-
32 minutes agoSplunkNinja wrote a new post, Successful Logons – Windows
The following is a Splunk query that will display a timechart for all successful logons to windows:
source=”WinEventLog:security” EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) […] -
55 minutes ago
SplunkNinja commented on the post, Show Searches with Details (Who | When | What)
In reply to: SplunkNinja wrote a new post, Show Searches with Details (Who | When | What) The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search […] ViewThanks!! Good call :)
-
2 hours, 9 minutes ago
SplunkNinja wrote a new post, Failed Logon Attempts – Windows
The following Splunk query will show a timechart of failed logon attempts per host:
source=”WinEventLog:security” EventCode=4625
| timechart span=1h count by host
The following Splunk query will show a […] -
1 week, 5 days ago
SplunkNinja wrote a new post, Show Searches with Details (Who | When | What)
The following Splunk search will show a list of searches ran on a splunk server with the following details:
Who ran the search
What sourcetype was used
What index was used
What the search string […] -
1 month ago
SplunkNinja wrote a new post, REST API response time
This is a Splunk query to measure REST API response time from the various rest URI’s in Splunk.
index=_internal sourcetype=splunkd_access source=*splunkd_access.log | rex “- – – (?P.*)” | rex “”(?[^”]+)” | […] -
1 month ago
SplunkNinja commented on the post, Pass the Hash Detection
In reply to: srilankanmonkey wrote a new post, Pass the Hash Detection index=”wineventlog” ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package=”NTLM” NOT Account_Domain=YOURDOMAIN NOT […] ViewDisclaimer to all viewers: I’m going to leave this query here, but take note to what David Veuve and Anup have said.
-
3 months ago
SplunkNinja commented on the post, List Deployment Apps and the associated serverClass
In reply to: wrangler2x wrote a new post, List Deployment Apps and the associated serverClass | rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, […] Viewwrangler2x,
I’ve updated the query to reflect what you said in the comment. Not sure why you can’t edit, let me know if the issue persists.Thanks for posting and sharing!
-
3 months, 2 weeks ago
SplunkNinja commented on the post, List permissions for Users, roles, allowed indexes and indexes searched by default
In reply to: sedi wrote a new post, List permissions for Users, roles, allowed indexes and indexes searched by default Ok that one is a big one so be prepared ;) The following will: list all users and their roles list […] ViewThis is awesome!
-
3 months, 3 weeks ago
SplunkNinja commented on the post, License Usage by Index per Day
In reply to: SplunkNinja wrote a new post, License Usage by Index per Day The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each […] ViewSamthegeek,
You’ll want to add in the additional math for GB.
| eval MB=round(volume/1024/1024,5)
| eval MB=round(volume/1024/1024/1024,5)As you can see above you simply divide by another 1024 to go from MB to GB.
Thanks!
-
3 months, 3 weeks ago
SplunkNinja commented on the post, List forwarders generating socket errors due to unkown SSL protocol
In reply to: wrangler2x wrote a new post, List forwarders generating socket errors due to unkown SSL protocol If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you […] ViewThanks wrangler2x!
-
4 months, 3 weeks ago
SplunkNinja wrote a new post, Show Splunk User to Role mapping
The following Splunk REST query shows all roles, number of capabilities, and landing app for each user.
| rest /services/authentication/users
| eval name=coalesce(realname, title)
| stats values(roles) as […] -
4 months, 4 weeks ago
SplunkNinja wrote a new post, Apache High Level Visitor Info
The following query gives a breakdown on traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit as you can see below.
sourcetype=access_combined […]
-
4 months, 4 weeks ago
SplunkNinja wrote a new post, Direct and Referred Apache Web Traffic
The following query will show all traffic to an Apache web server that is direct, meaning no referring site.
sourcetype=”access_combined” referer=”-” | stats countThe following query will show all traffic […]
-
5 months, 1 week ago
SplunkNinja wrote a new post, Concurrent Users on Apache Web
I’ve been working through this query and depending on the length of time you are looking back you can use one of the following two methods.
Option 1 – Short time window (30 days or less) concurrent users for a […]
-
1 year, 2 months ago
SplunkNinja wrote a new post, Fishies! Fun Query and Easter Egg
Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below!
FYI make sure you run this in real time […]
-
1 year, 2 months ago
SplunkNinja commented on the post, License Usage by Sourcetypes
In reply to: SplunkNinja wrote a new post, License Usage by Sourcetypes The following Splunk query will return results for license usage by sourcetype: index=_internal source=”*license_usage.lo*” type=Usage | stats sum(b) as […] Viewindex=_internal source=”*license_usage.lo*” type=Usage
| stats sum(b) as bytes by st
| eval Megabytes=bytes/1048576
| eval Megabytes=round(Megabytes,2)
| rename st as sourcetype
| fields – bytes
| sort – Megabytes
| eventstats sum(Megabytes) as totalMB
| eval percent=100*(Megabytes/totalMB) -
1 year, 11 months ago
SplunkNinja wrote a new post, List All Hosts Associated with All Indexes
Using the Splunk Tstats command you can quickly list all hosts associated with all indexes:
|tstats values(host) where index=* group by index -
2 years ago
SplunkNinja wrote a new post, Track Remediation Progress by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type:
OS & Device […]
-
2 years ago
SplunkNinja wrote a new post, Top 25 Most Vulnerable Systems by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type:
Linux
eventtype=qualys_vm_detection_event […] -
2 years ago
SplunkNinja wrote a new post, Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device […]
- Load More
Thanks!! Good call :)