-
2 months agoSplunkNinja commented on the post, Windows Dashboard showing Who (was) logged on to ?
In reply to: DaveyBoy wrote a new post, Windows Dashboard showing Who (was) logged on to ? Dashboard with 3 separate columns which allow you to drill into 3 separate assets to find out who was logged on, when they logged on, […] ViewArmando,
You’ll need to have access to the correct indexes for this, you might need to manually enter the index name if your role doesn’t search all non-internal indexes by default. -
2 months, 3 weeks ago
SplunkNinja wrote a new post, Character Count Per Event
Here’s an incredibly simple Splunk query to count the number of characters in an event:
index=* | eval CharCount=len(_raw) -
2 months, 4 weeks ago
SplunkNinja wrote a new post, Dashboard for Splunk Infrastructure/Server Specs at a Glance
This dashboard will show the server or infrastructure specs of your Splunk environment. This is not intended to replace the Monitoring console, but rather augment as sometimes we need a condensed version of what […]
-
7 months ago
SplunkNinja commented on the post, Failed Attempts to Logon to Splunk Web
In reply to: SplunkNinja wrote a new post, Failed Attempts to Logon to Splunk Web The following Splunk Search Query will return all users who have failed to logon to the Splunk Web console. This query will also include an […] ViewIt’s been….~6 months. I’m going to assume I updated the original here :)
-
8 months, 3 weeks ago
SplunkNinja commented on the post, Apache Traffic Dashboard
In reply to: SplunkNinja wrote a new post, Apache Traffic Dashboard Description: The following Dashboard is what I use to monitor traffic to GoSplunk. It uses the built in sourcetype of access_combined. No additional […] ViewJay,
I placed the index=* in there as it will work for any named index. In practice you’ll want to put the name of your index in there. For example: index=”web” -
9 months ago
SplunkNinja commented on the post, Successful Login to OSX
In reply to: ItsJohnLocke wrote a new post, Successful Login to OSX The following splunk query (with regex) will return a result of users who have successfully authenticated to an OSX machine: *NOTE* Thanks Bob for […] ViewThanks Bob! It has been fixed :)
-
9 months ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewHopefully soon :)
-
9 months, 3 weeks ago
SplunkNinja wrote a new post, Apps Deployed from Deployment Server
Want to show what apps have been deployed to forwarders from a deployment server (DS)? Try this Splunk Search:
index=_internal sourcetype=splunkd component=DeployedApplication installing
| stats count […] -
9 months, 3 weeks ago
SplunkNinja wrote a new post, List of Forwarders that are Deployment Clients
Need a list of Forwarders that are talking to a Deployment Server? Try this:
index=_internal sourcetype=splunkd component=DC* Handshake | stats count by host
Additional REST query (performed on the DS) will […] -
9 months, 3 weeks ago
SplunkNinja wrote a new post, Successful Logons to WordPress Admin Area
Ever want more detailed information on authentications to your WordPress Admin Area? This Splunk Query will show detailed information on successful authentications to the wp-admin section of your […]
-
10 months ago
SplunkNinja commented on the post, License Usage by Index per Day
In reply to: SplunkNinja wrote a new post, License Usage by Index per Day The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each […] ViewSpeed Racer,
Good catch. I think an earlier version of this did have an average but was removed for some reason.You’d want to use something like this below but alter it as needed:
index=_internal source=*license_usage.log type=”Usage” splunk_server=*
| eval Date=strftime(_time, “%Y/%m/%d”)
| streamstats sum(b) as volume
| eval…[Read more] -
11 months ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewThe only thing you’ll need to change is the index= section. Currently it says index=windows_events, change that to the index name where your windows data lives. If you don’t know you can do index=* but that is not best practice.
-
11 months, 2 weeks ago
SplunkNinja commented on the post, Accounts Deleted within 24 Hours of Creation
In reply to: SplunkNinja wrote a new post, Accounts Deleted within 24 Hours of Creation This splunk query unmodified will return results on any account regardless of duration, however it uses an “eval case” argument to […] ViewDinesh,
Thanks for commenting! Please join our live discussion over in Discord: https://discord.gg/fFJhGPwI’d be happy to expand this query upon successful testing!
-
11 months, 2 weeks ago
SplunkNinja commented on the post, Auditd hosts in all environments
In reply to: manderso wrote a new post, Auditd hosts in all environments Shows the login activity to our linux environments, sudo commands per host and users. Admin Notes: index=main was changed to index=* due to not […] Viewgbr,
I’m testing the xml and have no issues. Feel free to join our discord and let us know your issue! https://discord.gg/fFJhGPw -
1 year ago
SplunkNinja wrote a new post, Regex Extraction for WordPress Version from Apache Logs
The following Splunk search extracts the WordPress version from your Apache Web Logs. For fun I also did a time chart using 100% stacked bar chart to show by month each version of wordpress used. This was actually […]
-
1 year ago
SplunkNinja wrote a new post, Utilizing tstats for Page Views within Apache Web Logs
Here’s a Splunk query to show a timechart of page views from a website running on Apache. Due to the search utilizing tstats, the query will return results incredibly fast over a very LONG period of time if […]
-
1 year ago
SplunkNinja commented on the post, Dashboard and App views by user
In reply to: john117 wrote a new post, Dashboard and App views by user This Splunk query / search shows historical access to dashboards and apps on a local splunk server. index=_internal sourcetype=splunk_web_access host=* […] ViewInogues,
Absolutely! I’ll edit this to fix it :)
-
1 year ago
SplunkNinja wrote a new post, Successful File Access Attempts and Filename Accessed
Ever need to find when a user accessed a file within a Windows environment? The following Splunk query will show successful file accesses by each user for a given day. Depending on the size of your environment […]
-
1 year ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewMike,
You would create a new dashboard, and copy and paste the xml into the “source” of the dashboard. This can all be done within the web interface.If you have any issues, please join our discord!
-
1 year, 1 month ago
SplunkNinja wrote a new post, Internal Splunk User Stats
This simple Splunk query will show us unique Splunk user logged into Splunk per day, as well as total count of log-ons.
index=_audit info=succeeded | timechart span=1d dc(user) as unique_users count(user) as logons_all_users - Load More
