-
2 weeks, 5 days agoSplunkNinja wrote a new post, Regex Extraction for WordPress Version from Apache Logs
The following Splunk search extracts the WordPress version from your Apache Web Logs. For fun I also did a time chart using 100% stacked bar chart to show by month each version of wordpress used. This was actually […]
-
2 weeks, 6 days ago
SplunkNinja wrote a new post, Utilizing tstats for Page Views within Apache Web Logs
Here’s a Splunk query to show a timechart of page views from a website running on Apache. Due to the search utilizing tstats, the query will return results incredibly fast over a very LONG period of time if […]
-
1 month ago
SplunkNinja commented on the post, Dashboard and App views by user
In reply to: john117 wrote a new post, Dashboard and App views by user This Splunk query / search shows historical access to dashboards and apps on a local splunk server. index=_internal sourcetype=splunk_web_access host=* […] ViewInogues,
Absolutely! I’ll edit this to fix it :)
-
1 month ago
SplunkNinja wrote a new post, Successful File Access Attempts and Filename Accessed
Ever need to find when a user accessed a file within a Windows environment? The following Splunk query will show successful file accesses by each user for a given day. Depending on the size of your environment […]
-
1 month, 1 week ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewMike,
You would create a new dashboard, and copy and paste the xml into the “source” of the dashboard. This can all be done within the web interface.If you have any issues, please join our discord!
-
1 month, 2 weeks ago
SplunkNinja wrote a new post, Internal Splunk User Stats
This simple Splunk query will show us unique Splunk user logged into Splunk per day, as well as total count of log-ons.
index=_audit info=succeeded | timechart span=1d dc(user) as unique_users count(user) as logons_all_users -
1 month, 2 weeks ago
SplunkNinja wrote a new post, Apache Traffic Dashboard
Description:
The following Dashboard is what I use to monitor traffic to GoSplunk. It uses the built in sourcetype of access_combined. No additional add-on’s or TA’s are required. I replaced my index with […]
-
2 months, 3 weeks ago
SplunkNinja commented on the post, Number of Hosts Associated with a Serverclass
In reply to: SplunkNinja wrote a new post, Number of Hosts Associated with a Serverclass The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should […] ViewThanks @Lyx for posting a fix!
-
3 months ago
SplunkNinja commented on the post, High Level Windows Dashboard
In reply to: SplunkNinja wrote a new post, High Level Windows Dashboard Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized […] ViewNeil,
Please give this a shot again. I updated the xml escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.Thanks for the comment and letting me know!
-
3 months ago
SplunkNinja wrote a new post, High Level Windows Dashboard
Part 1 – User Logon Activity
The following Splunk Dashboard provides a high level view of windows user logon activity.
It should be emphasized that the focus of this dashboard is fairly high level, has a […]
-
3 months, 2 weeks ago
SplunkNinja wrote a new post, Use TSTATS to find hosts no longer sending data
This is a simple tstats query shows all hosts and sourcetypes that have reported data, and shows the time in seconds since anything was sent. Be sure to run the query over a lengthy period of time in order to […]
-
4 months ago
SplunkNinja wrote a new post, Number of Hosts Associated with a Serverclass
The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should be run on your Deployment Server.
| rest /services/deployment/server/clients […]-
If this query does not work for you try:
| rest /services/deployment/server/clients splunk_server=local | table hostname applications.*.serverclasses | untable hostname, applications, serverclass | rex field=applications “applications.(?.+).serverclasses” | stats dc(hostname) as hostname b-
Thanks @Lyx for posting a fix!
-
-
-
4 months ago
SplunkNinja wrote a new post, Successful Logons – Windows
The following is a Splunk query that will display a timechart for all successful logons to windows:
source=”WinEventLog:security” EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN (“DWM-*”, “UMFD-*”)
| […] -
4 months ago
SplunkNinja commented on the post, Show Searches with Details (Who | When | What)
In reply to: SplunkNinja wrote a new post, Show Searches with Details (Who | When | What) The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search […] ViewThanks!! Good call :)
-
4 months ago
SplunkNinja wrote a new post, Failed Logon Attempts – Windows
The following Splunk query will show a timechart of failed logon attempts per host:
source=”WinEventLog:security” EventCode=4625
| timechart span=1h count by host
The following Splunk query will show a […] -
4 months, 2 weeks ago
SplunkNinja wrote a new post, Show Searches with Details (Who | When | What)
The following Splunk search will show a list of searches ran on a splunk server with the following details:
Who ran the search
What sourcetype was used
What index was used
What the search string […]-
Thanks!! Good call :)
-
-
5 months, 1 week ago
SplunkNinja wrote a new post, REST API response time
This is a Splunk query to measure REST API response time from the various rest URI’s in Splunk.
index=_internal sourcetype=splunkd_access source=*splunkd_access.log | rex “- – – (?P.*)” | rex “”(?[^”]+)” | […] -
5 months, 1 week ago
SplunkNinja commented on the post, Pass the Hash Detection
In reply to: srilankanmonkey wrote a new post, Pass the Hash Detection index=”wineventlog” ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package=”NTLM” NOT Account_Domain=YOURDOMAIN NOT […] ViewDisclaimer to all viewers: I’m going to leave this query here, but take note to what David Veuve and Anup have said.
-
7 months, 1 week ago
SplunkNinja commented on the post, List Deployment Apps and the associated serverClass
In reply to: wrangler2x wrote a new post, List Deployment Apps and the associated serverClass | rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, […] Viewwrangler2x,
I’ve updated the query to reflect what you said in the comment. Not sure why you can’t edit, let me know if the issue persists.Thanks for posting and sharing!
-
7 months, 3 weeks ago
SplunkNinja commented on the post, List permissions for Users, roles, allowed indexes and indexes searched by default
In reply to: sedi wrote a new post, List permissions for Users, roles, allowed indexes and indexes searched by default Ok that one is a big one so be prepared ;) The following will (on a SH / SH Cluster): list all users […] ViewThis is awesome!
- Load More
Neil,
Please give this a shot again. I updated the xml escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.
Thanks for the comment and letting me know!
Mike,
You would create a new dashboard, and copy and paste the xml into the “source” of the dashboard. This can all be done within the web interface.
If you have any issues, please join our discord!
https://discord.gg/fFJhGPw