Members

Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below!

FYI make sure you run this in real time […]

Using the Splunk Tstats command you can quickly list all hosts associated with all indexes:
|tstats values(host) where index=* group by index

The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type:

OS & Device […]

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type:

Linux
eventtype=qualys_vm_detection_event […]

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device […]

The following Splunk query will help determine remediation tracking trends within the Qualys Sourcetype:
eventtype=”qualys_vm_detection_event” | stats count as eachCount |eval STATUS=”Total” | table STATUS […]

The following Splunk query will show the percentage of high severity vulnerabilities within the Qualys Sourcetype:
eventtype=”qualys_vm_detection_event” |eval Success= if(SEVERITY >3,1,0)|stats count as total […]

As the title suggests this Splunk Search will dedup results so you can better see changes in Vulnerability detection scan to scan within the Qualys Sourcetype:
eventtype=”qualys_vm_detection_event” | dedup QID […]

The following Splunk query will show the hosts taking an abnormally lengthy time to scan (helps find that needle in a haystack) within the Qualys Sourcetype:
sourcetype=”qualys:hostDetection” […]

The following Splunk query will show the number of vulnerabilities detected all severities and all types within the Qualys Sourcetype:
eventtype=”qualys_vm_detection_event” STATUS=”NEW”  | dedup QID |stats count […]

The following Splunk query will show the number of hosts scanned within the Qualys Sourcetype:
eventtype=”qualys_vm_detection_event” |eval Success= if(SEVERITY >3,1,0)|stats count as total sum(Success) as […]

This Splunk search will show you use and available CPU and Memory statistics. Depending on your environment you may see multiple Splunk servers:
| rest /services/server/status/resource-usage/hostwide | eval […]

The following Splunk query shows a percentage of free disk space over a period of time using timechart:
index=os sourcetype=df PercentFreeSpace=* mount=”/” | timechart latest(PercentFreeSpace) by host

The following Splunk Search will show memory usage on a linux machine over a period of time using timechart:
index=os sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as […]

The following query will output CPU usage per host over a period of time using timechart:
index=os sourcetype=top pctCPU=* | transaction host _time | streamstats window=1 global=f sum(pctCPU) as CPU | timechart […]

Take any field in splunk that outputs a value in seconds and change it to report in HH:MM:SS format:
your.search.here | eval HHMMSS=tostring(Field_In_Seconds, “duration”) | table HHMMSS

The following Splunk query was modified from the Splunk Health Overview app on Splunkbase. This particular Splunk search returns a list of hosts with their indexes and sourcetypes and determines when each last […]