-
6 years, 5 months agojohn117 wrote a new post
The following Splunk query will show a table of all users and their roles:
| rest /services/authentication/users | stats values(roles) as Roles by user
*Admin Notes*
I’ve found the following query to work […] -
6 years, 5 months ago
john117 wrote a new post
This Splunk query shows when the admin account performed Create or Modify Roles actions:
index=”_audit” action=edit_roles operation=* | table _time user operation object* -
6 years, 5 months ago
john117 wrote a new post
This Splunk query shows when the admin account performed Account Modification / Deletion / Creation actions:
index=_audit user=admin action=edit_user operation=* | table _time user operation object* -
6 years, 5 months ago
john117 wrote a new post
This Splunk query should show which users attempted to modify an index and if that action was successful:
index=_audit user=* action=indexes_edit | stats count by index info user action -
6 years, 5 months ago
john117 wrote a new post
This Splunk query / search shows historical access to dashboards and apps on a local splunk server.
index=_internal sourcetype=splunk_web_access host=* user=*
| rex field=uri_path “.*/(?[^/]*)$”
| join […] -
6 years, 7 months ago
john117 wrote a new post
Use the following simple tstats query to return the latest time events came in for a given index as well as list all sourcetypes for each index:
|tstats values(sourcetype) as Sourcetype latest(_time) as Time […] -
6 years, 8 months ago
john117 commented on the post, Potential Suspicious Activity in Windows
In reply to: john117 wrote a new post Potential Suspicious Activity in WindowsThe following Splunk search should be ran over a long period of time (at least it worked best that way in my environment). This query will show […] ViewTry it without the Evals. Sorry haven’t touched this in a while (and clearly haven’t commented on this!). I’m no longer working in an environment that uses this query.
-
6 years, 8 months ago
john117 commented on the post, List forwarders generating socket errors due to unkown SSL protocol
In reply to: wrangler2x wrote a new post If you are using SSL on port 9997 or 9998 (or other port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder or one with incorrect certs can […] ViewThanks for sharing! I do not have a default “dnsLookup” in my environment. Did you build this with an app or acquire it from your networking team and upload it as a lookup?
If the query works the way I think it works, this is pretty neat!
-
6 years, 10 months ago
john117 commented on the post, Clean or Delete Data in a given Source
In reply to: SplunkNinja wrote a new post The following Splunk query will wipe or clear a data source. Ensure you specify an index else it will wipe the given source for all indexes. source=pathtosourcename | delete ViewIt should be noted that this will not actually wipe the data, but simply hide it from view.
-
8 years, 2 months ago
john117 wrote a new post
This Splunk Query shows if there is a time offset on your Splunk servers. I borrowed and modified this one from the splunk clock skew search posted on http://www.bbosearch.com (another pretty awesome site like this […]
-
8 years, 4 months ago
john117 wrote a new post
This will show events that have been sent to the null que within the splunk internal logs.
index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd | table _time log_level […] -
8 years, 5 months ago
john117 posted an update
Just another day in the life of a splunk administrator!
-
8 years, 5 months ago
john117 wrote a new post
Potential Suspicious Activity in WindowsThe following Splunk search should be ran over a long period of time (at least it worked best that way in my environment). This query will show potentially […]
-
I get the following error running this search (Splunk 6.1.5):
Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.
-
I get a similar error with version 6.5.1:
Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.Appears to be in: (eval Short_Message=mvindex(Message,0)
-
Hmm posting error with //
Lets try this again:
(eval Short_Message=mvindex(Message,/0) -
“eval Short_Message=mvindex(Message,0) “
-
Argh…html….
eval Short_Message=mvindex(Message,LessThanSign wbr Right slash //GreaterThanSign>0) -
having the same issue with that eval short message.
-
Try it without the Evals. Sorry haven’t touched this in a while (and clearly haven’t commented on this!). I’m no longer working in an environment that uses this query.
-
-
8 years, 5 months ago
john117 wrote a new post
The following splunk search looks for changes in services within Windows.
sourcetype=”WinEventLog:System” EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,”.”) | eval […] -
8 years, 5 months ago
john117 wrote a new post
This splunk search will show file shares being accessed within windows environments.
sourcetype=”WinEventLog:Security” EventCode=5140 (Share_Name=”*C$” OR Share_Name=”*D$” OR Share_Name=”*E$” OR […] -
8 years, 9 months ago
john117 changed their profile picture
-
9 years, 6 months ago
john117 became a registered member
Inogues,
Absolutely! I’ll edit this to fix it :)
This is GREAT!
Is there a way to map the user to their email or name? Would that require another join of some sort?
I looked into the base search and didn’t see an email or name field.