Splunk Enterprise Security: How can I do a cidrmatch against a data model field?
I'm working with Splunk Enterprise Security and I'm trying to build/refine correlations against the Network Traffic Data Model. I want to exclude destination addresses in RFC1918 space. When working...
How do I search using a data model?
I've been working on a report that shows the dropped or blocked traffic using the interesting ports lookup table. I want to change this to search the network data model so I'm not using the `*` for my...
How to build a datamodel like this?
My data consists of pairs of files, let's call them file_A_1...file_A_n, and file_B_1...file_B_n, where file_A_1 is connected with file_B_1. The pairs are always ingested at the same time together. The...
Splunk Enterprise Security: Why am I getting "[indexer] The search for...
Hello, I have an error message in the threat activity dashboard in a Splunk Enterprise Security search head: [indexer] The search for datamodel 'Threat_Intelligence' failed to parse, cannot get indexes...
How to do select * on a datamodel
I am trying to build a machine learning model using data from datamodels in Splunk. To build a feature vector I need to do select * (SQL) kind of queries on Splunk datamodel data. I could not find any...
Pivot Column Fields Disappear in results table for long date range
Here is the actual query: | pivot data_model_name object_name avg(response_time) AS "Average of response_time" SPLITROW _time AS _time PERIOD hour SPLITCOL somefield1 FILTER somefield2 is yes FILTER...
Splunk CIM Network Datamodel
So I am writing an iRule for an F5 load balancer pair to log out LDAP usage. The log needs the following to meet the needs of the customer - trustedSever ip and port F5Self ip and port Destination IP...
Field values not appearing in data model
I'm trying to add uptime field values to the performance data model. I used an EXTRACT to create the field and can validate that each expected host is putting a value into the field. I then created an...
Why am I getting Splunk IT Service Intelligence import error "datamodel model...
Does anyone know why I'm getting this ITSI import error? failed to import services from a successful backup. details : main machine was windows, remote. Json was correctly created with no unusual...
Is there a way to get output similar to the list function that works in a...
I am searching for some data for a user and the data file is huge, so the normal search and stats function is taking too long. I created a data model for this, but the problem is I can't use the...
How to manage data models with REST endpoints?
Hello, I am trying to find the way to manage datamodels using REST endpoints: [http://docs.splunk.com/Documentation/Splunk/6.3.1/RESTREF][1] **My main objectives are:** - Launch datamodel rebuild...
Transaction on (accelerated) datamodel
Hello, I have a search like this: index=XXX (sourcetype=XXX OR sourcetype=XXX) THREAT cs_component_id=XXX [ search index=XXX (sourcetype=XXX OR sourcetype=XXX) THREAT cs_component_id=XXX pa_dst_ip=YYY...
Splunk App for Enterprise Security: How to edit the Threat Intelligence Data...
So within the Enterprise Security App, there is the built-in threat activity dashboard. One of the panels shows your sourcetype (firewall) and all the hits where the events from that source type match up with a...
Is there a quick way to list all fields in a data model within Splunk?
I've read about the pivot and datamodel commands. What I'm trying to do is run some sort of search in Splunk (rest perhaps) to pull out the fields defined in any loaded datamodel. I'm not trying to run...
Are wildcards with tstats on accelerated data models not possible?
I'm running a search that is something like this: | tstats values from datamodel=foo When the datamodel is not accelerated, I get all my data. When it is accelerated, no data is returned. If I specify...
Pivot Reports - Why can't I select third level objects?
Hi all, I created a Data Model in Splunk which has three levels of objects. For example: 1. RDP Events 1.1 LSM Log Entries 1.1.1 Successful Session Logins In Pivot Report I choose "RDP Events". Why I...
Splunk Enterprise Security: How to modify the Top Infections Search to...
Can someone help me modify the Top Infections search? It is using tstats and a datamodel. I'm trying to exclude results where signature=Tracking Cookies, but usual exclusion methods aren't working with...
Where can I find detailed documentation for using tstats with accelerated...
I'm starting to use accelerated data models to power some dashboards, but I'm having some issues. For example, after a few days of searching, I only recently found out that to reference fields, I need...
Splunk IT Service Intelligence: Why am I getting datamodel search error...
| datamodel Host_OS CPU search | `aggregate_raw_into_service(avg, Performance.CPU.cpu_load_percent)` | `assess_severity(ac600b7a-5db7-49b9-a3b6-1535c31d7826, d307e18cac4d171a0539a07c, true, true)` |...
Splunk App for Web Analytics: Why does my data model have empty fields...
Hello there. I'm having another issue with the Splunk App for Web Analytics... but I'm not sure where the problem is. I created a script that downloads some data and puts this data in a directory. Then,...