-
3 weeks, 1 day agoSplunkNinja commented on the post, Number of Hosts Associated with a Serverclass
In reply to: SplunkNinja wrote a new post, Number of Hosts Associated with a Serverclass The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should […] ViewThanks @Lyx for posting a fix!
-
1 month ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewNeil,
Please give this a shot again. I updated the xml escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.Thanks for the comment and letting me know!
-
1 month ago
SplunkNinja wrote a new post, High Level Windows Dashboard
Part 1 – User Logon Activity
The following Splunk Dashboard provides a high level view of windows user logon activity.
It should be emphasized that the focus of this dashboard is fairly high level, has a […]
-
1 month, 2 weeks ago
SplunkNinja wrote a new post, Use TSTATS to find hosts no longer sending data
This is a simple tstats query shows all hosts and sourcetypes that have reported data, and shows the time in seconds since anything was sent. Be sure to run the query over a lengthy period of time in order to […]
-
1 month, 4 weeks ago
SplunkNinja wrote a new post, Number of Hosts Associated with a Serverclass
The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should be run on your Deployment Server.
| rest /services/deployment/server/clients […]-
If this query does not work for you try:
| rest /services/deployment/server/clients splunk_server=local | table hostname applications.*.serverclasses | untable hostname, applications, serverclass | rex field=applications “applications.(?.+).serverclasses” | stats dc(hostname) as hostname b-
Thanks @Lyx for posting a fix!
-
-
-
2 months ago
SplunkNinja wrote a new post, Successful Logons – Windows
The following is a Splunk query that will display a timechart for all successful logons to windows:
source=”WinEventLog:security” EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN (“DWM-*”, “UMFD-*”)
| […] -
2 months ago
SplunkNinja commented on the post, Show Searches with Details (Who | When | What)
In reply to: SplunkNinja wrote a new post, Show Searches with Details (Who | When | What) The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search […] ViewThanks!! Good call :)
-
2 months ago
SplunkNinja wrote a new post, Failed Logon Attempts – Windows
The following Splunk query will show a timechart of failed logon attempts per host:
source=”WinEventLog:security” EventCode=4625
| timechart span=1h count by host
The following Splunk query will show a […] -
2 months, 2 weeks ago
SplunkNinja wrote a new post, Show Searches with Details (Who | When | What)
The following Splunk search will show a list of searches ran on a splunk server with the following details:
Who ran the search
What sourcetype was used
What index was used
What the search string […]-
Thanks!! Good call :)
-
-
3 months, 1 week ago
SplunkNinja wrote a new post, REST API response time
This is a Splunk query to measure REST API response time from the various rest URI’s in Splunk.
index=_internal sourcetype=splunkd_access source=*splunkd_access.log | rex “- – – (?P.*)” | rex “”(?[^”]+)” | […] -
3 months, 1 week ago
SplunkNinja commented on the post, Pass the Hash Detection
In reply to: srilankanmonkey wrote a new post, Pass the Hash Detection index=”wineventlog” ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package=”NTLM” NOT Account_Domain=YOURDOMAIN NOT […] ViewDisclaimer to all viewers: I’m going to leave this query here, but take note to what David Veuve and Anup have said.
-
5 months ago
SplunkNinja commented on the post, List Deployment Apps and the associated serverClass
In reply to: wrangler2x wrote a new post, List Deployment Apps and the associated serverClass | rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, […] Viewwrangler2x,
I’ve updated the query to reflect what you said in the comment. Not sure why you can’t edit, let me know if the issue persists.Thanks for posting and sharing!
-
5 months, 3 weeks ago
SplunkNinja commented on the post, List permissions for Users, roles, allowed indexes and indexes searched by default
In reply to: sedi wrote a new post, List permissions for Users, roles, allowed indexes and indexes searched by default Ok that one is a big one so be prepared ;) The following will: list all users and their roles list […] ViewThis is awesome!
-
6 months ago
SplunkNinja commented on the post, License Usage by Index per Day
In reply to: SplunkNinja wrote a new post, License Usage by Index per Day The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each […] ViewSamthegeek,
You’ll want to add in the additional math for GB.
| eval MB=round(volume/1024/1024,5)
| eval MB=round(volume/1024/1024/1024,5)As you can see above you simply divide by another 1024 to go from MB to GB.
Thanks!
-
6 months ago
SplunkNinja commented on the post, List forwarders generating socket errors due to unkown SSL protocol
In reply to: wrangler2x wrote a new post, List forwarders generating socket errors due to unkown SSL protocol If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you […] ViewThanks wrangler2x!
-
6 months, 3 weeks ago
SplunkNinja wrote a new post, Show Splunk User to Role mapping
The following Splunk REST query shows all roles, number of capabilities, and landing app for each user.
| rest /services/authentication/users
| eval name=coalesce(realname, title)
| stats values(roles) as […] -
7 months ago
SplunkNinja wrote a new post, Apache High Level Visitor Info
The following query gives a breakdown on traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit as you can see below.
sourcetype=access_combined […]
-
7 months ago
SplunkNinja wrote a new post, Direct and Referred Apache Web Traffic
The following query will show all traffic to an Apache web server that is direct, meaning no referring site.
sourcetype=”access_combined” referer=”-” | stats countThe following query will show all traffic […]
-
7 months, 1 week ago
SplunkNinja wrote a new post, Concurrent Users on Apache Web
I’ve been working through this query and depending on the length of time you are looking back you can use one of the following two methods.
Option 1 – Short time window (30 days or less) concurrent users for a […]
-
1 year, 4 months ago
SplunkNinja wrote a new post, Fishies! Fun Query and Easter Egg
Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below!
FYI make sure you run this in real time […]
- Load More
Neil,
Please give this a shot again. I updated the xml escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.
Thanks for the comment and letting me know!