As titled, the following Splunk search query will show the restart duration (using the transaction command) of the Splunk service itself. index=_audit (action=”splunkShuttingDown” OR action=”splunkStarting”) | eval Date=strftime(_time, “%Y/%m/%d”) | transaction splunk_server startswith=action=”splunkShuttingDown” endswith=action=”splunkStarting” | eval duration=round(duration/60, 2) |table Date splunk_server duration| rename duration as “Splunk Restart Duration” splunk_server as “Splunk Server”
Queries Executed in DBConnect
This Splunk query will show the DBX or DBConnect queries executed. I have limited information to work with so check back for updates. Disclaimer – I’m using rex to replace HTML markup that is outputted and ingested by splunk. You may need to add to or remove this depending on your output (see query […]
Permissions for splunk users
Another view for which splunk user can do what in your splunk environment | rest /services/authentication/users | mvexpand roles | table realname, title, roles, email | join roles [ rest /services/authorization/roles | rename title as roles | search srchIndexesAllowed=* | table roles srchIndexesAllowed]
Search to show what apps are ready to be updated
| rest splunk_server=local /services/apps/local | search update.version=* | table title version update.version If that Splunk has internet access, it’ll have the update.* fields filled with the latest version if there is an update available for any app installed on that system. The splunk_server filter should be usable for querying search peers as well. Using that […]
rangemap command with single value string
index=_internal sourcetype=splunkd OR sourcetype=splunkd_access | stats latest(sourcetype) as sourcetype | eval sourcetypeidx=case(sourcetype=”splunkd”,2,sourcetype=”splunkd_access”,1) | rangemap field=sourcetypeidx severe=0-1 low=2-4 default=low
How to Check When Splunk is finished Indexing a log file
How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to learnsplunk.com author who originally posted it on his website) By watching data from splunk’s metrics log in real-time. ************************************************************ index=”_internal” source=”*metrics.log” group=”per_sourcetype_thruput” series=”your_sourcetype_here” | eval MB=kb/1024 | chart sum(MB) ************************************************************ or to watch everything happening split by […]
User Activity in DBConnect
The following Splunk query is for the DBConnect app. This will return all user activity using this particular app. I’ve provided the regex in the search. index=_audit sourcetype=audittrail action=”db_connect*” |eval Date=strftime(_time, “%Y/%d/%m”) |rex “user=(?<user>\S+),” | stats count by Date, user, info, action
Qualys Active OS Vuln Count
The following Splunk Search (query) is for Qualys and will show vulnerability count for Windows Hosts. This query assumes that your index is defined as qualys. index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE=”CONFIRMED” earliest=-30d@d | dedup HOST_ID, QID | search STATUS!=”FIXED” | join QID [ search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [ search […]
Linux Memory Usage
The following Splunk Search will show memory usage on a linux machine over a period of time using timechart: index=os sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as MEM | timechart latest(MEM) by host
Top Header cpu & memory status
I didn’t like the CPU input from the Splunk TA Nix app, so I created this small ingest from top. The script takes a snapshot of the top command, and looks directly at the header: top -b -n 1 | sed -n ‘1,5p’ and comes back with the first 5 lines of Top: top – 15:20:55 […]
Low Disk Space Alert for Windows Servers
eventtype=hostmon_windows Type=Disk host=”*” FileSystem=”*” DriveType=”*” | dedup host, Name | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) | eval FreeSpaceGB=round(FreeSpaceKB/1024/1024) | search FreeSpacePct<10 TotalSpaceGB=”*” | dedup host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | table host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | sort FreeSpacePct
Overview SMB Shares with unprivileged access (tenable)
This search will give an overview of all SMB shares with unprivilged access. sourcetype=”tenable:sc:vuln” pluginID=42411 | table ip dnsName pluginText | rename “pluginText” as “Shares enabled” | rename “dnsName” as “DNS Name” | rename “ip” as “IP address”
Track Remediation Progress by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic eventtype=”qualys_vm_detection_event” STATUS =”FIXED” earliest=-30d@d | dedup HOST_ID, QID | stats count by QID Linux eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS=”^((?!\/).)*Linux((?!\/).)*$” |dedup […]
List All Hosts Associated with All Indexes
Using the Splunk Tstats command you can quickly list all hosts associated with all indexes: |tstats values(host) where index=* by index
Current Vulnerability Summary by Severity (tenable)
Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity. sourcetype=”tenable:sc:vuln” severity.name=* | chart count over severity.name by ip Add the following to your dashboard source to add consistent colors to the pie chart: <option name=”charting.fieldColors”>{“Critical”:0x800000,”High”:0xFF0000,”Medium”:0xFFA500,”Low”:0x008000,”Info”:0x0000FF}</option>
Top exploitable vulnerabilities (tenable)
To see the top of exploitable vulnarabilities from the Tenable Security Center: sourcetype=”tenable:sc:vuln” exploitAvailable=”yes” | chart count over pluginName by riskFactor
Overall CVSS score (tenable)
Tenable uses the CVSS scoring method for detected vulnerabilities. To have an overall CVSS, use the following query: sourcetype=”tenable:sc:vuln” ip=* |stats mean(baseScore) as base | eval base = round(base,2)
Top 10 most vulnerable systems (Tenable)
Get an overview of the 10 most vulnerable systems in your network sourcetype=”tenable:sc:vuln” baseScore > 3 | dedup cve ip | stats count by ip, riskFactor | sort 10-count | lookup dnslookup clientip as ip | chart sum(count) by clienthost
SSL Certificates expired
The query below will give an overview of all hosts running expired certificates: sourcetype=”tenable:sc:vuln” synopsis=”The remote server’s SSL certificate has already expired.” | dedup ip | chart count by ip
SSL certificates about to expire
The query below will give an overview of all certificates about to expire (within 60 days) sourcetype=”tenable:sc:vuln” synopsis=”The SSL certificate associated with the remote service will expire soon.” | dedup ip | lookup dnslookup clientip as ip | chart count by ip,clienthost