Fun Stuff & Helpful Hints Archives -

Add a count of events by fieldname

The streamstats count command creates a field called eventCount that displays the amount of events from the fieldname you specify:

| streamstats count as eventCount by fieldname

1	\| streamstats count as eventCount by fieldname

Continue Reading →

List all fields for an index

A few different queries / methods to list all fields for indexes.

index=yourindex| fieldsummary | table field

1	index=yourindex\| fieldsummary \| table field

index=yourindex | stats values(*) AS * | transpose | table column | rename column AS Fieldnames

1	index=yourindex \| stats values() AS \| transpose \| table column \| rename column AS Fieldnames

index=yourindex | stats dc() as * | transpose

1	index=yourindex \| stats dc() as * \| transpose

or ;-)

index=yourindex | table *

1	index=yourindex \| table *

Continue Reading →

Easter egg that created sample data

 | windbag

| windbag

This command creates a set of sample data of 100 events

Continue Reading →

List of index available to your role

|tstats count WHERE index=* OR index=_ BY index

1	\|tstats count WHERE index=* OR index=_ BY index

Don’t forget time modifier is required

Continue Reading →

Fishies! Fun Query and Easter Egg

Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below! FYI make sure you run this in real time otherwise you won’t see the fun part :)

index=_* OR index=* | head 1 | eval fish="><((*>" | eval fishies=mvappend(fish,fish) | eval fishies=mvappend(fishies,fishies) | eval fishies=mvappend(fishies,fishies) | eval fishies=mvappend(fishies,fishies) | eval spawnify=fishies | mvexpand spawnify | eval fishies=mvjoin(fishies," ") | streamstats count as offset | eval offset=(offset*3) % 7 | addinfo | eval make_swim=round(info_max_time-info_search_time) | eval fishies=substr(fishies,(10*16)-(make_swim-offset+10),100+offset) | fields fishies | streamstats count | eval fishies=if(count==16,"FATAL ERROR: you have unleashed an army of fish.",fishies) | fields fishies | rename fishies as _raw | fields - _time | eval _raw=substr(_raw,0,100)

Continue Reading →

Current Vulnerability Summary by Severity (tenable)

Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity.

sourcetype="tenable:sc:vuln" severity.name=* | chart count over severity.name by ip

1	sourcetype="tenable:sc:vuln" severity.name=* \| chart count over severity.name by ip

Add the following to your dashboard source to add consistent colors to the pie chart: <option name=”charting.fieldColors”>{“Critical”:0x800000,”High”:0xFF0000,”Medium”:0xFFA500,”Low”:0x008000,”Info”:0x0000FF}</option>

Continue Reading →

Pearson Coefficient of Two Fields

yangzd
3 0

The following SPL query calculates the Pearson coefficient of two fields named x and y.

index=*
| fields x y
| eval n=1 | eval xx=x*x | eval xy=x*y | eval yy=y*y
| addcoltotals | tail 1
| eval rho_xy=(xy/n-x/n*y/n)/(sqrt(xx/n-(x/n)*(x/n))*sqrt(yy/n-(y/n)*(y/n)))
| fields rho_xy

index=*

| fields x y

| eval n=1 | eval xx=x*x | eval xy=x*y | eval yy=y*y

| addcoltotals | tail 1

| eval rho_xy=(xy/n-x/n*y/n)/(sqrt(xx/n-(x/n)*(x/n))*sqrt(yy/n-(y/n)*(y/n)))

| fields rho_xy

Continue Reading →

Sourcetype: Fun Stuff & Helpful Hints

Add a count of events by fieldname

List all fields for an index

Easter egg that created sample data

List of index available to your role

Fishies! Fun Query and Easter Egg

Current Vulnerability Summary by Severity (tenable)

Pearson Coefficient of Two Fields