NIX Debian Package (dpkg.log) Dashboard

Description: Wanted a dashboard that would provide information around package information across my Ubuntu servers.  At this time I have only built this dashboard to review the “dpkg.log”. In an attempt to help people understand how I build dashboard, posted a video on YouTube where you can follow along while I build this dashboard out: […]

Continue Reading →

Netflow Activity dashboard showing MB’s in to dest_ip

Description: Dashboard that helps me understand activity in my home lab looking at netflow data from my OPNsense firewall.  This dashboard starts with a simple timechart that gives me a trend of average mb_in across all of my devices. I have OPNsense configured to send netflow data v9 to a Splunk independent stream forward which […]

Continue Reading →

Splunk dashboard that displays User searches

Built this dashboard to give a high level overview of user search activity.  The search powering the dashboard is looking that the _audit index and you will need to ensure that you have proper access to the internal Splunk indexes. The dashboard includes a TimeRange picker, radio button to include or exclude Splunk’s system user, […]

Continue Reading →

Data Usage for Indexer and Forwarders

In my previous role I created this dashboard to identify how much data a Splunk forwarder had sent to my indexers.  This was a daily check that either myself of someone on my team would review.  This check helped us identify a misconfiguration across all of my production Windows servers.  I was able to drilldown […]

Continue Reading →

Windows Sysmon Process Dashboard

(updated on 8/26/2020) Working with a customer I started this dashboard to give a high level overview of Windows Sysmon data.  I have been evolving the dashboard in my home environment and will take any feedback to improve the effectiveness of this dashboard. First is getting sysmon data into your splunk environment.  My home computers […]

Continue Reading →

Windows service activity & MSI installs

Here is a dashboard I built to help you understand the activity of services and MSI installs within a Windows machine.  This dashboard utilizes Post Processing so there is only 2 searches that are launched when the dashboard is loaded to minimize impact on search queuing. Add-on’s: Splunk Add-on for Microsoft Windows – https://splunkbase.splunk.com/app/742/ Video overview […]

Continue Reading →

Forwarder TCP Connections info

This search should help identify which forwarders are connected and give you more information on the forwarders. index=”_internal” sourcetype=”splunkd” source=”*metrics.lo*” group=tcpin_connections component=Metrics | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType==”uf”,”universal forwarder”, fwdType==”lwf”, “lightweight forwarder”,fwdType==”full”, “heavy forwarder”, connectionType==”cooked” or connectionType==”cookedSSL”,”Splunk forwarder”, connectionType==”raw” or connectionType==”rawSSL”,”legacy forwarder”) | eval version=if(isnull(version),”pre 4.2″,version) | eval guid=if(isnull(guid),sourceHost,guid) | eval os=if(isnull(os),”n/a”,os)| eval arch=if(isnull(arch),”n/a”,arch) […]

Continue Reading →

Find passwords in User_Name field

This eval for password can be easily used for any field where a user can accidentally type in a password or even worse both username/password during login which generates a failed event.   Below example is for Windows failed login.  The eval will match 10 or more characters with 1 uppercase, 1 lower case, 1 […]

Continue Reading →