Count of Splunk Errors Per Host

The following Splunk query will list the number of errors associated with each host over a given time range:

Continue Reading →

Memory Usage and Information on Splunk Server

This Splunk Search Query will perform a rest call to indicate current memory consumption on the Splunk server(s) itself/themselves: *NOTE* The following has been modified from the “Distributed Management Console” to be more generic for a copy, paste, and search example.

Continue Reading →

Count of Attackers on Juniper Devices

The following is a Splunk search query that indicates potential “attacks” by source IP.  Further investigation will be needed to determine accuracy of attacks.

Credit given to bbosearch.

Continue Reading →

Splunk Server Restart Duration

As titled, the following Splunk search query will show the restart duration (using the transaction command) of the Splunk service itself.  

Continue Reading →

Successful Linux Logons by Username

As stated in the title, this Splunk search query will return a list of all successful logons by user name on linux hosts. The regex is provided in the event the field is not extracted:

Continue Reading →

List Ports Forwarders are Using

Use the following Splunk Search Query to list what ports your Universal Forwarders are using to communicate to the Indexer:

Continue Reading →

Simple GeoIP Information for Web Traffic

This simple query will show if IIS traffic came to a given site from three geographical possibilities: “United States” “International” or “Unknown” sources. This relies entirely on geoip lookup. You can change the country of “United States” to anything you desire for you own data set (just make the change in the eval section below!). […]

Continue Reading →

List of Indexes

This simple Splunk query will return results for indexes that the current user (typically you) have access to: *NOTE* depending on settings this may or may not return internal indexes.

Continue Reading →

Unintended Windows Shutdowns

This splunk query will show any unintended Windows system Shutdowns. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/

Continue Reading →

Clearing of Windows Audit Logs

This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/

Continue Reading →

Successful Windows Logons with Average Overlay

The following Splunk query will display successful windows logins and overlay an average on visualizations.

Continue Reading →

Accounts Deleted in a Windows Environment

These splunk queries will return deleted accounts in Associated with Windows Environments (NOTE* The 2003 query requires that the splunk for windows app be installed): 2003:

2008:

Continue Reading →

Failed Login to OSX

The following splunk query will return results on users who made unsuccessful attempts to login to an OSX machine:

Continue Reading →

Successful Login to OSX

The following splunk query (with regex) will return a result of users who have successfully authenticated to an OSX machine: *NOTE* Thanks Bob for pointing this out. The regular expression has now been fixed!

Continue Reading →