• Search
  • Dashboards
  • Browse
    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime
    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Dashboard Diagnostics failed logon Firewall IIS internal license License usage Linux linux audit Login Logon malware Nessus Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshooting tstats Universal Forwarder users Vulnerabilities web Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog

Members

Azeemering

@azeemering active 6 months, 2 weeks ago
  • 12 months ago

    Azeemering wrote a new post, Datamodel Search Performance

    See how well your DM searches are running.
    Run this search using the Line Chart visualization:
    index=_internal sourcetype=scheduler component=SavedSplunker ACCELERATE NOT skipped run_time=*
    | rex […]

  • 1 year, 1 month ago

    Azeemering wrote a new post, Breathing Fire Dragon when Starting dbx_task_server

    index=_internal sourcetype=dbx_server Starting dbx_task_server
    Will return events that display a little dragon ascii art:

    |___/|
    (, /,)
    / /
    (@_^_@)/ […]

  • 1 year, 8 months ago

    Azeemering wrote a new post, Show your triggered alerts

    This search shows all the alerts that were triggered in your splunk environment:
    index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time) | table […]

    • riparino replied 9 months, 2 weeks ago

      This only measures triggered alerts though, no? If you do not have an action set to trigger a “Triggered Alert”, this won’t give back correct stats.

      • riparino replied 9 months, 2 weeks ago

        I re-read the title and got the right context for it now. Ty.

  • 1 year, 8 months ago

    Azeemering wrote a new post, Evaluate Fahrenheit to Celsius

    Quick snippet to evaluate temperature Fahrenheit to Celsius:
    | eval Temperature_Fahrenheit=Temperature_Celsius*1.8+32

  • 1 year, 10 months ago

    Azeemering wrote a new post, Find unused dashboards

    Use this search to find unused dashboards:
    | rest /servicesNS/-/-/data/ui/views splunk_server=*
    | search isDashboard=1
    | rename eai:acl.app as app
    | fields title app
    | join type=left title
    [| search […]

  • 2 years ago

    Azeemering wrote a new post, Check your strftime is correct in the props.conf

    A simple method on checking if your strftime (TIME_FORMAT=) in the props.conf matches your log file timestamp format.

    strftime(X,Y)
    This function takes a UNIX time value, X, as the first argument and renders the […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Saved Search Scheduler Activity

    I use this query a lot to tune and adjust scheduling, find out what searches need attention:
    index=_internal sourcetype=scheduler result_count | extract pairdelim=",", kvdelim="=", auto=f | stats avg(result_count) […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Show indexing queue sizes

    Use a linechart with this search to show you the indexing queue sizes:
    index=_internal source=*metrics.log group=queue (name=parsingqueue OR name=indexqueue OR name=typingqueue OR name=aggqueue) | timechart […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Percentage of skipped searches

    This query will give you a table with a percentage of skipped searches and an evaluation with 3 ranges:
    index=_internal sourcetype=scheduler | stats count as total, count(eval(status="skipped")) as skipped | eval […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Retention Period in days per index

    This query will give you a table of all indexes and their respective retention period in days:
    | rest splunk_server=* /services/data/indexes | join type=outer title [
    | rest splunk_server=* […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Bucket Count by indexer/index

    This search displays the number of buckets per indexer/index.

    To learn more about the | dbinspect command go to:

    |dbinspect index=* | search index!=_* | chart dc(bucketId) over splunk_server by index

  • 2 years, 7 months ago

    Azeemering wrote a new post, Bucket Count by State over Index

    This search counts the number of buckets per state for each index.

    To learn more about | dbinspect go to:

    |dbinspect index=* | eval state=case(state=="warm" OR state=="hot","hot/warm",1=1, state) | chart […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Memory Usage (MB) per Splunk Process Class

    Use the following search with a column chart visualisation. It will give you a good overview of what Splunk processes use the most memory:
    index=_introspection sourcetype=splunk_resource_usage […]

    • ItsJohnLocke replied 2 years, 7 months ago

      I modified this to fit my environment by specifying a host specifically (where you have host=*).

      Thanks for sharing, I’ve added it to an internal admin dashboard!

  • 2 years, 7 months ago

    Azeemering wrote a new post, Universal Forwarder Throughput Limit Hit Count

    This search counts the number of times the UF’s throughput limit is hit. I also threw in a sparkline:
    index=_internal sourcetype=splunkd "current data throughput" | rex "Current data throughput ((?S+)" | eval […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Top 10 Accessed Dashboards

    Where "host="your_sh_host"" you could specify a host, or put a wildcard * in place.
    index="_internal" source=*access.log user!="-" */app/* (host="your_sh_host")
    | rex field=referer […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Universal Forwarder Throughput Statistics

    This search creates a table to list all Universal Forwarders. There is also an eval in there that classifies hosts based on their average Kbps. You can modify this as needed.
    index=_internal source=*metrics.log […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Timechart of the status of a Locked Out Account

    This query will show a timechart of the status of a Locked Out Account:
    sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count

  • 2 years, 7 months ago

    Azeemering wrote a new post, Active Directory Password change attempts

    Use the following search to create a stacked barchart of AD Password change attempts:
    source="WinEventLog:Security" "EventCode=4723" src_user!="*$" src_user!="_svc_*" | eval daynumber=strftime(_time,"%Y-%m-%d") | […]

  • 2 years, 7 months ago

    Azeemering wrote a new post, Add a count of events by fieldname

    The streamstats count command creates a field called eventCount that displays the number of events from the fieldname you specify:
    | streamstats count as eventCount by fieldname

  • 2 years, 7 months ago

    Azeemering wrote a new post, List all fields for an index

    A few different queries / methods to list all fields for indexes.
    index=yourindex | fieldsummary | table field
    or
    index=yourindex | stats values(*) AS * | transpose | table column | rename column AS Fiel […]

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk