index=<your JSON index> | spath input=<your field w/ nested JSON data> path={} | mvexpand {} | spath input={}
List Notable events with closing history details
`notable` | stats latest(lastTime) as LastTimeSeen values(rule_name) as “Rule Name” values(comment) as “Historical Analysis” values(user) as User by _time event_id, urgency | eval LastTimeSeen=strftime(LastTimeSeen,”%+”)
Character Count Per Event
Here’s an incredibly simple Splunk query to count the number of characters in an event: index=* | eval CharCount=len(_raw)
Breathing Fire Dragon when Starting dbx_task_server
index=_internal sourcetype=dbx_server Starting dbx_task_server Will return events that display a little dragon ascii art: |\___/| (,\ /,)\ / / \ (@_^_@)/ \ W//W_/ \ (//) | \ (/ /) _|_ / ) \ (// /) ‘/,_ _ _/ (~^-. (( // )) ,-{ _ `. (( /// )) ‘/\ / | (( ///)) `. { […]
Multiple Malware Detections on a Single Host
This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and incorporating a search over a longer time span (say 60m) is I found it to provide better results and less false negatives if the infrastructure isn’t setup to ingest data in near real-time. index=malware category=”something_high_fidelity” | […]
Baselining Dashboard
This is better and more flexible option then timewrap in my opinion. Performance ain’t too shabby either. index=foo earliest=-1d latest=now | timechart span=10m count as Current | appendcols [ search index=foo earliest=-1mon-1d latest=-mon | timechart span=10m count as “-1 Month”] | appendcols [ search index=foo earliest=-1w-1d latest=-w | timechart span=10m count as “-1 Week”]
Disk Usage per Index by Indexer
Summary: Instead of grabbing data from all time, using the dbinspect command will allow administrators to quickly determine how big an index is. There are additional fields in the dbinspect, so explore that to gain other data pivots. |dbinspect index=_internal | stats sum(sizeOnDiskMB) by splunk_server
Exclude single event type from logs
Do this on HF transforms.conf: [discard_gotoips] REGEX = <<<use regex,URL>>> DEST_KEY = queue FORMAT = nullQueue props.conf: [default] TRANSFORMS-null = discard_gotoips File location: /etc/system/local
Find unused dashboards
Use this search to find unused dashboards: | rest /servicesNS/-/-/data/ui/views splunk_server=* | search isDashboard=1 | rename eai:acl.app as app | fields title app | join type=left title [| search index=_internal sourcetype=splunk_web_access host=* user=* | rex field=uri_path “.*/(?<title>[^/]*)$” | stats latest(_time) as Time latest(user) as user by title ] | where isnotnull(Time) | eval Now=now() | […]
List all ES Correlation Searches
| rest splunk_server=local count=0 /services/saved/searches | where match(‘action.correlationsearch.enabled’, “1|[Tt]|[Tt][Rr][Uu][Ee]”) | rex field=action.customsearchbuilder.spec “datamodel\\\”:\s+\\\”(?<Data_Model>\w+)” | rex field=action.customsearchbuilder.spec “object\\\”:\s+\\\”(?<Dataset>\w+)” | rename action.correlationsearch.label as Search_Name title as Rule_Name eai:acl.app as Application_Context request.ui_dispatch_app as UI_Dispatch_Context description as Description Data_Model as Guided_Mode:Data_Model Dataset as Guided_Mode:Dataset action.customsearchbuilder.enabled as Guided_Mode action.customsearchbuilder.spec as Guided_Mode:Search_Logic search as Search dispatch.earliest_time as Earliest_Time dispatch.latest_time as Latest_Time […]
Add a count of events by fieldname
The streamstats count command creates a field called eventCount that displays the amount of events from the fieldname you specify: | streamstats count as eventCount by fieldname
List all fields for an index
A few different queries / methods to list all fields for indexes. index=yourindex| fieldsummary | table field or index=yourindex | stats values(*) AS * | transpose | table column | rename column AS Fieldnames or index=yourindex | stats dc() as * | transpose or ;-) index=yourindex | table *
Easter egg that created sample data
| windbag This command creates a set of sample data of 100 events
List of index available to your role
|tstats count WHERE index=* OR index=_ BY index Don’t forget time modifier is required
Fishies! Fun Query and Easter Egg
Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below! FYI make sure you run this in real time otherwise you won’t see the fun part :) index=_* OR index=* […]
Current Vulnerability Summary by Severity (tenable)
Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity. sourcetype=”tenable:sc:vuln” severity.name=* | chart count over severity.name by ip Add the following to your dashboard source to add consistent colors to the pie chart: <option name=”charting.fieldColors”>{“Critical”:0x800000,”High”:0xFF0000,”Medium”:0xFFA500,”Low”:0x008000,”Info”:0x0000FF}</option>
Pearson Coefficient of Two Fields
The following SPL query calculates the Pearson coefficient of two fields named x and y. index=* | fields x y | eval n=1 | eval xx=x*x | eval xy=x*y | eval yy=y*y | addcoltotals | tail 1 | eval rho_xy=(xy/n-x/n*y/n)/(sqrt(xx/n-(x/n)*(x/n))*sqrt(yy/n-(y/n)*(y/n))) | fields rho_xy
