Review account activity for accounts which have been flagged.
Let me first say, I'm sure I could write a search that essentially returns what I'm looking for, however due to the amount and nature of the data it would not be a fast running search. I'm looking to...
Heatmap - Tool, Query, and visualization options.
I currently have a sample data table as below. I want to put it into a heatmap, where `Date, TimeWindow, Sum` as X, Y, and Z in the heatmap. `Date TimeWindow Sum 3/1/2018 20:20:00—20:40:00 5 3/3/2018...
Is it possible to use results_preview with a tstats search on a data model?
I am running a Splunk query that looks like this below, and runs on an accelerated data model (this is not an exact query, but just illustrates the logic) | tstats `list_of_my_tstats_fields` from...
datamodel - custom command as calculated field
We have built a considerable amount of logic using a combination of python and kvstore collections to categorise incoming data. The custom command can be called after the root event by using | datamodel...
How to get lookup results into datamodel
I am trying to get lookup results into accelerated datamodel, but no luck so far. I am using network_traffic datamodel, where I have added new auto extracted field. I have tried to setup automatic...
Why is it slow if you don't use a numeric value when searching in a datamodel?
The following example is pretty fast: | from datamodel:rc-stats | search _time > 1519966560 _time <= 1519970160 | stats count Why are the next two similar queries so slow? The slowness also...
Data model not picking up field alias
I have installed the Suricata TA on my Splunk box. I am verifying that the data is flowing into the Intrusion Detection data model correctly. The Suricata TA has the following field alias:...
Why do the fields on datamodel "ns_waf" not exist?
Hi. Fields present on datamodel "ns_waf" don't exist. Anyone have these fields extracted? nswaf_action, nswaf_appliance, nswaf_company, etc. This app doesn't have any extraction defined on...
Discrepancy between datamodel, summaries, & raw search
We are running SE 6.5.4, ES 4.7.1, Splunk_SA_CIM - 4.8.0 I'm getting a discrepancy between 3 searches over the exact same 15 minute period (any given 15 minute period) for the following 3 searches: |...
How to use datamodel field values in tstats to filter resultant data?
I'm trying to search my Intrusion Detection datamodel when the src_ip is a specific CIDR to limit the results but can't seem to get the search right. Is this possible? | tstats count from...
Why is tstats command with eval not working on a particular field?
Hi, I am trying to combine results into two categories based off an eval statement. The original query returns the results fine, but is slow because of the large amount of results and extended time frame:...
Data model is accelerating within 5 secs but not able to fetch the data from...
When we start the acceleration of data model, it completes successfully. But when we run the below query, we are not able to fetch the data. | tstats summariesonly=t count from...
How come my data model is accelerating within 5 secs but can't fetch the data...
When we start the acceleration of a data model, it completes successfully. But, when we run the below query, we are not able to fetch the data. | tstats summariesonly=t count from...
Why does data model show name of lookup definition in its fields?
Hello, in the past few weeks, we have run into some strange behavior with a data model. It is somehow connected to geofence. We named our lookup definition for it as ld_geoContEurope and used the...
In Splunk Enterprise Security, why is "weight" field missing in the Threat...
The datamodel for Threat Intelligence is missing the weight field. This breaks the built in Threat Activity Detected notable, that is based on the datamodel. This renders the following lines without...
Why isn't my datamodel returning any data?
Hi all, I have upgraded my Splunk from 6.6.6 to 7.1.1 and installed a new Splunk CIM version (4.12). I accelerated a few data models like malware, network traffic and change analysis. Malware data model...
How do you edit a correlation rule in a datamodel in Splunk Enterprise Security?
Hello, Our correlation search for "account deleted" in Splunk is firing for any type of machine deletion detected on our domain controllers. Here is our correlation search: | from...
Datamodel is giving results outside of the constraints given in Summary Range
I have accelerated my data model for a **7 days** period and rebuilt the datamodel. After its completion, I have executed the below query to get the acceleration period which is mentioned in...
Overwriting _time in datamodel causing mismatch between _time and time picker
Hello, I am overwriting _time in datamodel because there is no proper timestamp in logs. When I am trying to access data using a tstats search, _time is not in sync with the time picker. In the below screen shot I...
How do you group by field in the stats table?
I am attempting to get the top values from a datamodel and output a table. The query that I am using: | from datamodel:"Authentication"."Failed_Authentication" | search app!=myapp | top limit=20 user...