How can I leverage Splunk Cloud to: Monitor System Health & Performance – Track uptime, downtime, and resource utilization (CPU/memory) of essential infrastructure. Enhance Endpoint & Network Security – Analyze firewall activity, VPN connections, and endpoint protection status. Utilize UEBA – Identify unusual user behavior that may signal insider threats or compromised accounts. Visualize Threat Response Metrics – Build dashboards to track the time taken for threat detection, investigation, and resolution. Analyze Cyberattack Patterns – Create dashboards to identify attack sources, detect trends, and refine mitigation strategies.   ... View more

I'm trying to create a report that includes the following information and want to schedule it to run monthly. I need to know how can I gather the information from Splunk. How many events are observed by Splunk for a month? Of those, how many are internal Splunk events ? How many events are from log sources? Total number of notables observed by month Classification of notables based on severity What is the notable generation time? what is the time the notable was assigned to analyst? what is the time the analyst responded to the notable and what was the response? what time was the notable closed?   As of now I'm going through the `notable`, but need more information as to how this can be navigated. Your comments would be appreciated.   Thanks ... View more

I'm looking to export notable events from the Incident Review dashboard in Splunk Enterprise Security to a CSV/Excel file. I need to include the following details: Notable Name (Rule Name) Notable Triggered Time Time Assigned for Investigation Conclusion (e.g., True Positive (TP), False Positive (FP), Benign True Positive (BTP)) Open/Closed Status What would be the best SPL query or method to extract this information? Also, is there a way to automate this export on a scheduled basis?   Currently using the SPL query: `notable` | eval original_time=strftime(orig_time,"%c") | eval reviewing_time=strftime(review_time,"%c") | table search_name, comment, disposition_label, original_time, reviewing_time, owner, search_name, reviewer, status, status_description, status_label, urgency, username and I'm getting results. However, I'm not getting an ID to locate and go through an individual notable if I wanted to. How can I search for a specific notable? Is there a tracking number for a notable? I'd like to include it in my table as well. ... View more

I want to integrate SentinelOne Singularity Enterprise data into my security workflows. What critical data (e.g., process/network events, threat detections, behavioral analytics) should I prioritize ingesting? What’s the best method (API, syslog, SIEM connectors) to pull this data, and how does it add value (e.g., improving threat hunting, automating response, or enriching SIEM/SOAR)? ... View more

I’m implementing a Canary Honeypot in my company and want to integrate its data with Splunk. What key information should I prioritize ingesting? and how can this data enhance threat detection (e.g., correlating with firewall logs, spotting lateral movement)? Are there recommended Splunk TAs or SPL queries to structure and analyze this data effectively? ... View more

  I want do the Splunk Certified Core User certification. Currently, I've registered for a learning path in Splunk itself. I selected only free course in each topic. I didn't select any topic in 'Leveraging Lookups and Subsearches', 'Search Optimization' as it had only paid option. Are all these fine for completing the certification? I'm thinking of doing the same for Power User and Cloud Admin. Is this approach fine? ... View more

1. For a user to use Splunk support portal, should the user be granted access to the support portal? Don't they get the access inherently? 2. Company has 2 different instances of Splunk. Will the dashboard created in one be visible in another as well? Are the 2 instances independent of each other? Can you paint a picture for me, how they'd be related? 3. In order for me to know the answers to these questions, what concepts/topics should I know well? ... View more

In Securonix's SIEM, we can manually create cases through Spotter by generating an alert and then transferring those results into an actual incident on the board. Is it possible to do something similar in Splunk? Specifically, I have a threat hunting report that I've completed, and I'd like to document it in an incident, similar to how it's done in Securonix. The goal is to extract a query from the search results, create an incident, and generate a case ID to help track the report. Is there a way to accomplish this in Splunk so that it can be added to the incident review board for documentation and tracking purposes? ... View more