Identify Knowledge Objects, Permissions and Extractions

The following will list all knowledge objects for your search head (SH), or for the given search peer(s): each object's name, type, app, permissions, sharing (e.g. global, app, private) and owner; for props extractions, the props stanza, props type (e.g. whether it is Inline or Transforms), props sourcetype and props value (e.g. the regex); for transforms extractions, the state (tf_disabled), format (tf_format), tf_fields […]


Sysmon – Command Line for Non-Local Connections


Sysmon – Outbound Connections by Process


Sysmon – Find Processes with Renamed Executables


Overall CVSS Score (Tenable)

Tenable uses the CVSS scoring method for detected vulnerabilities. To compute an overall CVSS score, use the following query:


Pearson Coefficient of Two Fields

The following SPL query calculates the Pearson coefficient of two fields named x and y.


Linux Free Disk Space

The following Splunk query shows a percentage of free disk space over a period of time using timechart:


Linux Memory Usage

The following Splunk search will show memory usage on a Linux machine over a period of time using timechart:


Linux CPU Usage

The following query will output CPU usage per host over a period of time using timechart:


Convert Non-Timestamp Time to Epoch

Scenario: You have a non-timestamp field that you need to convert to epoch time in order to run statistics on it within Splunk. Here's how you do it:


List of Indexes

This simple Splunk query will return results for the indexes that the current user (typically you) has access to. *NOTE* Depending on settings, this may or may not return internal indexes.


Rename _time field in a TimeChart

When running a Splunk timechart search query you may wish to rename the _time field. In order to do this you must first save the search to a dashboard or report. Once saved, edit the source and add the following in the panel:

This can be added right before the closing "</chart>" tag.


Splunk License Usage Over the Last 30 Days

The following Splunk search will show license usage over the past 30 days:


Splunk License Gauge

This Splunk search query will show current license usage as a gauge.


List of Source Names and Frequency of Events

The following Splunk query will output a list of all SourceNames in a Windows environment and include a sparkline to indicate event frequency:
