Smart AnSwerS #77

Hey there community and welcome to the 77th installment of Smart AnSwerS.

Applications for the 2016 – 2017 SplunkTrust cohort were submitted a month ago, and the current membership reviewed and ranked all of them individually within the past several weeks. The rankings have been gathered to finalize who will be a SplunkTrustee and inducted at .conf2016. The Splunk community has greatly benefited from the contributions of all the applicants through various means, and we can’t thank them enough for sharing their Splunk clue with other users to learn and grow. Best of luck to everyone!

Check out this week’s featured Splunk Answers posts:

Ever wonder which dashboards are being used and what users are using them?

MattZerfas posted this useful Q&A with the community to share the Simple XML for a dashboard he created to monitor dashboards being used, and by which users in a Splunk environment. It includes a drop-down form that uses a rest search to populate a list of LDAP users to view their individual dashboard usage. You also have the option to drill down on any dashboard in a chart to see who is using it per day. willisiw commented to confirm the dashboard was useful, and added what needs to be edited in the searches for Splunk installations on Windows.

Splunk Enterprise Security: What conditions need to be met to generate an Original Event Window in Incident Review?

sheamus69 noticed some notable events in the Incident Review dashboard had a link to view the raw details of the original event that triggered the notable event, but others did not. He wasn’t sure what requirements were necessary to generate this option for notable events where this was missing. hgrow explains that some notable events require multiple events to trigger the correlation search. However, hgrow lists the specific fields to be included to display the “view original event” link if you write your own correlation search.

Why does Splunk CSV export change the time format to epoch time? How to fix it?

rajnepali didn’t understand why time was displayed in a human-readable format viewing search results in Splunk Web, but when the results were exported to a CSV file, it was automatically converted to epoch time. somesoni2 sheds light on the fact that the _time field is shown in a human-readable format in Splunk visualizations, but holds an epoch value. When the results are exported to CSV, the original epoch time is displayed. To get a formatted date and time string, it would have to be converted first in the search generating the results.

Thanks for reading!

Missed out on the first seventy-six Smart AnSwerS blog posts? Check ‘em out here!

Posted by

Show All Tags
Show Less Tags