SPL searches

Every SPL query in the GoSplunk library, ready to copy into Splunk.

Search Crafted by Category

spl

AI Crafted access_combined

Splunk SPL: Apache Unique Visitors by Day

▲ 0 ▼ 0

by AI Crafted

spl

AI Crafted access_combined

Splunk SPL: Apache 404 Spike Detector (15m)

▲ 0 ▼ 0

by AI Crafted

spl

AI Crafted access_combined

Splunk SPL: Slowest Apache Requests (Top 50)

▲ 0 ▼ 0

by AI Crafted

spl

AI Crafted access_combined

Splunk SPL: Top Apache Endpoints by Bytes (Daily)

▲ 0 ▼ 0

by AI Crafted

spl

AI Crafted access_combined

Splunk SPL: Apache Response Codes by Client IP (Top 20)

▲ 0 ▼ 0

by AI Crafted

spl

WinEventLog:Security

Password changes in a Windows environment by user account

▲ 4 ▼ 1

by Go Splunk

spl

WinEventLog:Security

Password Non Compliance Windows

▲ 0 ▼ 1

by SplunkNinja

spl

WinEventLog:System

Microsoft Antimalware Virus Remediation Details

▲ 1 ▼ 0

by SplunkNinja

spl

Remediation Tracking Trend - Qualys

▲ 0 ▼ 0

by SplunkNinja

spl

_internal _audit

Find unused dashboards

▲ 18 ▼ 5

by Azeemering

spl

WMI:Uptime Unix:Uptime

Show uptime in Days

▲ 7 ▼ 0

by manderso

spl

List all your existing indexes or check if index exists

▲ 2 ▼ 0

by Azeemering

spl

Overview of all medium to critical risks for Win20xx

▲ 5 ▼ 1

by Ronald (Access42)

spl

Uncategorized Linux Performance

Linux Memory Usage

▲ 1 ▼ 6

by SplunkNinja

spl

WinEventLog:Security

Clearing of Windows Audit Logs

▲ 8 ▼ 7

by ItsJohnLocke

spl

Check your strftime is correct in the props.conf

▲ 3 ▼ 0

by Azeemering

spl

WinEventLog:Security

Get list of concurrent users on a specific server

▲ 8 ▼ 1

by rupya1983

spl

Fun Stuff & Helpful Hints

Breathing Fire Dragon when Starting dbx_task_server

▲ 8 ▼ 1

by Azeemering

spl

Visits by Hour of the Day in IIS

▲ 0 ▼ 0

by SplunkNinja

spl

Fun Stuff & Helpful Hints

Fishies! Fun Query and Easter Egg

▲ 12 ▼ 0

by SplunkNinja

spl

Overview SMB Shares with unprivileged access (tenable)

▲ 6 ▼ 0

by Ronald (Access42)

spl

SSL certificates about to expire

▲ 4 ▼ 0

by Ronald (Access42)

spl

WinEventLog:Security

Weekend User Activity

▲ 1 ▼ 3

by SplunkNinja

spl

Simple GeoIP Information for Web Traffic

▲ 4 ▼ 0

by ItsJohnLocke

spl

WinEventLog:Security

Zerologon Detection (CVE-2020-1472)

▲ 10 ▼ 0

by riparino

spl

Qualys Active OS Vuln Count

▲ 3 ▼ 0

by CattyWampus

spl

Weekday Web Traffic Summary in IIS

▲ 1 ▼ 0

by SplunkNinja

spl

Universal Forwarder Throughput Limit Hit Count

▲ 3 ▼ 0

by Azeemering

spl

Significant Data Ingress/Egress

▲ 5 ▼ 0

by splunkie99

spl

WinEventLog:Security

System Security Access Removed from Account

▲ 1 ▼ 0

by SplunkNinja

spl

List of Indexes

▲ 15 ▼ 27

by ItsJohnLocke

spl

Remove Z or T string from your Timestamp

▲ 2 ▼ 3

by sahr.lebbie

spl

Original posted in 2015 Testing an issue with brackets

▲ 0 ▼ 0

by Thomas Chase

spl

High Severity Vulnerabilities - Qualys

▲ 0 ▼ 0

by SplunkNinja

spl

Direct and Referred Apache Web Traffic

▲ 3 ▼ 0

by SplunkNinja

spl

Perfmon:CPU Load

CPU Thresholds, Warnings, and Risk Scoring

▲ 3 ▼ 0

by SplunkNinja

spl

Timestamps from the future.

▲ 2 ▼ 0

by Tensore

spl

Uncategorized Linux Performance

Linux CPU Usage

▲ 7 ▼ 3

by SplunkNinja

spl

Splunk User Search Activity

▲ 16 ▼ 8

by CattyWampus

spl

WinEventLog:System

Get unexpected shutdown date with downtime duration

▲ 2 ▼ 0

by dstaulcu

spl

IIS Response Time

▲ 3 ▼ 2

by kharris

spl

License Usage by Index per Day

▲ 39 ▼ 4

by SplunkNinja

spl

Traffic Volume by Forwarder

▲ 5 ▼ 0

by SplunkNinja

spl

Count of Unique Users in a Linux Environment

▲ 1 ▼ 0

by SplunkNinja

spl

Apache High Level Visitor Info

▲ 2 ▼ 0

by SplunkNinja

spl

Top exploitable vulnerabilities (tenable)

▲ 5 ▼ 0

by Ronald (Access42)

spl

Show Splunk User to Role mapping

▲ 2 ▼ 1

by SplunkNinja

spl

access_combined

Nr. of unique visitors per hour timechart

▲ 4 ▼ 1

by m1ll3n1umf4lc0n

spl

USB and Removable Media Detection

▲ 2 ▼ 1

by SplunkNinja

spl

Total Number of Hosts reporting in.

▲ 1 ▼ 0

by SplunkNinja

spl

Total Unique Browsers detected in IIS logs

▲ 0 ▼ 6

by SplunkNinja

spl

WinEventLog:Security

Search Common EventCodes (EventID's) for Suspicious Behavior

▲ 30 ▼ 5

by Go Splunk

spl

Query for when PowerShell execution policy is set to Bypass

▲ 0 ▼ 0

by rsanchez

spl

WinEventLog:Security

Failed Authentication to Non-existing Accounts

▲ 6 ▼ 0

by SplunkNinja

spl

Evaluate Fahrenheit to Celsius

▲ 2 ▼ 1

by Azeemering

spl

Search Traffic by Source IP

▲ 2 ▼ 0

by pradeep577

spl

WinEventLog:Security

Pass the Hash Detection

▲ 22 ▼ 26

by srilankanmonkey

spl

Enterprise Security

Listing incident review and the closing comments

▲ 2 ▼ 0

by Opeyemi Olatunji

spl

Identifying Hosts not sending data for more than 6 hours

▲ 5 ▼ 0

by vr2312

spl

List of Failed Login Attempts in Linux

▲ 1 ▼ 1

by ItsJohnLocke

spl

Windows Software Matrix

▲ 3 ▼ 0

by TeamC

spl

count all events for 1 or multiple index(es)

▲ 6 ▼ 1

by sedi

spl

Qualys - Number of Hosts Scanned

▲ 0 ▼ 0

by SplunkNinja

spl

Uncategorized Fun Stuff & Helpful Hints

Pearson Coefficient of Two Fields

▲ 4 ▼ 0

by yangzd

spl

User Agent - Browser Details & Information for IIS

▲ 0 ▼ 0

by SplunkNinja

spl

Number of mails sent over time (Postfix)

▲ 2 ▼ 0

by m1ll3n1umf4lc0n

spl

Fun Stuff & Helpful Hints

Add a count of events by fieldname

▲ 1 ▼ 0

by Azeemering

spl

WinEventLog:Security

Time between rights granted and rights revoked

▲ 2 ▼ 1

by SplunkNinja

spl

List of Extractions in Transforms.conf

▲ 3 ▼ 0

by ItsJohnLocke

spl

Perfmon:Free Disk Space

Free Disk Space for each Drive Letter

▲ 4 ▼ 0

by SplunkNinja

spl

Count of Unique Hosts in Linux

▲ 2 ▼ 0

by SplunkNinja

spl

List of Hosts in a Linux Environment

▲ 2 ▼ 0

by SplunkNinja

spl

audittrail DBConnect

Queries Executed in DBConnect

▲ 2 ▼ 0

by ItsJohnLocke

spl

Identify all saved searches that use a specific keyword

▲ 0 ▼ 0

by Azeemering

spl

Apps Deployed from Deployment Server

▲ 0 ▼ 0

by SplunkNinja

spl

Perfmon:Network Interface

Network Usage by KB per minute on a Windows Box

▲ 2 ▼ 1

by SplunkNinja

spl

Use TSTATS to find hosts no longer sending data

▲ 4 ▼ 0

by SplunkNinja

spl

Basic binary conversion for IPv4 Mask

▲ 4 ▼ 0

by masdeeper

spl

Top Visited Pages in IIS Web Logs

▲ 0 ▼ 0

by SplunkNinja

spl

Indexes size and EPS

▲ 1 ▼ 1

by alasta

spl

Perfmon:Free Disk Space

Available Disk Space on a Windows Box

▲ 2 ▼ 0

by SplunkNinja

spl

citrix:netscaler:syslog

Extract DNS Queries from netscaler syslog

▲ 5 ▼ 1

by Ronald (Access42)

spl

WinEventLog:Security

Changes to Windows User Groups by Account

▲ 1 ▼ 2

by SplunkNinja

spl

List of Users in a Linux Environment

▲ 3 ▼ 0

by SplunkNinja

spl

Uncategorized Linux Performance

Linux Free Disk Space

▲ 3 ▼ 1

by SplunkNinja

spl

Splunk License Consumption via _introspection

▲ 1 ▼ 0

by SplunkNinja

spl

REST Call for Splunk Server Role Status

▲ 0 ▼ 1

by ItsJohnLocke

spl

eval WinEventLog:Security

Find passwords in User_Name field

▲ 13 ▼ 0

by thall

spl

Perfmon:Network Interface

Network Traffic Received in Megabytes over Time

▲ 0 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Escalation of Privileges in a Windows Environment by User

▲ 8 ▼ 4

by Go Splunk

spl

Splunk Admin Account Activity - Role Modifications

▲ 1 ▼ 0

by john117

spl

Fun Stuff & Helpful Hints

Expand JSON fields using spath

▲ 0 ▼ 0

by gr33nlant3rn

spl

Show all successful splunk configuration changes by user

▲ 2 ▼ 2

by sedi

spl

Enterprise Security

Detect Credit Card Numbers using Luhn Algorithm

▲ 2 ▼ 0

by Azeemering

spl

WinEventLog:Security

Accounts Deleted in a Windows Environment

▲ 1 ▼ 0

by ItsJohnLocke

spl

Current vulnerabilities from tenable.io

▲ 0 ▼ 0

by secninjago

spl

Convert non timestamp time to Epoch

▲ 4 ▼ 4

by SplunkNinja

spl

Fun Stuff & Helpful Hints Tenable

Current Vulnerability Summary by Severity (tenable)

▲ 5 ▼ 3

by Ronald (Access42)

spl

WinEventLog:Security

Accounts Enabled

▲ 0 ▼ 0

by ItsJohnLocke

spl

rangemap command with single value string

▲ 1 ▼ 1

by Suren

spl

Show your triggered alerts

▲ 11 ▼ 0

by Azeemering

spl

Every index explicitly granted to a role

▲ 2 ▼ 0

by ItsJohnLocke

spl

Linux Cron Job Information

▲ 5 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

System Time Modifications in Windows

▲ 3 ▼ 0

by SplunkNinja

spl

Dashboard and App views by user

▲ 8 ▼ 0

by john117

spl

WinEventLog:Security

Search for disabled AD accounts that have been re-enabled

▲ 5 ▼ 1

by kephalonomancy

spl

Successful Logons to WordPress Admin Area

▲ 3 ▼ 0

by SplunkNinja

spl

audittrail _internal

Splunk Query to report on users logging on to the Splunk Web Console

▲ 9 ▼ 1

by Suren

spl

WinEventLog:System

Microsoft Antimalware Malware Detection Details

▲ 0 ▼ 0

by SplunkNinja

spl

Reports Owned by Admin Users and Writable by Others

▲ 0 ▼ 0

by eugenek

spl

List of installed non-core applications

▲ 2 ▼ 0

by ccloutier

spl

Fun Stuff & Helpful Hints

List all fields for an index

▲ 9 ▼ 0

by Azeemering

spl

New Vulnerabilities Detected Since Last Scan - Qualys

▲ 0 ▼ 0

by SplunkNinja

spl

How to Check When Splunk is finished Indexing a log file

▲ 2 ▼ 0

by Suren

spl

IIS: Indicators of XSS and SQLi attacks

▲ 1 ▼ 2

by Ronald (Access42)

spl

Qualys Top 10 Vulnerabilities by Severity

▲ 2 ▼ 0

by CattyWampus

spl

Forwarder Diagnostics - Last time Data Was Received by Index and Sourcetype

▲ 28 ▼ 3

by SplunkNinja

spl

WinEventLog:Security

Failed Versus Successful Logon Attempts

▲ 7 ▼ 7

by SplunkNinja

spl

User Agent – Operating System Info for web traffic

▲ 0 ▼ 0

by SplunkNinja

spl

REST API: Table all Splunk User Email Addresses

▲ 3 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Windows security daily domain activities

▲ 6 ▼ 0

by ddanielnp

spl

Successful Login to OSX

▲ 0 ▼ 1

by ItsJohnLocke

spl

Fun Stuff & Helpful Hints

Create a lookup with random test ip's

▲ 0 ▼ 0

by Azeemering

spl

WinEventLog:Application

Shutdown or Suspend a Service in Windows

▲ 1 ▼ 1

by SplunkNinja

spl

Linux Deletion of SSL Certificate (mitre : T1485 , T1070.004 , T1070)

▲ 1 ▼ 0

by MaryamSaniee

spl

Fun Stuff & Helpful Hints

Disk Usage per Index by Indexer

▲ 2 ▼ 0

by LTRand

spl

Uncategorized Tenable

Overall CVSS score (tenable)

▲ 3 ▼ 2

by Ronald (Access42)

spl

Forwarder TCP Connections info

▲ 4 ▼ 0

by thall

spl

List of Login Attempts to Splunk

▲ 4 ▼ 8

by CattyWampus

spl

Fun Stuff & Helpful Hints

Character Count Per Event

▲ 5 ▼ 2

by SplunkNinja

spl

Perfmon:Network Interface

Network Traffic Sent in Megabytes over Time

▲ 4 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Active Directory Password change attempts

▲ 3 ▼ 0

by Azeemering

spl

1st time connection between servers (FTD CISCO)

▲ 0 ▼ 0

by GaatJeNietsAan

spl

WinEventLog:Application

Start a Windows Service

▲ 0 ▼ 1

by SplunkNinja

spl

WinEventLog:Security

Potential Suspicious Activity in Windows

▲ 12 ▼ 2

by john117

spl

access_combined apache

Regex Extraction for WordPress Version from Apache Logs

▲ 3 ▼ 0

by SplunkNinja

spl

Listing Data models

▲ 8 ▼ 0

by Opeyemi Olatunji

spl

Enterprise Security

Query to see incidents logged by correlation search in ES incident review dashboard

▲ 0 ▼ 0

by snsaxena

spl

splunkd _internal

List skipped searches by name, reason

▲ 7 ▼ 4

by masdeeper

spl

Search for all errors in splunkd

▲ 9 ▼ 0

by Azeemering

spl

Number of Vulnerabilities Detected - Qualys

▲ 0 ▼ 0

by SplunkNinja

spl

Uncategorized Fun Stuff & Helpful Hints

List Notable events with closing history details

▲ 5 ▼ 0

by Opeyemi Olatunji

spl

List the size of lookup files with an SPL search.

▲ 0 ▼ 0

by Azeemering

spl

WinEventLog:Security

Failed Windows Remote Desktop Connection Attempt

▲ 4 ▼ 0

by SplunkNinja

spl

List of Universal Forwarders with Version

▲ 18 ▼ 2

by SplunkNinja

spl

Splunk License Gauge

▲ 1 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Console Lock Duration

▲ 2 ▼ 0

by SplunkNinja

spl

List Deployment Apps and the associated serverClass

▲ 4 ▼ 0

by wrangler2x

spl

Number of Hosts Associated with a Serverclass

▲ 2 ▼ 0

by SplunkNinja

spl

Failed Attempts to Logon to Splunk Web

▲ 4 ▼ 2

by SplunkNinja

spl

WinEventLog:Security

Windows Time Change

▲ 0 ▼ 0

by SplunkNinja

spl

Splunk Apps added to an instance

▲ 1 ▼ 0

by marksplunker

spl

IIS: Indicators of directory traversal, RFI and LFI

▲ 3 ▼ 0

by Ronald (Access42)

spl

Real Time IIS Web Site Connections

▲ 3 ▼ 4

by SplunkNinja

spl

Perfmon:Available Memory

Available Memory in a Windows box

▲ 4 ▼ 0

by SplunkNinja

spl

Monitoring WinEventLog:Security

Detect Username Guessing Brute Force Attacks

▲ 29 ▼ 0

by DaveyBoy

spl

F5 SL ASM iRule Parser for Hosted Deployments

▲ 1 ▼ 0

by riparino

spl

Investigate an IP through Palo Alto Logs

▲ 2 ▼ 0

by Opeyemi Olatunji

spl

REST API response time

▲ 3 ▼ 1

by SplunkNinja

spl

Internal Splunk User Stats

▲ 4 ▼ 2

by SplunkNinja

spl

Use REST to gather Index Info

▲ 4 ▼ 3

by ItsJohnLocke

spl

Splunk Query Count by users

▲ 0 ▼ 0

by databeastmaster

spl

Average Splunk Web requests by hour

▲ 1 ▼ 1

by ItsJohnLocke

spl

WinEventLog:System

Monitor for Service Changes in Windows

▲ 15 ▼ 3

by john117

spl

Timechart of Linux Logons

▲ 4 ▼ 1

by ItsJohnLocke

spl

apache access_combined

Apache access_logs status code reporting

▲ 7 ▼ 0

by Suren

spl

Sysmon - cmd line for non -local connections

▲ 1 ▼ 3

by jwalzer

spl

Host not sending logs for x days

▲ 6 ▼ 1

by pradeep577

spl

Fun Stuff & Helpful Hints

Exclude single event type from logs

▲ 0 ▼ 0

by pradeep577

spl

List of Props.conf Extractions

▲ 2 ▼ 0

by ItsJohnLocke

spl

Total Hits on Least Active Day in IIS

▲ 0 ▼ 0

by SplunkNinja

spl

All indexes not explicitly granted to a role

▲ 0 ▼ 0

by ItsJohnLocke

spl

REST Call for a get details about Alert cron_schedules

▲ 0 ▼ 0

by MaryamSaniee

spl

Splunk License Usage Over the Last 30 Days

▲ 9 ▼ 1

by SplunkNinja

spl

Remove mulitple values from a multivalue field

▲ 0 ▼ 0

by Azeemering

spl

Show all currently logged in users

▲ 3 ▼ 0

by ItsJohnLocke

spl

Splunk Objects With Permissions Granted to Non-existent Roles

▲ 2 ▼ 0

by ItsJohnLocke

spl

WinEventLog:Security

List of Legitimate Account Names in Windows

▲ 4 ▼ 0

by ItsJohnLocke

spl

Enterprise Security crowdstrike

CrowdStrike Audit Event Correlation

▲ 2 ▼ 1

by LTRand

spl

List Reports and Wrap the text

▲ 2 ▼ 0

by Opeyemi Olatunji

spl

Perfmon:Free Disk Space

Low Disk Space Alert for Windows Servers

▲ 5 ▼ 3

by Suren

spl

Top 5 Visiting Countries in IIS

▲ 0 ▼ 0

by SplunkNinja

spl

Indexes in Splunk

▲ 3 ▼ 1

by wrangler2x

spl

Universal Forwarder Throughput Statistics

▲ 8 ▼ 0

by Azeemering

spl

Rename _time field in a TimeChart

▲ 6 ▼ 1

by SplunkNinja

spl

REST Call for Memory & CPU usage on Splunk Servers

▲ 10 ▼ 0

by ItsJohnLocke

spl

REST Call for a list of Lookup Files

▲ 9 ▼ 1

by ItsJohnLocke

spl

Average Duration of a Session within an IIS Web Environment

▲ 2 ▼ 0

by Go Splunk

spl

F5 BigIP Brute Force and Session Abuse

▲ 2 ▼ 6

by riparino

spl

Saved Search Scheduler Activity

▲ 8 ▼ 0

by Azeemering

spl

Show indexing queue sizes

▲ 4 ▼ 0

by Azeemering

spl

List of all enabled correlation rules that generate a notable

▲ 2 ▼ 0

by Rbecwar

spl

port scan attack (by juniper)

▲ 1 ▼ 0

by MaryamSaniee

spl

Find where actual hostnames don't match the host from the Universal Forwarder

▲ 0 ▼ 0

by splunk-pony

spl

Linux Performance

Top Header cpu & memory status

▲ 3 ▼ 0

by manderso

spl

Escalation of Privileges via SU in Linux

▲ 5 ▼ 0

by SplunkNinja

spl

WinEventLog:System

Unintended Windows Shutdowns

▲ 2 ▼ 2

by ItsJohnLocke

spl

splunkd _internal

Detect Scheduler Running Twice a Search

▲ 0 ▼ 0

by masdeeper

spl

WinEventLog:System

Verify Windows Updates have been Applied

▲ 12 ▼ 0

by SplunkNinja

spl

Perfmon:CPU Load

Average CPU Usage on a Windows box

▲ 3 ▼ 2

by SplunkNinja

spl

REST Call for a list of Alert actions (Webhook_sms or Email or notable or ..)

▲ 1 ▼ 0

by MaryamSaniee

spl

WinEventLog:Security

New Service Installation on Windows

▲ 2 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Gauge of Windows Failed Logons

▲ 2 ▼ 0

by Go Splunk

spl

License Usage by Pool per hour for last 24 hours

▲ 3 ▼ 0

by xoff00

spl

Median Duration of a Session within an IIS Web Environment

▲ 1 ▼ 0

by Go Splunk

spl

splunkd Fun Stuff & Helpful Hints

List of index available to your role

▲ 7 ▼ 0

by masdeeper

spl

Track Remediation Progress by OS - Qualys

▲ 1 ▼ 3

by SplunkNinja

spl

WinEventLog:Security

User Logon / Session Duration

▲ 17 ▼ 5

by SplunkNinja

spl

date_zone=local is bad

▲ 0 ▼ 2

by masdeeper

spl

Datamodel Search Performance

▲ 4 ▼ 0

by Azeemering

spl

Average Search Duration

▲ 4 ▼ 0

by ItsJohnLocke

spl

Time Offset on Splunk Servers

▲ 1 ▼ 1

by john117

spl

Malware Fun Stuff & Helpful Hints

Multiple Malware Detections on a Single Host

▲ 2 ▼ 6

by SplunkMasterFlex

spl

Search to show what apps are ready to be updated

▲ 1 ▼ 0

by manderso

spl

List of Source Names and Frequency of Events

▲ 0 ▼ 0

by SplunkNinja

spl

Show how much disk space is used by _internal

▲ 0 ▼ 1

by ItsJohnLocke

spl

List of hosts and sourcetypes not sending data in last 24 Hours

▲ 3 ▼ 10

by alacer.cogitatus

spl

WinEventLog:Security

Failed Attempt to Initiate Remote Desktop Session

▲ 4 ▼ 0

by SplunkNinja

spl

Build License usage by Group

▲ 0 ▼ 1

by manderso

spl

DBConnect _internal

User Activity in DBConnect

▲ 5 ▼ 0

by SplunkNinja

spl

Top 10 Most Active Hosts in a Linux Environment

▲ 1 ▼ 0

by SplunkNinja

spl

Splunk Admin Account Activity - Account Modifications

▲ 2 ▼ 0

by john117

spl

Number of Hosts the Root Account was Detected on

▲ 2 ▼ 0

by SplunkNinja

spl

Apdex Score

▲ 4 ▼ 0

by Taras Ustyianovych

spl

WinEventLog:Security

Accounts Disabled

▲ 1 ▼ 1

by ItsJohnLocke

spl

Memory Usage (MB) per Splunk Process Class

▲ 1 ▼ 0

by Azeemering

spl

Retention Period in days per index

▲ 4 ▼ 2

by Azeemering

spl

Splunk CIM Assist

▲ 10 ▼ 2

by Lyxx

spl

Most Active Day and Least Active Day for IIS Web Traffic

▲ 0 ▼ 0

by SplunkNinja

spl

List All Hosts Associated with All Indexes

▲ 21 ▼ 2

by SplunkNinja

spl

Reflected DDoS Attack

▲ 0 ▼ 0

by MaryamSaniee

spl

WinEventLog:Security

Successful File Access Attempts and Filename Accessed

▲ 3 ▼ 0

by SplunkNinja

spl

Malware Detection

▲ 10 ▼ 14

by ItsJohnLocke

spl

WinEventLog:Security

Modification to File Permissions in Windows

▲ 1 ▼ 2

by SplunkNinja

spl

List of Alerts via REST

▲ 3 ▼ 2

by ItsJohnLocke

spl

WinEventLog:Security

Successful Windows Logons with Average Overlay

▲ 2 ▼ 1

by ItsJohnLocke

spl

WinEventLog:System

Microsoft AntiMalware Scan Completion

▲ 0 ▼ 0

by SplunkNinja

spl

Hosts Taking a Long Time to Scan - Qualys

▲ 0 ▼ 0

by SplunkNinja

spl

Get Fields Defined for Multiple KVStore Collections

▲ 1 ▼ 0

by arcsector

spl

Count of Splunk Errors Per Host

▲ 4 ▼ 1

by ItsJohnLocke

spl

Find success login after 10 failures with streamstats

▲ 6 ▼ 1

by iv.shamanow

spl

Clean or Delete Data in a given Source

▲ 2 ▼ 3

by SplunkNinja

spl

Detect Indexers in Maintenance Mode

▲ 1 ▼ 0

by pjcordes

spl

Hard Disk Usage and Information on Splunk Server

▲ 13 ▼ 1

by SplunkNinja

spl

IIS: 404 errors

▲ 0 ▼ 0

by Ronald (Access42)

spl

Repeated Unsuccessful Logon Attempts in Linux

▲ 2 ▼ 1

by SplunkNinja

spl

WinEventLog:Security

Security Access granted to an Account

▲ 1 ▼ 1

by SplunkNinja

spl

Detailed User Activity

▲ 2 ▼ 0

by tokenwander

spl

Enterprise Security

Alert when ESCU updates detections

▲ 0 ▼ 0

by thelawsofchaos

spl

WinEventLog:Security

Number of Accounts Created in a Windows Environment

▲ 2 ▼ 2

by Go Splunk

spl

Show cron frequency and scheduling of all scheduled searches

▲ 5 ▼ 0

by Azeemering

spl

WinEventLog:Security

Account Modifications in a Windows Environment

▲ 1 ▼ 0

by ItsJohnLocke

spl

WinEventLog:Security

Logon Types within a Windows Environment (with logon count)

▲ 12 ▼ 0

by Go Splunk

spl

WinEventLog:Security

Accounts Deleted via EventID's that Correspond with Post XP/2003 Operating Systems

▲ 1 ▼ 1

by Go Splunk

spl

Show all Indexes and Sourcetypes via REST

▲ 3 ▼ 0

by ItsJohnLocke

spl

find blocking queues

▲ 9 ▼ 1

by sedi

spl

Bucket Count by State over Index

▲ 1 ▼ 0

by Azeemering

spl

Top 10 most active Users in Linux

▲ 3 ▼ 0

by SplunkNinja

spl

Sysmon - Find Processes with Renamed Executables

▲ 0 ▼ 0

by jwalzer

spl

Detailed list of Errors Per Host

▲ 4 ▼ 0

by ItsJohnLocke

spl

Get KV Store Metrics

▲ 6 ▼ 0

by ccloutier

spl

splunkd _internal

Detailed list of Universal Forwarders Reporting to Indexer

▲ 14 ▼ 0

by SplunkNinja

spl

DNS search for encoded data

▲ 3 ▼ 0

by Azeemering

spl

Enterprise Security

Correlation Search Audit Search

▲ 2 ▼ 0

by Azeemering

spl

RFQ - Request For Query

Unable to get a search to work properly

▲ 0 ▼ 1

by irishjd

spl

Qualys Hosts not Scanned in 30 days+

▲ 0 ▼ 0

by CattyWampus

spl

SSL Certificates expired

▲ 4 ▼ 0

by Ronald (Access42)

spl

Top 10 most vulnerable systems (Tenable)

▲ 4 ▼ 0

by Ronald (Access42)

spl

Get Sourcetype and Index Info via TSTATS

▲ 10 ▼ 0

by john117

spl

Visits by Days of the Week in IIS

▲ 1 ▼ 0

by SplunkNinja

spl

Successful Linux Logons by Username

▲ 5 ▼ 1

by ItsJohnLocke

spl

Convert Seconds to Hours Minutes Seconds HHMMSS

▲ 9 ▼ 0

by SplunkNinja

spl

List of Sourcetypes Sent by Forwarder

▲ 4 ▼ 4

by SplunkNinja

spl

WinEventLog:Security

Windows Failed Logons with Average Overlay

▲ 7 ▼ 0

by ItsJohnLocke

spl

Weekend Web Traffic Summary in IIS

▲ 0 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Time between Account Creation and Account Deletion

▲ 1 ▼ 0

by SplunkNinja

spl

Fun Stuff & Helpful Hints

Easter egg that created sample data

▲ 9 ▼ 0

by Azeemering

spl

WinEventLog:Security

Account Enabled in Windows

▲ 0 ▼ 0

by SplunkNinja

spl

_audit _internal

Show Searches with Details (Who | When | What)

▲ 16 ▼ 0

by SplunkNinja

spl

Top 25 Most Vulnerable Systems by OS - Qualys

▲ 1 ▼ 0

by SplunkNinja

spl

Index Modifications

▲ 1 ▼ 1

by john117

spl

Investigate by MAC, IP all VPN authentications through CISCO_ISE

▲ 1 ▼ 0

by Opeyemi Olatunji

spl

Timestamp vs Indextime of Events (Diagnostic Query)

▲ 11 ▼ 0

by SplunkNinja

spl

Groundspeed Violation/Improbable Access

▲ 6 ▼ 0

by riparino

spl

WinEventLog:Security

User Logon, Logoff, and Duration

▲ 12 ▼ 5

by kme723

spl

List permissions for Users, roles, allowed indexes and indexes searched by default

