-
20 hours, 47 minutes agoSplunkNinja wrote a new post, Apps Deployed from Deployment Server
Want to show what apps have been deployed to forwarders from a deployment server (DS)? Try this Splunk Search:
index=_internal sourcetype=splunkd component=DeployedApplication installing | stats count […] -
20 hours, 49 minutes ago
SplunkNinja wrote a new post, List of Forwarders that are Deployment Clients
Need a list of Forwarders that are talking to a Deployment Server? Try this:
index=_internal sourcetype=splunkd component=DC* Handshake | stats count by host -
1 day, 13 hours ago
SplunkNinja wrote a new post, Successful Logons to WordPress Admin Area
Ever want more detailed information on authentications to your WordPress Admin Area? This Splunk Query will show detailed information on successful authentications to the wp-admin section of your […]
-
6 days, 8 hours ago
SplunkNinja commented on the post, License Usage by Index per Day
In reply to: SplunkNinja wrote a new post, License Usage by Index per Day The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each […] ViewSpeed Racer,
Good catch. I think an earlier version of this did have an average but was removed for some reason.You’d want to use something like this below but alter it as needed:
index=_internal source=*license_usage.log type=”Usage” splunk_server=*
| eval Date=strftime(_time, “%Y/%m/%d”)
| streamstats sum(b) as volume
| eval…[Read more] -
1 month, 1 week ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewThe only thing you’ll need to change is the index= section. Currently it says index=windows_events, change that to the index name where your windows data lives. If you don’t know you can do index=* but that is not best practice.
-
1 month, 3 weeks ago
SplunkNinja commented on the post, Accounts Deleted within 24 Hours of Creation
In reply to: SplunkNinja wrote a new post, Accounts Deleted within 24 Hours of Creation This splunk query unmodified will return results on any account regardless of duration, however it uses an “eval case” argument to […] ViewDinesh,
Thanks for commenting! Please join our live discussion over in Discord: https://discord.gg/fFJhGPwI’d be happy to expand this query upon successful testing!
-
1 month, 3 weeks ago
SplunkNinja commented on the post, Auditd hosts in all environments
In reply to: manderso wrote a new post, Auditd hosts in all environments Shows the login activity to our linux environments, sudo commands per host and users. Admin Notes: index=main was changed to index=* due to not […] Viewgbr,
I’m testing the xml and have no issues. Feel free to join our discord and let us know your issue! https://discord.gg/fFJhGPw -
2 months, 2 weeks ago
SplunkNinja wrote a new post, Regex Extraction for WordPress Version from Apache Logs
The following Splunk search extracts the WordPress version from your Apache Web Logs. For fun I also did a time chart using 100% stacked bar chart to show by month each version of wordpress used. This was actually […]
-
2 months, 2 weeks ago
SplunkNinja wrote a new post, Utilizing tstats for Page Views within Apache Web Logs
Here’s a Splunk query to show a timechart of page views from a website running on Apache. Due to the search utilizing tstats, the query will return results incredibly fast over a very LONG period of time if […]
-
2 months, 4 weeks ago
SplunkNinja commented on the post, Dashboard and App views by user
In reply to: john117 wrote a new post, Dashboard and App views by user This Splunk query / search shows historical access to dashboards and apps on a local splunk server. index=_internal sourcetype=splunk_web_access host=* […] ViewInogues,
Absolutely! I’ll edit this to fix it :)
-
3 months ago
SplunkNinja wrote a new post, Successful File Access Attempts and Filename Accessed
Ever need to find when a user accessed a file within a Windows environment? The following Splunk query will show successful file accesses by each user for a given day. Depending on the size of your environment […]
-
3 months, 1 week ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewMike,
You would create a new dashboard, and copy and paste the xml into the “source” of the dashboard. This can all be done within the web interface.If you have any issues, please join our discord!
-
3 months, 2 weeks ago
SplunkNinja wrote a new post, Internal Splunk User Stats
This simple Splunk query will show us unique Splunk user logged into Splunk per day, as well as total count of log-ons.
index=_audit info=succeeded | timechart span=1d dc(user) as unique_users count(user) as logons_all_users -
3 months, 2 weeks ago
SplunkNinja wrote a new post, Apache Traffic Dashboard
Description:
The following Dashboard is what I use to monitor traffic to GoSplunk. It uses the built in sourcetype of access_combined. No additional add-on’s or TA’s are required. I replaced my index with […]
-
4 months, 3 weeks ago
SplunkNinja commented on the post, Number of Hosts Associated with a Serverclass
In reply to: SplunkNinja wrote a new post, Number of Hosts Associated with a Serverclass The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should […] ViewThanks @Lyx for posting a fix!
-
5 months ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewNeil,
Please give this a shot again. I updated the xml escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.Thanks for the comment and letting me know!
-
5 months ago
SplunkNinja wrote a new post, High Level Windows Dashboard
Part 1 – User Logon Activity
The following Splunk Dashboard provides a high level view of windows user logon activity.
It should be emphasized that the focus of this dashboard is fairly high level, has a […]
-
5 months, 2 weeks ago
SplunkNinja wrote a new post, Use TSTATS to find hosts no longer sending data
This is a simple tstats query shows all hosts and sourcetypes that have reported data, and shows the time in seconds since anything was sent. Be sure to run the query over a lengthy period of time in order to […]
-
5 months, 4 weeks ago
SplunkNinja wrote a new post, Number of Hosts Associated with a Serverclass
The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should be run on your Deployment Server.
| rest /services/deployment/server/clients […]-
If this query does not work for you try:
| rest /services/deployment/server/clients splunk_server=local | table hostname applications.*.serverclasses | untable hostname, applications, serverclass | rex field=applications “applications.(?.+).serverclasses” | stats dc(hostname) as hostname b-
Thanks @Lyx for posting a fix!
-
-
-
6 months ago
SplunkNinja wrote a new post, Successful Logons – Windows
The following is a Splunk query that will display a timechart for all successful logons to windows:
source=”WinEventLog:security” EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN (“DWM-*”, “UMFD-*”)
| […] - Load More
Neil,
Please give this a shot again. I updated the xml escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.
Thanks for the comment and letting me know!
Mike,
You would create a new dashboard, and copy and paste the xml into the “source” of the dashboard. This can all be done within the web interface.
If you have any issues, please join our discord!
https://discord.gg/fFJhGPw
The only thing you’ll need to change is the index= section. Currently it says index=windows_events, change that to the index name where your windows data lives. If you don’t know you can do index=* but that is not best practice.