• Search
  • Dashboards
  • Browse
    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime
    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Diagnostics failed logon Firewall IIS index indexes internal license License usage Linux linux audit Login Logon malware Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshoot troubleshooting tstats Universal Forwarder users Vulnerabilities Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog
  • Splunk Jobs
Members

masdeeper

@masdeeper Active 5 years, 11 months ago
  • 7 years, 2 months ago

    masdeeper wrote a new post

    |tstats count WHERE index=* OR index=_ BY index

    Don’t forget the time modifier is required.

  • 7 years, 2 months ago

    masdeeper wrote a new post

    index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count by savedsearch_name reason

    Look at the reason to know how to TB.

  • 7 years, 2 months ago

    masdeeper wrote a new post

    There is a bug that makes a search be executed 2 times or more.

    index=_internal sourcetype=scheduler scheduled_time=* savedsearch_name=* |stats count by scheduled_time, savedsearch_name | where count > 1

  • 7 years, 2 months ago

    masdeeper wrote a new post

    Sorry but a query would not be elegant.

    TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z

    TZ_ALIAS = A=GMT+1:00, B=GMT+2:00, C=GMT+3:00, D=GMT+4:00, E=GMT+5:00, F=GMT+6:00, G=GMT+7:00, H=GMT+8:00, I=GMT+9:00, K=GMT+10:00, […]

  • 7 years, 2 months ago

    masdeeper wrote a new post

    Impact: since there is no timezone, the logs will have the same timezone as the local user. Therefore in another timezone, the logs won’t have the same order. If no TZ is specified, perhaps we could hard code […]

  • 7 years, 2 months ago

    masdeeper wrote a new post

    Given an IP network address and its netmask represented in integer format, the below search will create a CIDR representation from the lookup without using built-in tools.

    |inputlookup geoip | head […]

  • 7 years, 2 months ago

    masdeeper changed their profile picture

  • 7 years, 2 months ago

    masdeeper commented on the post, RFQ (Request For Query) – Port Scan

    In reply to: rashid47010 wrote a new post I am looking for the query[timechartl] for example 50 port scan attempts within a second against a list of organization public facing IP addresses. View

    Provide log example.

  • 7 years, 2 months ago

    masdeeper commented on the post, List of Indexes

    In reply to: ItsJohnLocke wrote a new post This simple Splunk query will return results for indexes that the current user (typically you) have access to: *NOTE* depending on settings this may or may not return internal […] View

    This is resource consuming. REST or tstats would be a better choice.

  • 7 years, 2 months ago

    masdeeper became a registered member

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk