• Search
  • Dashboards
  • Browse
    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime
    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Diagnostics failed logon Firewall IIS index internal license License usage Linux linux audit Login Logon malware Nessus Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshoot troubleshooting tstats Universal Forwarder users Vulnerabilities Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog

Members

SplunkNinja

@hagjos43 Active 2 weeks, 1 day ago
  • 2 years ago

    SplunkNinja commented on the post, Weekend User Activity

    In reply to: SplunkNinja wrote a new post, Weekend User Activity Run the following (modify user field as needed) to show weekend activity: sourcetype="WinEventLog:Security" (date_wday=saturday OR date_wday=sunday) | stats […]

    Feel free to join our discord for a live chat & discussion as well as requests! https://discord.gg/K8CFbB7

  • 2 years ago

    SplunkNinja commented on the post, Weekend User Activity

    In reply to: SplunkNinja wrote a new post, Weekend User Activity Run the following (modify user field as needed) to show weekend activity: sourcetype="WinEventLog:Security" (date_wday=saturday OR date_wday=sunday) | stats […]

    sourcetype="WinEventLog:Security" (date_wday=saturday OR date_wday=sunday) Account_Name="user_name_here" | stats count by Account_Name, date_wday
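    The weekend-logon check above, reimplemented in Python as an added example (not code from the original post): it parses a few constructed WinEventLog:Security-style lines, keeps successful logons (EventCode 4624, a filter the SPL above does not apply, since it counts every Security event on a weekend), and counts by account and weekday the way `stats count by Account_Name, date_wday` does. The line layout and field names are simplified assumptions. It also makes explicit a caveat worth remembering when reading the SPL: Splunk's date_wday is derived from the timestamp as written in the raw event and is not adjusted for time zone, so a host logging in UTC can put a Friday-night logon on the wrong side of the weekend boundary for an office in another zone. The `view_tz` parameter shows the difference.

```python
"""Weekend logon activity over constructed WinEventLog:Security-style lines.

Mirrors the SPL:
  sourcetype="WinEventLog:Security" (date_wday=saturday OR date_wday=sunday)
  Account_Name="user_name_here" | stats count by Account_Name, date_wday
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs): timestamp first, then the fields
# this example relies on. Real 4624 events carry many more fields.
SAMPLE_EVENTS = """\
01/04/2019 11:59:00 PM EventCode=4624 Account_Name=asmith Logon_Type=10
01/05/2019 02:15:00 AM EventCode=4624 Account_Name=jdoe Logon_Type=10
01/05/2019 11:40:00 PM EventCode=4624 Account_Name=svc_backup Logon_Type=5
01/05/2019 11:41:00 PM EventCode=4634 Account_Name=svc_backup Logon_Type=5
01/06/2019 09:05:00 AM EventCode=4624 Account_Name=jdoe Logon_Type=10
01/07/2019 08:00:00 AM EventCode=4624 Account_Name=jdoe Logon_Type=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+)"
)
WEEKEND = {"saturday", "sunday"}


def parse_events(raw, raw_tz=timezone.utc):
    """Yield (timestamp, EventCode, Account_Name) per line.

    The raw timestamps carry no zone, so they are assumed to be in raw_tz
    (UTC here); Splunk has to make the same per-sourcetype assumption.
    """
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the report
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        yield ts.replace(tzinfo=raw_tz), int(m["code"]), m["user"]


def weekend_logons(raw, account=None, view_tz=None):
    """Count successful logons (EventCode 4624) that fall on a weekend.

    Returns {(account, weekday): count}, like 'stats count by Account_Name, date_wday'.
    account: restrict to one Account_Name (the SPL's Account_Name="user_name_here").
    view_tz: if set, the weekday is decided after converting to this zone;
             None behaves like Splunk's date_wday, which uses the raw timestamp as written.
    """
    counts = Counter()
    for ts, code, user in parse_events(raw):
        if code != 4624 or (account is not None and user != account):
            continue
        when = ts.astimezone(view_tz) if view_tz is not None else ts
        wday = when.strftime("%A").lower()  # same vocabulary as date_wday
        if wday in WEEKEND:
            counts[(user, wday)] += 1
    return dict(counts)


if __name__ == "__main__":
    for user_wday, n in sorted(weekend_logons(SAMPLE_EVENTS).items()):
        print(user_wday, n)
    # Same events seen from UTC+2: asmith's Friday 23:59 UTC logon is 01:59 Saturday there.
    office = timezone(timedelta(hours=2))
    for user_wday, n in sorted(weekend_logons(SAMPLE_EVENTS, view_tz=office).items()):
        print("UTC+2", user_wday, n)
```

    Run as-is it prints jdoe and svc_backup as the weekend accounts; with `view_tz` set to UTC+2 asmith joins them, which is the kind of edge the SPL's date_wday silently gets wrong for hosts that log in a different zone than the analyst works in.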

  • 2 years ago

    SplunkNinja commented on the post, exploremydata – data explorer

    In reply to: AzJimbo wrote a new post, exploremydata – data explorer This dashboard provides an overview of the data that is available to query. Click on the index below to review source types in that index, and then a […]

    Been using this for a while, great dashboard!

  • 2 years ago

    SplunkNinja wrote a new post, REST API: Table all Splunk User Email Addresses

    The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I’ve added a semi colon […]

  • 2 years, 6 months ago

    SplunkNinja commented on the post, Windows Dashboard showing Who (was) logged on to ?

    In reply to: DaveyBoy wrote a new post, Windows Dashboard showing Who (was) logged on to ? Dashboard with 3 separate columns which allow you to drill into 3 separate assets to find out who was logged on, when they logged on, […]

    Armando,
    You’ll need to have access to the correct indexes for this, you might need to manually enter the index name if your role doesn’t search all non-internal indexes by default.

  • 2 years, 7 months ago

    SplunkNinja wrote a new post, Character Count Per Event

    Here’s an incredibly simple Splunk query to count the number of characters in an event:
    index=* | eval CharCount=len(_raw)

  • 2 years, 7 months ago

    SplunkNinja wrote a new post, Dashboard for Splunk Infrastructure/Server Specs at a Glance

    This dashboard will show the server or infrastructure specs of your Splunk environment. This is not intended to replace the Monitoring console, but rather augment as sometimes we need a condensed version of what […]

  • 2 years, 11 months ago

    SplunkNinja commented on the post, Failed Attempts to Logon to Splunk Web

    In reply to: SplunkNinja wrote a new post, Failed Attempts to Logon to Splunk Web The following Splunk Search Query will return all users who have failed to logon to the Splunk Web console. This query will also include an […]

    It’s been….~6 months. I’m going to assume I updated the original here :)

  • 3 years ago

    SplunkNinja commented on the post, Apache Traffic Dashboard

    In reply to: SplunkNinja wrote a new post, Apache Traffic Dashboard Description: The following Dashboard is what I use to monitor traffic to GoSplunk. It uses the built in sourcetype of access_combined. No additional […]

    Jay,
    I placed the index=* in there as it will work for any named index. In practice you’ll want to put the name of your index in there. For example: index="web"

  • 3 years, 1 month ago

    SplunkNinja commented on the post, Successful Login to OSX

    In reply to: ItsJohnLocke wrote a new post, Successful Login to OSX The following splunk query (with regex) will return a result of users who have successfully authenticated to an OSX machine: *NOTE* Thanks Bob for […]

    Thanks Bob! It has been fixed :)

  • 3 years, 1 month ago

    SplunkNinja commented on the post, High Level Windows Dashboard

    In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […]

    Hopefully soon :)

  • 3 years, 2 months ago

    SplunkNinja wrote a new post, Apps Deployed from Deployment Server

    Want to show what apps have been deployed to forwarders from a deployment server (DS)? Try this Splunk Search:
    index=_internal sourcetype=splunkd component=DeployedApplication installing
    | stats count […]

  • 3 years, 2 months ago

    SplunkNinja wrote a new post, List of Forwarders that are Deployment Clients

    Need a list of Forwarders that are talking to a Deployment Server? Try this:
    index=_internal sourcetype=splunkd component=DC* Handshake | stats count by host
    Additional REST query (performed on the DS) will […]

  • 3 years, 2 months ago

    SplunkNinja wrote a new post, Successful Logons to WordPress Admin Area

    Ever want more detailed information on authentications to your WordPress Admin Area? This Splunk Query will show detailed information on successful authentications to the wp-admin section of your […]

  • 3 years, 2 months ago

    SplunkNinja commented on the post, License Usage by Index per Day

    In reply to: SplunkNinja wrote a new post, License Usage by Index per Day The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each […]

    Speed Racer,
    Good catch. I think an earlier version of this did have an average but was removed for some reason.

    You’d want to use something like this below but alter it as needed:
    index=_internal source=*license_usage.log type="Usage" splunk_server=*
    | eval Date=strftime(_time, "%Y/%m/%d")
    | streamstats sum(b) as volume
    | eval…
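    An added Python example (not the post's SPL, which is cut off above) of the per-index, per-day license accounting the post describes, run over constructed lines in the shape of splunkd's license_usage.log type=Usage records: it sums the b field (bytes indexed) per idx and calendar day, skips the other record types the file carries (a RolloverSummary line stands in for them, which is what the type="Usage" filter excludes), and then averages the daily totals per index. Host names, sources, index names and byte counts are invented for the example.

```python
"""License usage per index per day over constructed license_usage.log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of splunkd's license_usage.log
# type=Usage records (values invented). b = bytes indexed, idx = target index.
# The RolloverSummary line is here only to show the type filter doing its job.
SAMPLE_LOG = """\
01-07-2019 00:00:05.123 +0000 INFO LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="web1" o="" idx="linux" i="ABCD1234" pool="auto_generated_pool_enterprise" b=1048576 poolsz=536870912000
01-07-2019 00:01:05.123 +0000 INFO LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc1" o="" idx="windows_events" i="ABCD1234" pool="auto_generated_pool_enterprise" b=3145728 poolsz=536870912000
01-07-2019 12:00:05.123 +0000 INFO LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="web2" o="" idx="linux" i="ABCD1234" pool="auto_generated_pool_enterprise" b=2097152 poolsz=536870912000
01-08-2019 00:00:05.123 +0000 INFO LicenseUsage - type=RolloverSummary pool="auto_generated_pool_enterprise" poolsz=536870912000 b=6291456
01-08-2019 00:00:06.456 +0000 INFO LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="web1" o="" idx="linux" i="ABCD1234" pool="auto_generated_pool_enterprise" b=5242880 poolsz=536870912000
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key="quoted value" or key=bare


def parse_usage(raw):
    """Yield (date 'YYYY/MM/DD', idx, bytes) for each type=Usage record."""
    for line in raw.splitlines():
        head, sep, body = line.partition(" - ")
        if not sep:
            continue  # not a splunkd-style "<timestamp> <level> <component> - <kv>" line
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if fields.get("type") != "Usage":
            continue  # RolloverSummary etc. are not per-index usage rows
        # head begins with the splunkd timestamp, e.g. 01-07-2019 00:00:05.123
        ts = datetime.strptime(head[:23], "%m-%d-%Y %H:%M:%S.%f")
        yield ts.strftime("%Y/%m/%d"), fields["idx"], int(fields["b"])


def usage_by_index_per_day(raw):
    """{idx: {date: bytes}}, the equivalent of 'stats sum(b) by Date, idx'."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, idx, nbytes in parse_usage(raw):
        totals[idx][date] += nbytes
    return {idx: dict(days) for idx, days in totals.items()}


def average_daily_usage(raw):
    """Average of the daily totals per index, over the days that index had usage."""
    return {idx: sum(days.values()) / len(days)
            for idx, days in usage_by_index_per_day(raw).items()}


def as_mb(nbytes):
    """Bytes to MiB, rounded, for readable output."""
    return round(nbytes / (1024 * 1024), 2)


if __name__ == "__main__":
    for idx, days in sorted(usage_by_index_per_day(SAMPLE_LOG).items()):
        for date, nbytes in sorted(days.items()):
            print(f"{date} {idx:<15} {as_mb(nbytes):>8} MB")
    for idx, avg in sorted(average_daily_usage(SAMPLE_LOG).items()):
        print(f"average {idx:<15} {as_mb(avg):>8} MB/day")
```

    The day is taken from the record's own timestamp; in a real deployment the license manager's midnight (its local time zone) is the boundary that matters for the daily quota, so bucket on that zone rather than on UTC when the two differ.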

  • 3 years, 3 months ago

    SplunkNinja commented on the post, High Level Windows Dashboard

    In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […]

    The only thing you’ll need to change is the index= section. Currently it says index=windows_events, change that to the index name where your windows data lives. If you don’t know you can do index=* but that is not best practice.

  • 3 years, 3 months ago

    SplunkNinja commented on the post, Accounts Deleted within 24 Hours of Creation

    In reply to: SplunkNinja wrote a new post, Accounts Deleted within 24 Hours of Creation This splunk query unmodified will return results on any account regardless of duration, however it uses an “eval case” argument to […]

    Dinesh,
    Thanks for commenting! Please join our live discussion over in Discord: https://discord.gg/fFJhGPw

    I’d be happy to expand this query upon successful testing!
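    An added Python example (not the post's query) of the create-then-delete correlation the post title describes: it pairs account-created (EventCode 4720) with account-deleted (EventCode 4726) Security events per target account, after sorting by time, and classifies each account the way an eval case() ladder would: deleted within the 24-hour window, deleted later, still present, or deleted without an observed creation. The event lines, the simplified field names Target_Account and Subject_Account, and the account names are constructed for the example.

```python
"""Accounts deleted within 24 hours of creation, over constructed Security events."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs), deliberately out of time order.
# EventCode 4720 = "A user account was created", 4726 = "A user account was
# deleted". Target_Account is the account acted on, Subject_Account the actor.
SAMPLE_EVENTS = """\
01/07/2019 09:00:00 AM EventCode=4720 Target_Account=tmp_svc Subject_Account=admin1
01/07/2019 09:30:00 AM EventCode=4720 Target_Account=new_hire Subject_Account=hr_ops
01/10/2019 10:00:00 AM EventCode=4726 Target_Account=ghost Subject_Account=admin1
01/07/2019 02:00:00 PM EventCode=4726 Target_Account=tmp_svc Subject_Account=admin1
01/07/2019 10:00:00 AM EventCode=4720 Target_Account=ghost Subject_Account=admin1
01/08/2019 08:00:00 AM EventCode=4726 Target_Account=stale Subject_Account=admin1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) EventCode=(?P<code>\d+) "
    r"Target_Account=(?P<target>\S+) Subject_Account=(?P<subject>\S+)"
)
CREATED, DELETED = 4720, 4726


def parse_events(raw):
    """Return [(timestamp, EventCode, target, subject)] sorted by time."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, int(m["code"]), m["target"], m["subject"]))
    return sorted(events)  # order matters: pair a delete with the create before it


def classify_accounts(raw, window=timedelta(hours=24)):
    """Pair each account's first creation with its first deletion and classify.

    Returns {account: {"verdict", "lifetime_hours", "created_by", "deleted_by"}};
    the verdict strings mirror the branches of an eval case() in SPL.
    """
    created, deleted = {}, {}
    for ts, code, target, subject in parse_events(raw):
        if code == CREATED:
            created.setdefault(target, (ts, subject))
        elif code == DELETED:
            deleted.setdefault(target, (ts, subject))

    report = {}
    for acct in sorted(set(created) | set(deleted)):
        c, d = created.get(acct), deleted.get(acct)
        lifetime = (d[0] - c[0]) if c and d else None
        if lifetime is not None and timedelta(0) <= lifetime <= window:
            verdict = "deleted_within_window"
        elif lifetime is not None and lifetime > window:
            verdict = "deleted_later"
        elif lifetime is not None:  # deletion precedes the creation we saw (re-created account)
            verdict = "deleted_before_observed_creation"
        elif c:
            verdict = "still_exists"
        else:
            verdict = "deleted_without_observed_creation"
        report[acct] = {
            "verdict": verdict,
            "lifetime_hours": lifetime.total_seconds() / 3600 if lifetime is not None else None,
            "created_by": c[1] if c else None,
            "deleted_by": d[1] if d else None,
        }
    return report


def short_lived_accounts(raw, window=timedelta(hours=24)):
    """Accounts created and removed inside the window: the post's actual question."""
    return [acct for acct, r in classify_accounts(raw, window).items()
            if r["verdict"] == "deleted_within_window"]


if __name__ == "__main__":
    for acct, r in classify_accounts(SAMPLE_EVENTS).items():
        print(f"{acct:<10} {r['verdict']:<34} lifetime_h={r['lifetime_hours']} "
              f"created_by={r['created_by']} deleted_by={r['deleted_by']}")
    print("short-lived:", short_lived_accounts(SAMPLE_EVENTS))
```

    Keeping the subject of both events in the output is deliberate: an account created and deleted by the same administrator inside a few hours is the pattern a temporary backdoor account leaves behind, and the actor is the first thing an analyst will want.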

  • 3 years, 3 months ago

    SplunkNinja commented on the post, Auditd hosts in all environments

    In reply to: manderso wrote a new post, Auditd hosts in all environments Shows the login activity to our linux environments, sudo commands per host and users. Admin Notes: index=main was changed to index=* due to not […]

    gbr,
    I’m testing the xml and have no issues. Feel free to join our discord and let us know your issue! https://discord.gg/fFJhGPw

  • 3 years, 4 months ago

    SplunkNinja wrote a new post, Regex Extraction for WordPress Version from Apache Logs

    The following Splunk search extracts the WordPress version from your Apache Web Logs. For fun I also did a time chart using 100% stacked bar chart to show by month each version of wordpress used. This was actually […]

  • 3 years, 4 months ago

    SplunkNinja wrote a new post, Utilizing tstats for Page Views within Apache Web Logs

    Here’s a Splunk query to show a timechart of page views from a website running on Apache. Due to the search utilizing tstats, the query will return results incredibly fast over a very LONG period of time if […]


GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk