Fun Stuff & Helpful Hints Archives -

Find unused dashboards

_audit/ _internal/ Fun Stuff & Helpful Hints
Azeemering
1 0

Use this search to find unused dashboards:

| rest /servicesNS/-/-/data/ui/views splunk_server=* 
| search isDashboard=1 
| rename eai:acl.app as app 
| fields title app 
| join type=left title 
[| search index=_internal sourcetype=splunk_web_access host=* user=* 
| rex field=uri_path ".*/(?<title>[^/]*)$" 
| stats latest(_time) as Time latest(user) as user by title
] 
| where isnotnull(Time) 
| eval Now=now() 
| eval "Days since last accessed"=round((Now-Time)/86400,2) 
| sort - "Days since last accessed" 
| convert ctime(Time) 
| fields - Now

| rest /servicesNS/-/-/data/ui/views splunk_server=*

| search isDashboard=1

| rename eai:acl.app as app

| fields title app

| join type=left title

[| search index=_internal sourcetype=splunk_web_access host=* user=*

| rex field=uri_path ".*/(?<title>[^/]*)$"

| stats latest(_time) as Time latest(user) as user by title

]

| where isnotnull(Time)

| eval Now=now()

| eval "Days since last accessed"=round((Now-Time)/86400,2)

| sort - "Days since last accessed"

| convert ctime(Time)

| fields - Now

Admin Notes – Fantastic query! I modified the SPL slightly as I had an issue when I copied it to my two test environments.

Continue Reading →

List all ES Correlation Searches

Enterprise Security/ Fun Stuff & Helpful Hints
akhamis
4 0

| rest splunk_server=local count=0 /services/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)" 
| rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)" 
| rename
    action.correlationsearch.label as Search_Name
    title as Rule_Name
    eai:acl.app as Application_Context
    request.ui_dispatch_app as UI_Dispatch_Context
    description as Description
    Data_Model as Guided_Mode:Data_Model
    Dataset as Guided_Mode:Dataset
    action.customsearchbuilder.enabled as Guided_Mode
    action.customsearchbuilder.spec as Guided_Mode:Search_Logic
    search as Search
    dispatch.earliest_time as Earliest_Time
    dispatch.latest_time as Latest_Time
    cron_schedule as Cron_Schedule
    schedule_window as Schedule_Window
    schedule_priority as Schedule_Priority
    alert_type as Trigger_Conditions:Trigger_Alert_When
    alert_comparator as Trigger_Conditions:Alert_Comparator
    alert_threshold as Trigger_Conditions:Alert_Threshold
    alert.suppress.period as Throttling:Window_Duration
    alert.suppress.fields as Throttling:Fields_To_Group_By
    action.notable.param.rule_title as Notable:Title
    action.notable.param.rule_description as Notable:Description
    action.notable.param.security_domain as Notable:Security_Domain
    action.notable.param.severity as Notable:Severity
    action.notable.param.default_owner as Notable:Default_Owner
    action.notable.param.default_status as Notable:Default_Status
    action.notable.param.drilldown_name as Notable:Drill-down_Name
    action.notable.param.drilldown_search as Notable:Drill-down_Search
    action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset
    action.notable.param.drilldown_latest_offset as Notable:drill-down_Latest_Offset
    action.notable.param.next_steps as Notable:Next_Steps
    action.risk.param._risk_score as Risk_Analysis:Risk_Score
    action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field
    action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type 
| eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No") 
| eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No") 
| table
    disabled 
    Search_Name,
    Rule_Name,
    Application_Context,
    UI_Dispatch_Context,
    Description,
    Guided_Mode:Enabled,
    Guided_Mode:Data_Model,
    Guided_Mode:Dataset,
    Guided_Mode:Search_Logic,
    Search,
    Earliest_Time,
    Latest_Time,
    Cron_Schedule,
    Real-time_Scheduling_Enabled,
    Schedule_Window,
    Schedule_Priority,
    Trigger_Conditions:Trigger_Alert_When,
    Trigger_Conditions:Alert_Comparator,
    Trigger_Conditions:Alert_Threshold,
    Throttling:Window_Duration,
    Throttling:Fields_To_Group_By,
    Notable:Title,
    Notable:Description,
    Notable:Security_Domain,
    Notable:Severity,
    Notable:Default_Owner,
    Notable:Default_Status,
    Notable:Drill-down_Name,
    Notable:Drill-down_Search,
    Notable:Drill-down_Earliest_Offset,
    Notable:drill-down_Latest_Offset,
    Notable:Next_Steps,
    Risk_Analysis:Risk_Score,
    Risk_Analysis:Risk_Object_Field,
    Risk_Analysis:Risk_Object_Type

| rest splunk_server=local count=0 /services/saved/searches

| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")

| rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)"

| rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)"

