Members

ItsJohnLocke

@itsjohnlocke Active 5 years, 11 months ago
  • ItsJohnLocke wrote a new post (6 years, 5 months ago)

    Show how much disk space is used by _internal

    The following Splunk query will return disk space used by the _internal index. index=_internal […]

  • ItsJohnLocke wrote a new post (6 years, 9 months ago)

    There is an older Splunk query here that had previously predicted license usage. I’m not sure why (perhaps the predict command has changed since the original post in 2015?), but the query is no longer working. […]

  • ItsJohnLocke commented on the post, Memory Usage (MB) per Splunk Process Class (6 years, 9 months ago)

    In reply to: Azeemering wrote a new post: Use the following search with a column chart visualisation. It will give you a good overview of what Splunk processes use the most memory: index=_introspection […]

    I modified this to fit my environment by specifying a host specifically (where you have host=*).

    Thanks for sharing, I’ve added it to an internal admin dashboard!

  • ItsJohnLocke wrote a new post (6 years, 9 months ago)

    The following Splunk query uses REST to display non-internal indexes associated with sourcetypes. It is my understanding that this covers all time (such is the way of REST searches).
    | rest /services/data/inputs/all
    | […]

  • ItsJohnLocke wrote a new post (6 years, 10 months ago)

    Ever wonder how your search performance is across search heads? Try this query.

    Depending on your environment you’ll want to specify the host=* section to better represent your environment. Say if you have a […]

  • ItsJohnLocke commented on the post, Malware Detection (7 years, 10 months ago)

    In reply to: ItsJohnLocke wrote a new post: I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article, it’s a decent […]

    When I posted this I got it here:

    Detecting malware beacons using Splunk

    Never tested it, but thought it was a pretty interesting idea!

  • ItsJohnLocke wrote a new post (8 years, 1 month ago)

    I found this very useful user statistics/information Splunk dashboard on http://www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking […]

  • ItsJohnLocke wrote a new post (8 years, 1 month ago)

    Here is some SPL to get useful information via REST on indexes within your Splunk environment:
    | rest /services/data/indexes
    | eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")
    | eval […]

  • ItsJohnLocke wrote a new post (8 years, 5 months ago)

    The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:
    | rest /services/alerts/fired_alerts splunk_server=local | table eai:acl.owner eai:acl.app id title triggered_alert_count

    • iceten2011 replied 4 years, 5 months ago

      Please, can someone create me a search query that will show the highest source utilizing the license?

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    List of Extractions in Transforms.conf

    Useful Splunk query to show REGEX extractions in Transforms.conf:
    | rest /services/data/transforms/extractions | table title eai:appName REGEX FORMAT updated

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    Useful Splunk query to show extractions from Props.conf:

    | rest /services/data/props/extractions | table title type value attribute

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    As the title says. Pretty nice Splunk search if you’ve forgotten what inputs you have configured and need a central place to list them.

    | rest /services/data/inputs/all | convert ctime(starttime) AS "Start […]

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    Use this Splunk rest query to list all currently logged in users (to your Splunk server).

    | rest /services/authentication/current-context | search NOT username="splunk-system-user" | table username roles updated

    • gr33nlant3rn replied 5 years, 12 months ago

      I am not sure what updated is supposed to do… but it looked like something close to epoch time? Anyway, I cut it off and the query looked cleaner?

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    Use this Splunk search to get a list of all lookup files:
    | rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    This REST Splunk search returns the status of roles on each Splunk server in your environment.
    | rest /services/server/introspection | table title splunk_server status updated

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    Useful search to show a bit of detail on roles and user permissions.
    | rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
    | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, […]

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    Self explanatory: maps roles to indexes. Useful if you have a lot of indexes!
    | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
    | fields title,srchIndexesAllowed
    | rename srchIndexesAllowed […]

    • wrangler2x replied 8 years, 6 months ago

      Add

      | stats values(role) by index

      at the end to get a by-index summary of roles.

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    This query is pretty awesome! It helped enlighten us to exactly when our Splunk infrastructure is being hit with users.
    index=_internal sourcetype=splunk_web_access
    [ rest / splunk_server=local
    | fields […]

  • ItsJohnLocke wrote a new post (8 years, 6 months ago)

    | rest /servicesNS/-/-/data/indexes count=0
    | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title
    | fillnull
    | where internal=0 AND disabled=0 AND readonly=0
    | […]

  • ItsJohnLocke wrote a new post (8 years, 10 months ago)

    I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article, it’s a decent read.
    search.goes.here | […]

    • ItsJohnLocke replied 7 years, 10 months ago

      When I posted this I got it here:

      Detecting malware beacons using Splunk

      Never tested it, but thought it was a pretty interesting idea!

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk