Hosts that stopped sending logs
This Splunk query shows hosts that stopped sending logs for at least 48 hours. Change the time range to something relevant to your environment, and you may need to tweak the 48-hour threshold to a value that better suits it.
| tstats count as countAtToday latest(_time) as lastTime […]
Exclude single event type from logs
Do this on the heavy forwarder (HF).
transforms.conf:
[discard_gotoips]
REGEX = <<<use regex,URL>>>
DEST_KEY = queue
FORMAT = nullQueue
props.conf:
[default]
TRANSFORMS-null = discard_gotoips
File location: /etc/system/local
Port usage for opsec sourcetype
Stats count by port usage:
index=* sourcetype=opsec | stats count by s_port proto dest dest_svc action product
Search Traffic by Source IP
GoSplunk Admin Notes: If you have a data model enabled that matches the search below, this might work for you!
| datamodel Network_Traffic All_Traffic search | search All_Traffic.src_ip=10.x.x.x | stats count by All_Traffic.src_ip, All_Traffic.dest, All_Traffic.action, dstcountry | dedup All_Traffic.dest