index=<specify index> | eval x=sha256(_raw) | stats count values(host) values(source) values(sourcetype) values(index) by x | where count>1
Find where actual hostnames don’t match the host from the Universal Forwarder
Description: This will provide a list of hosts whose reported host field does not match the actual host name. This lets you find the hosts/IP addresses that need to have the clonefix actions run against them. This can probably be written better to account for host names that include an underscore. Requires access to _internal […]
Remove multiple values from a multivalue field
This Splunk search is an example of how to remove unwanted values from a multivalue field using mvfilter.
| gentimes start=-1 | eval field1="pink,fluffy,unicorns" | table field1 | makemv field1 delim="," | eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy"))
Search for duplicate events in Splunk
index=<indexname> | stats count values(host) values(source) values(sourcetype) values(index) by _raw | WHERE count>1
Parsing Military Time Zones
Sorry but a query would not be elegant.
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TZ_ALIAS = A=GMT+1:00, B=GMT+2:00, C=GMT+3:00, D=GMT+4:00, E=GMT+5:00, F=GMT+6:00, G=GMT+7:00, H=GMT+8:00, I=GMT+9:00, K=GMT+10:00, L=GMT+11:00, M=GMT+12:00
date_zone=local is bad
Impact: since no timezone is present in the events, they are stamped with the local user's timezone. Therefore, viewed from another timezone, the events will not sort in the same order. If no TZ is specified, perhaps we could hard code one.
| tstats count where index=* date_zone=local by index, sourcetype