Why is the Linux Auditd app unable to see all indexes?
Hi, We are trying to set up the Linux Auditd App on one of our Search Heads. Currently, there are two Indexers getting Auditd related data and both have linux-auditd and TA_linux-auditd Apps installed....
How do I add a time range to a datamodel search that cannot use tstats?
I have a data model where the object is generated by a search which doesn't permit the DM to be accelerated, which means no tstats. I am wanting to do an appendcols to get a delta between averages for...
How do I convert this search into a tstats search leveraging the web datamodel?
Here's the search: index=proxysg sourcetype=proxysg | replace \*pandora* with www.pandora.com in url | replace \*facebook* with www.facebook.com in url | stats sum(bytes_in) as MB by url | eval...
Suggestion for data model acceleration page summary page of fire brigade...
Currently the query you use is: | rest /services/data/models | search acceleration=1 | fields title, eai:acl.app | eval app_model_name='eai:acl.app' . " / " . title | eval dm_full_name="DM_" ....
Why am I getting eval command error "The arguments to the 'searchmatch'...
Added a root event object to data model as so: index="main" host="*S100-L543*" source!="*geoip*" AND source!="*.xml" AND source!="*.config" AND ( _raw="*Exception*" OR _raw="*Stack Trace*" OR...
Questions regarding datamodel, stats, NOT, and Macros in my query
This is the query I have: | tstats `summariesonly` count from datamodel=Threat_Intelligence.Threat_Activity where NOT [|...
Does tstats always specify a datamodel?
Basically my problem is that I'm switching Splunk queries that I have into queries for a different search language. I don't yet have the capability to transfer the part of the search that specifies...
What does datamodel do?
I really need help because I've read through the Splunk documentation on tstats and their datamodel pages and I am still really confused about them. Are they just collections of your available data?...
When getting started with Linux Auditd, is it necessary to have a data model...
I have the "Splunk Add-on for Unix and Linux", the "Splunk App for Unix and Linux", and "Linux Auditd" applications installed. When I bring up the "Linux Auditd" and look for data, there is a lot of...
Does tstats use datamodels the same way Pivot does?
After reading through the Splunk documentation on pivot a few times, I noticed that it describes how it works with regards to datamodels and data model objects in a way that seems to imply that it's...
What is the best practice for correlating events from multiple sources?
Hi, I'm working on a use case with the purpose of investigating user activity over time from multiple log sources and then visualize this on a timeline (Timeline - Custom Visualization app) Currently...
Splunk Enterprise Security: After adding some fields to the IDS data model,...
Hi, I had added some fields to the IDS data model. First, I disabled the acceleration mode, then clicked on add attributes, added some four new fields to the IDS data model, clicked rebuild on the IDS data...
What's the difference between these two searches?
These are the two queries: | `tstats` count from datamodel=Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action |...
Is this search just counting the number of events in this datamodel?
This is the search: | tstats count from datamodel=Authentication where nodename=Authentication.Privileged_Authentication by _time span=1h | timechart span=1h count
Is this search counting the number of...
How to add keepevicted=true in the datamodel or the query which uses...
Hi, I've created a datamodel which has a TRANSACTION. When I try to use the datamodel query for a longer period of time, say 7 days, I'm seeing the following error:
> Some transactions have been...
How do I distinguish inbound vs outbound in the Web datamodel?
I am trying to use the Web datamodel in Splunk ES. This datamodel seems to be missing the distinction between inbound web traffic and outbound web traffic. In fact it seems mostly focused on inbound...
Splunk App for AWS: How to have VPC Flow Log options available when creating...
Hi Team, We have configured Splunk App for AWS and configured VPC Flow Log to forward logs to Splunk. We would like to have the options available (like vpc_flow.bytes, vpc_flow.interface_id,...
After renaming an auto-extracted field in Data Model Editor, why am I unable...
I've tried this with multiple fields now and the same behavior occurs. What I want is simple: To auto extract a field, and have it rename to something else so that I don't have to constantly pipe in a...
Why is the Malware Data Model not working after Splunk Enterprise Security...
Hi, I have upgraded Splunk Enterprise Security as per the documentation, but I see the Correlation searches using the Malware Data-model are not working, although I can see the data in Data model Pivots. Anyone...
How to use join with data model?
I have tried using join to detect the common field from a lookup, but I need not find the fields that are not present using a data model query. | inputlookup Denied_traffic.csv | join type=inner...