-
2 years agoSplunkNinja commented on the post, Weekend User Activity
In reply to: SplunkNinja wrote a new post, Weekend User Activity Run the following (modify user field as needed) to show weekend activity:sourcetype="WinEventLog:Security" (date_wday=saturday OR date_wday=sunday) | stats […]ViewFeel free to join our discord for a live chat & discussion as well as requests! https://discord.gg/K8CFbB7
-
2 years ago
SplunkNinja commented on the post, Weekend User Activity
In reply to: SplunkNinja wrote a new post, Weekend User Activity Run the following (modify user field as needed) to show weekend activity:sourcetype="WinEventLog:Security" (date_wday=saturday OR date_wday=sunday) | stats […]Viewsourcetype=”WinEventLog:Security” (date_wday=saturday OR date_wday=sunday) Account_Name=”user_name_here” | stats count by Account_Name, date_wday
-
2 years ago
SplunkNinja commented on the post, exploremydata – data explorer
In reply to: AzJimbo wrote a new post, exploremydata – data explorer This dashboard provides and overview of the data that is available to query. Click on the index below to review source types in that index, and then a […] ViewBeen using this for a while, great dashboard!
-
2 years ago
SplunkNinja wrote a new post, REST API: Table all Splunk User Email Addresses
The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I’ve added a semi colon […]
-
2 years, 6 months ago
SplunkNinja commented on the post, Windows Dashboard showing Who (was) logged on to ?
In reply to: DaveyBoy wrote a new post, Windows Dashboard showing Who (was) logged on to ? Dashboard with 3 separate columns which allow you to drill into 3 separate assets to find out who was logged on, when they logged on, […] ViewArmando,
You’ll need to have access to the correct indexes for this, you might need to manually enter the index name if your role doesn’t search all non-internal indexes by default. -
2 years, 7 months ago
SplunkNinja wrote a new post, Character Count Per Event
Here’s an incredibly simple Splunk query to count the number of characters in an event:
index=* | eval CharCount=len(_raw) -
2 years, 7 months ago
SplunkNinja wrote a new post, Dashboard for Splunk Infrastructure/Server Specs at a Glance
This dashboard will show the server or infrastructure specs of your Splunk environment. This is not intended to replace the Monitoring console, but rather augment as sometimes we need a condensed version of what […]
-
2 years, 11 months ago
SplunkNinja commented on the post, Failed Attempts to Logon to Splunk Web
In reply to: SplunkNinja wrote a new post, Failed Attempts to Logon to Splunk Web The following Splunk Search Query will return all users who have failed to logon to the Splunk Web console. This query will also include an […] ViewIt’s been….~6 months. I’m going to assume I updated the original here :)
-
3 years ago
SplunkNinja commented on the post, Apache Traffic Dashboard
In reply to: SplunkNinja wrote a new post, Apache Traffic Dashboard Description: The following Dashboard is what I use to monitor traffic to GoSplunk. It uses the built in sourcetype of access_combined. No additional […] ViewJay,
I placed the index=* in there as it will work for any named index. In practice you’ll want to put the name of your index in there. For example: index=”web” -
3 years, 1 month ago
SplunkNinja commented on the post, Successful Login to OSX
In reply to: ItsJohnLocke wrote a new post, Successful Login to OSX The following splunk query (with regex) will return a result of users who have successfully authenticated to an OSX machine: *NOTE* Thanks Bob for […] ViewThanks Bob! It has been fixed :)
-
3 years, 1 month ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewHopefully soon :)
-
3 years, 2 months ago
SplunkNinja wrote a new post, Apps Deployed from Deployment Server
Want to show what apps have been deployed to forwarders from a deployment server (DS)? Try this Splunk Search:
index=_internal sourcetype=splunkd component=DeployedApplication installing
| stats count […] -
3 years, 2 months ago
SplunkNinja wrote a new post, List of Forwarders that are Deployment Clients
Need a list of Forwarders that are talking to a Deployment Server? Try this:
index=_internal sourcetype=splunkd component=DC* Handshake | stats count by host
Additional REST query (performed on the DS) will […] -
3 years, 2 months ago
SplunkNinja wrote a new post, Successful Logons to WordPress Admin Area
Ever want more detailed information on authentications to your WordPress Admin Area? This Splunk Query will show detailed information on successful authentications to the wp-admin section of your […]
-
3 years, 2 months ago
SplunkNinja commented on the post, License Usage by Index per Day
In reply to: SplunkNinja wrote a new post, License Usage by Index per Day The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each […] ViewSpeed Racer,
Good catch. I think an earlier version of this did have an average but was removed for some reason.You’d want to use something like this below but alter it as needed:
index=_internal source=*license_usage.log type=”Usage” splunk_server=*
| eval Date=strftime(_time, “%Y/%m/%d”)
| streamstats sum(b) as volume
| eval…[Read more] -
3 years, 3 months ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewThe only thing you’ll need to change is the index= section. Currently it says index=windows_events, change that to the index name where your windows data lives. If you don’t know you can do index=* but that is not best practice.
-
3 years, 3 months ago
SplunkNinja commented on the post, Accounts Deleted within 24 Hours of Creation
In reply to: SplunkNinja wrote a new post, Accounts Deleted within 24 Hours of Creation This splunk query unmodified will return results on any account regardless of duration, however it uses an “eval case” argument to […] ViewDinesh,
Thanks for commenting! Please join our live discussion over in Discord: https://discord.gg/fFJhGPwI’d be happy to expand this query upon successful testing!
-
3 years, 3 months ago
SplunkNinja commented on the post, Auditd hosts in all environments
In reply to: manderso wrote a new post, Auditd hosts in all environments Shows the login activity to our linux environments, sudo commands per host and users. Admin Notes: index=main was changed to index=* due to not […] Viewgbr,
I’m testing the xml and have no issues. Feel free to join our discord and let us know your issue! https://discord.gg/fFJhGPw -
3 years, 4 months ago
SplunkNinja wrote a new post, Regex Extraction for WordPress Version from Apache Logs
The following Splunk search extracts the WordPress version from your Apache Web Logs. For fun I also did a time chart using 100% stacked bar chart to show by month each version of wordpress used. This was actually […]
-
3 years, 4 months ago
SplunkNinja wrote a new post, Utilizing tstats for Page Views within Apache Web Logs
Here’s a Splunk query to show a timechart of page views from a website running on Apache. Due to the search utilizing tstats, the query will return results incredibly fast over a very LONG period of time if […]
- Load More
