|
1 |
| windbag |
This command creates a set of sample data of 100 events
List of index available to your role
|
1 |
|tstats count WHERE index=* OR index=_ BY index |
Don’t forget time modifier is required
Fishies! Fun Query and Easter Egg
Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below! FYI make sure you run this in real time otherwise you won’t see the fun part :)
|
1 |
index=_* OR index=* | head 1 | eval fish="><((*>" | eval fishies=mvappend(fish,fish) | eval fishies=mvappend(fishies,fishies) | eval fishies=mvappend(fishies,fishies) | eval fishies=mvappend(fishies,fishies) | eval spawnify=fishies | mvexpand spawnify | eval fishies=mvjoin(fishies," ") | streamstats count as offset | eval offset=(offset*3) % 7 | addinfo | eval make_swim=round(info_max_time-info_search_time) | eval fishies=substr(fishies,(10*16)-(make_swim-offset+10),100+offset) | fields fishies | streamstats count | eval fishies=if(count==16,"FATAL ERROR: you have unleashed an army of fish.",fishies) | fields fishies | rename fishies as _raw | fields - _time | eval _raw=substr(_raw,0,100) |
Current Vulnerability Summary by Severity (tenable)
Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity.
|
1 |
sourcetype="tenable:sc:vuln" severity.name=* | chart count over severity.name by ip |
Add the following to your dashboard source to add consistent colors to the pie chart: <option name=”charting.fieldColors”>{“Critical”:0x800000,”High”:0xFF0000,”Medium”:0xFFA500,”Low”:0x008000,”Info”:0x0000FF}</option>
Pearson Coefficient of Two Fields
The following SPL query calculates the Pearson coefficient of two fields named x and y.
|
1 2 3 4 5 6 |
index=* | fields x y | eval n=1 | eval xx=x*x | eval xy=x*y | eval yy=y*y | addcoltotals | tail 1 | eval rho_xy=(xy/n-x/n*y/n)/(sqrt(xx/n-(x/n)*(x/n))*sqrt(yy/n-(y/n)*(y/n))) | fields rho_xy |