| rename

action.correlationsearch.label as Search_Name

title as Rule_Name

eai:acl.app as Application_Context

request.ui_dispatch_app as UI_Dispatch_Context

description as Description

Data_Model as Guided_Mode:Data_Model

Dataset as Guided_Mode:Dataset

action.customsearchbuilder.enabled as Guided_Mode

action.customsearchbuilder.spec as Guided_Mode:Search_Logic

search as Search

dispatch.earliest_time as Earliest_Time

dispatch.latest_time as Latest_Time

cron_schedule as Cron_Schedule

schedule_window as Schedule_Window

schedule_priority as Schedule_Priority

alert_type as Trigger_Conditions:Trigger_Alert_When

alert_comparator as Trigger_Conditions:Alert_Comparator

alert_threshold as Trigger_Conditions:Alert_Threshold

alert.suppress.period as Throttling:Window_Duration

alert.suppress.fields as Throttling:Fields_To_Group_By

action.notable.param.rule_title as Notable:Title

action.notable.param.rule_description as Notable:Description

action.notable.param.security_domain as Notable:Security_Domain

action.notable.param.severity as Notable:Severity

action.notable.param.default_owner as Notable:Default_Owner

action.notable.param.default_status as Notable:Default_Status

action.notable.param.drilldown_name as Notable:Drill-down_Name

action.notable.param.drilldown_search as Notable:Drill-down_Search

action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset

action.notable.param.drilldown_latest_offset as Notable:drill-down_Latest_Offset

action.notable.param.next_steps as Notable:Next_Steps

action.risk.param._risk_score as Risk_Analysis:Risk_Score

action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field

action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type

| eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No")

| eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No")

| table

disabled

Search_Name,

Rule_Name,

Application_Context,

UI_Dispatch_Context,

Description,

Guided_Mode:Enabled,

Guided_Mode:Data_Model,

Guided_Mode:Dataset,

Guided_Mode:Search_Logic,

Search,

Earliest_Time,

Latest_Time,

Cron_Schedule,

Real-time_Scheduling_Enabled,

Schedule_Window,

Schedule_Priority,

Trigger_Conditions:Trigger_Alert_When,

Trigger_Conditions:Alert_Comparator,

Trigger_Conditions:Alert_Threshold,

Throttling:Window_Duration,

Throttling:Fields_To_Group_By,

Notable:Title,

Notable:Description,

Notable:Security_Domain,

Notable:Severity,

Notable:Default_Owner,

Notable:Default_Status,

Notable:Drill-down_Name,

Notable:Drill-down_Search,

Notable:Drill-down_Earliest_Offset,

Notable:drill-down_Latest_Offset,

Notable:Next_Steps,

Risk_Analysis:Risk_Score,

Risk_Analysis:Risk_Object_Field,

Risk_Analysis:Risk_Object_Type

Continue Reading →

Add a count of events by fieldname

The streamstats count command creates a field called eventCount that displays the amount of events from the fieldname you specify:

| streamstats count as eventCount by fieldname

1	\| streamstats count as eventCount by fieldname

Continue Reading →

Easter egg that created sample data

 | windbag

| windbag

This command creates a set of sample data of 100 events

Continue Reading →

List of index available to your role

|tstats count WHERE index=* OR index=_ BY index

1	\|tstats count WHERE index=* OR index=_ BY index

Don’t forget time modifier is required

Continue Reading →

Fishies! Fun Query and Easter Egg

Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below! FYI make sure you run this in real time otherwise you won’t see the fun part :)

index=_* OR index=* | head 1 | eval fish="><((*>" | eval fishies=mvappend(fish,fish) | eval fishies=mvappend(fishies,fishies) | eval fishies=mvappend(fishies,fishies) | eval fishies=mvappend(fishies,fishies) | eval spawnify=fishies | mvexpand spawnify | eval fishies=mvjoin(fishies," ") | streamstats count as offset | eval offset=(offset*3) % 7 | addinfo | eval make_swim=round(info_max_time-info_search_time) | eval fishies=substr(fishies,(10*16)-(make_swim-offset+10),100+offset) | fields fishies | streamstats count | eval fishies=if(count==16,"FATAL ERROR: you have unleashed an army of fish.",fishies) | fields fishies | rename fishies as _raw | fields - _time | eval _raw=substr(_raw,0,100)

Continue Reading →

Current Vulnerability Summary by Severity (tenable)

Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity.

sourcetype="tenable:sc:vuln" severity.name=* | chart count over severity.name by ip

1	sourcetype="tenable:sc:vuln" severity.name=* \| chart count over severity.name by ip

Add the following to your dashboard source to add consistent colors to the pie chart: <option name=”charting.fieldColors”>{“Critical”:0x800000,”High”:0xFF0000,”Medium”:0xFFA500,”Low”:0x008000,”Info”:0x0000FF}</option>

Continue Reading →

Pearson Coefficient of Two Fields

yangzd
3 0

The following SPL query calculates the Pearson coefficient of two fields named x and y.

index=*
| fields x y
| eval n=1 | eval xx=x*x | eval xy=x*y | eval yy=y*y
| addcoltotals | tail 1
| eval rho_xy=(xy/n-x/n*y/n)/(sqrt(xx/n-(x/n)*(x/n))*sqrt(yy/n-(y/n)*(y/n)))
| fields rho_xy

index=*

| fields x y

| eval n=1 | eval xx=x*x | eval xy=x*y | eval yy=y*y

| addcoltotals | tail 1

| eval rho_xy=(xy/n-x/n*y/n)/(sqrt(xx/n-(x/n)*(x/n))*sqrt(yy/n-(y/n)*(y/n)))

| fields rho_xy

Continue Reading →

Sourcetype: Fun Stuff & Helpful Hints

Find unused dashboards

List all ES Correlation Searches

Add a count of events by fieldname

List all fields for an index

Easter egg that created sample data

List of index available to your role

Fishies! Fun Query and Easter Egg

Current Vulnerability Summary by Severity (tenable)

Pearson Coefficient of Two Fields