still a "hack" as far as I know but I tested it out and it worked :). I used it in props in conjunction with a stanza in transforms.conf.
http://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-stanzas.html
In props.conf:
[(::){0}sourcetype:*]
KV_MODE = auto
REPORT-comma-delims = commafields
In transforms.conf:
[commafields]
DELIMS = ","
FIELDS = field1,field2,field3,field4,field5
... View more
05-28-2015
07:19 PM
Hey I'm curious about the use of this "hack", because it still seems to work (in 6.1.4). Was it implemented as a feature? Is it still just a hack that may or may not go away at some point? Thanks.
... View more
We've run into this as well. Our solution has been to (in the WebUI) look at Settings --> All Configurations --> Select "All" App context and then either search for the user ID of the user that's been removed, or select that user ID from the "Owner" drop down. From there you can see the items that are owned by that user, and the App context under which they exist. At that point it's a matter of still changing the metadata/local.meta file for each App. Once complete, running a debug/refresh (http[s]://[yoursplunkserver]:[splunk port]/en-US[or your locale]/debug/refresh) has worked sufficiently if a Splunk restart isn't possible.
If you've found a better solution please share!
... View more
03-02-2015
03:35 PM
No, the dot just concatenates the values of each three fields, so it'd be "stevedavebuster". If you wanted "steve.dave.buster" it'd be something like:
| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.".".name_2.".".name_3
... View more
03-02-2015
02:23 PM
1 Karma
Found another answer as a reference as well! http://answers.splunk.com/answers/61916/concatenating-more-than-one-field.html
... View more
03-02-2015
02:20 PM
2 Karma
| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.name_2.name_3
This will fill a null value for any of name_1, name_2 or name_3, but since you don't want to actually fill the null value with an actual value, just use double quotes. Then your eval should work as expected and combine all three values into one new field for combined_user.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-13-2021
10:46 PM
|
Karma given to
