sorting
in your search query is not permitted.
| Parameter | Description |
|---|---|
Ad Hoc Search Level | The search level of the created search. For more information, refer to the Splunk Documentation. |
Execution Mode | Set to `normal` to run an asynchronous search. Set to `blocking` to return the sid only once the job is complete. |
Search | The search query the created job will run. Important Note: The use of sorting in your search query is not permitted. |
Search Mode | Set to realtime to search live incoming data, or normal to run a one-time search over historical indexed data. |
{
"_bkt": "notable~17~xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"_cd": "17:xxxxxxxx",
"_eventtype_color": "none",
"_indextime": "xxxxxxxxxx",
"_raw": "xxxxxxxxxx, search_name=\"Threat - External Authentication from Unexpected Location - Rule\", action=\"success\", city=\"Kempton Park (Isando)\", country=\"South Africa\", event_source=\"AAD\", event_time=\"2024-05-28 05:18:55 CDT\", first_event=\"2024-05-28 05:18:55 CDT\", info_max_time=\"xxxxxxxxxx.xxxxxxxxx\", info_min_time=\"xxxxxxxxxx.xxxxxxxxx\", info_search_time=\"xxxxxxxxxx.xxxxxxxxx\", last_event=\"2024-05-28 05:20:36 CDT\", region=\"Gauteng\", src=\"xxx.xxx.xxx.xxx\", user=\"xxxxxx.xxxxxx@xxxxxxx.xxx\"",
"_serial": "0",
"_si": [
"idx20",
"notable"
],
"_sourcetype": "stash",
"_time": "2024-05-28T06:00:13.000-05:00",
"action": "success",
"city": "Kempton Park (Isando)",
"country": "South Africa",
"event_hash": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"event_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"event_source": "AAD",
"event_time": "2024-05-28 05:18:55 CDT",
"eventtype": [
"modnotable_results",
"notable"
],
"first_event": "2024-05-28 05:18:55 CDT",
"host": "sh04",
"index": "notable",
"indexer_guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"info_max_time": "xxxxxxxxxx.xxxxxxxxx",
"info_min_time": "xxxxxxxxxx.xxxxxxxxx",
"info_search_time": "xxxxxxxxxx.xxxxxxxxx",
"last_event": "2024-05-28 05:20:36 CDT",
"linecount": "1",
"orig_action_name": "notable",
"orig_rid": "1",
"orig_sid": "scheduler__nobody__SplunkEnterpriseSecuritySuite__RMDxxxxxxxxxxxxxxxx_at_xxxxxxxxxx_xxxxx",
"region": "Gauteng",
"rule_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@@notable@@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"search_name": "Threat - External Authentication from Unexpected Location - Rule",
"source": "Threat - External Authentication from Unexpected Location - Rule",
"sourcetype": "stash",
"splunk_server": "idx20",
"src": "xxx.xxx.xxx.xxx",
"src_is_expected": "false",
"src_pci_domain": "untrust",
"src_requires_av": "false",
"src_should_timesync": "false",
"src_should_update": "false",
"tag": [
"modaction_result",
"success"
],
"tag::action": "success",
"tag::eventtype": "modaction_result",
"timestamp": "none",
"user": "xxxxxx.xxxxxx@xxxxxxx.xxx",
"user_watchlist": "false"
}