Weekend Web Traffic Summary in IIS

The following Splunk query will return a summary of weekend activity for a given IIS hosted website. sourcetype=”iis” (date_wday=saturday OR date_wday=sunday) | stats count(JSESSIONID) as Value | eval Metric=”Total Hits on Weekends” | append [ search sourcetype=”iis” (date_wday=saturday OR date_wday=sunday) | stats dc(JSESSIONID) as Value | eval Metric=”Total Visits on Weekends”] | append [ search […]

Continue Reading →

Total Hits on Most Active Day in IIS

The following Splunk query will return the total number of hits on the most active day in a given time range within an IIS environment: sourcetype=”iis” |  top limit=1 date_mday | rename count as Value| fieldformat Value=tostring(Value,”commas”) | eval Metric=”Number of hits on Most active date” | fields – date_mday, count, percent | fields Metric, […]

Continue Reading →

Total Hits on Least Active Day in IIS

The following Splunk Query will return the total number of hits to a web site on the least active day of a given time range: sourcetype=”iis” |  rare limit=1 date_mday | rename count as Value | fieldformat Value=tostring(Value,”commas”)| eval Metric=”Number of hits on least active date” | fields – date_mday, count, percent | fields Metric, […]

Continue Reading →

Most Active Day and Least Active Day for IIS Web Traffic

The following Splunk query will return the most active and the least active days for web traffic in an IIS environment: sourcetype=”iis” | bucket span=1d _time | top limit=1 _time | eval Date=strftime(_time, “%m/%d/%Y”) | eval Metric=”Most Active Date” | append [ search sourcetype=”iis” | bucket span=1d _time | rare limit=1 _time | eval Date=strftime(_time, […]

Continue Reading →

Visits by Days of the Week in IIS

The following Splunk query will show the number of web visits for each weekday: sourcetype=”iis” | eval uppercase=upper(substr(date_wday,1,1)).substr(date_wday,2)|dedup JSESSIONID| top limit=7 uppercase | eval sort_field=case(uppercase==”Sunday”,1, uppercase==”Monday”,2, uppercase==”Tuesday”,3, uppercase==”Wednesday”,4, uppercase==”Thursday”,5, uppercase==”Friday”,6, uppercase==”Saturday”,7) | sort + sort_field | fields – sort_field |rename count as Visits | rename uppercase as “Day of the Week”

Continue Reading →

Top 5 Visiting Countries in IIS

The following Splunk query will list the top 5 visiting countries using the built in “iplocation” feature in Splunk: sourcetype=”iis” | iplocation c_ip |top limit=5 Country | eval percent = round(percent,2) . ” %” | rename count as Views | rename percent as Percent

Continue Reading →

Rename _time field in a TimeChart

When running a timechart splunk search query you may wish to rename the field _time. In order to do this you must first save the search to a dashboard or report. Once saved edit the source and add the following in the panel: <option name=”charting.axisTitleX.text”>Date</option> This can be added right before the closing “</chart>” code.

Continue Reading →

Splunk License Usage Over the Last 30 Days

The following Splunk Search will show license usage over the past 30 days: index=_internal source=*license_usage.log type=”RolloverSummary” earliest=-30d@d | eval _time=_time – 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS “volume” fixedrange=false | join type=outer _time [ search index=_internal source=*license_usage.log type=”RolloverSummary” earliest=-30d@d | eval _time=_time […]

Continue Reading →

Splunk License Gauge

This Splunk search query will show current license usage | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) […]

Continue Reading →

Comparing Stats Time Over Time

index=_internal earliest=-48h latest=-24h | bin _time span=10m | stats count by _time | eval window=”yesterday” | append [ search index=_internal earliest=-24h | bin _time span=10m | stats count by _time| eval window=”today” | eval _time=(_time-(60*60*24))] | timechart span=10m sum(count) by window This search will lay a count of something (in this case, just a count) […]

Continue Reading →

Unintended Windows Shutdowns

This splunk query will show any unintended Windows system Shutdowns. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/ sourcetype=”WinEventLog:system” EventCode=6008 | eval Date=strftime(_time, “%Y/%m/%d”) | table  Date host, index, Message  | sort  – Date

Continue Reading →

Clearing of Windows Audit Logs

This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/ source=WinEventLog:security (EventCode=1102 OR EventCode=517) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Client_User_Name, host, index, Date | sort – Date | rename Client_User_Name as […]

Continue Reading →

Successful Windows Logons with Average Overlay

The following Splunk query will display successful windows logins and overlay an average on visualizations. source=”WinEventLog:Security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as “Successful Logons”

Continue Reading →

Linux Cron Job Information

This splunk query example uses regex (regular expressions) to extract information on Linux cron jobs. *Note* this query has not been extensively tested sourcetype=”cron” | eval Date=strftime(_time, “%Y/%m/%d”) | rex “.*:\d{2}\s(?<hostname>\S+)” | rex “]:\sfinished(?<Info>.*)”  | stats count by Date, hostname, Info

Continue Reading →

Failed Windows Remote Desktop Connection Attempt

The following splunk query example will return results on any Windows remote desktop connection attempts. This could be a result of a bad password, invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/   Windows Server 2008 and Newer: source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | […]

Continue Reading →