▲ 10 ▼ 0

by sedi

spl

_internal audittrail

Splunk Server Restart Duration

▲ 6 ▼ 2

by ItsJohnLocke

spl

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys

▲ 0 ▼ 0

by SplunkNinja

spl

Events Sent to Null Que - Internal Logs

▲ 0 ▼ 0

by john117

spl

Total Hits on Most Active Day in IIS

▲ 0 ▼ 0

by SplunkNinja

spl

License Usage by Sourcetypes

▲ 9 ▼ 0

by SplunkNinja

spl

Sysmon - Outbound Connections by Process

▲ 0 ▼ 0

by jwalzer

spl

WinEventLog:Security

Failed Attempt to Login to a Disabled Account

▲ 12 ▼ 2

by SplunkNinja

spl

Searches to check search concurrency for historical or real time

▲ 2 ▼ 2

by rsimmons

spl

_internal splunkd

Count of Host added to Splunk by Month

▲ 4 ▼ 0

by kishorebk

spl

Top 5 License Consuming Hosts

▲ 1 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Failed Logins Windows

▲ 2 ▼ 3

by SplunkNinja

spl

WinEventLog:Security

Accounts Deleted within 24 Hours of Creation

▲ 12 ▼ 0

by SplunkNinja

spl

Permissions for splunk users

▲ 5 ▼ 0

by manderso

spl

List Inputs using REST

▲ 0 ▼ 0

by ItsJohnLocke

spl

Internal Splunk User Modifications

▲ 2 ▼ 0

by CattyWampus

spl

WinEventLog:Security

Gauge of Windows Successful Logons

▲ 1 ▼ 0

by Go Splunk

spl

WinEventLog:System WinEventLog:Application

Event Logs | System Logs | Warnings and Errors

▲ 8 ▼ 0

by kharris

spl

Search for duplicate events in Splunk

▲ 16 ▼ 2

by Azeemering

spl

IPS Traffic Increase

▲ 2 ▼ 6

by SplunkMasterFlex

spl

Fun Stuff & Helpful Hints

Baselining Dashboard

▲ 2 ▼ 0

by SplunkMasterFlex

spl

Port usage for opsec sourcetype

▲ 1 ▼ 0

by pradeep577

spl

Memory Usage and Information on Splunk Server

▲ 5 ▼ 0

by ItsJohnLocke

spl

WinEventLog:Security

DLL Serach Oreder Hijacking (mitre : T1574.001)

▲ 1 ▼ 0

by MaryamSaniee

spl

WinEventLog:Security

Monitor File Shares being Accessed in Windows

▲ 7 ▼ 0

by john117

spl

List All Splunk Users & Associated Roles

▲ 1 ▼ 2

by john117

spl

identify knowledge objects, permissions and extractions

▲ 5 ▼ 0

by sedi

spl

opensense Networking

Blocked Firewall Scanning Activity with indicator if Source has been allowed.

▲ 4 ▼ 1

by thall

spl

Universal Forwarder Splunk Versions

▲ 2 ▼ 0

by jaracan

spl

WinEventLog:Security

Timechart of the status of an Locked Out Account

▲ 3 ▼ 0

by Azeemering

spl

WinEventLog:Security

Windows File Access Attempts

▲ 1 ▼ 0

by SplunkNinja

spl

Top Offending SSH Failure by Source IP

▲ 3 ▼ 0

by DaveyBoy

spl

Who's Using Splunk?

▲ 3 ▼ 1

by tokenwander

spl

apache access_combined

Utilizing tstats for Page Views within Apache Web Logs

▲ 1 ▼ 0

by SplunkNinja

spl

Concurrent Users on Apache Web

▲ 2 ▼ 0

by SplunkNinja

spl

WinEventLog:System

Windows Power Off Duration

▲ 1 ▼ 0

by SplunkNinja

spl

Detect Dying Sourcetypes

▲ 0 ▼ 0

by riparino

spl

WinEventLog:Security

File Deletion Attempts In Windows

▲ 1 ▼ 0

by SplunkNinja

spl

See who is using Splunk by user, app and view

▲ 8 ▼ 0

by tnesavich

spl

WinEventLog:Security

Failed Logon Attempts - Windows

▲ 3 ▼ 0

by SplunkNinja

spl

Percentage of skipped searches

▲ 2 ▼ 0

by Azeemering

spl

List forwarders generating socket errors due to unkown SSL protocol

▲ 0 ▼ 0

by wrangler2x

spl

Detect ShellShock Attempts in Apache Logs

▲ 6 ▼ 0

by mjeffery

spl

Sourcetype missing in Datamodels

▲ 0 ▼ 0

by AzJimbo

spl

Percentage of Daily License Usage

▲ 6 ▼ 5

by SplunkNinja

spl

List Ports Forwarders are Using

▲ 1 ▼ 0

by ItsJohnLocke

spl

List Deployment Client

▲ 3 ▼ 0

by Opeyemi Olatunji

spl

Qualys 30 Day trending of Re-Opened Vulnerabilities

▲ 0 ▼ 0

by CattyWampus

spl

Search All Traffic by src / action - Creates Table

▲ 1 ▼ 1

by pocketaces

spl

Failed Login to OSX

▲ 0 ▼ 0

by ItsJohnLocke

spl

List of Forwarders that are Deployment Clients

▲ 2 ▼ 1

by SplunkNinja

spl

_internal splunkd

Introspection - Memory used by SID (Search ID)

▲ 3 ▼ 0

by chubbybunny

spl

Find duplicate events

▲ 0 ▼ 0

by gr33nlant3rn

spl

access_combined

Worldmap with unique visitors last 24 hours

▲ 1 ▼ 0

by m1ll3n1umf4lc0n

spl

Bucket Count by indexer/index

▲ 3 ▼ 0

by Azeemering

spl

Parsing Military Time Zones

▲ 1 ▼ 0

by masdeeper

spl

Find queues that are nearly full

▲ 2 ▼ 0

by xoff00

spl

Enterprise Security Fun Stuff & Helpful Hints

List all ES Correlation Searches

▲ 17 ▼ 0

by akhamis

spl

Comparing Stats Time Over Time

▲ 6 ▼ 0

by kfeagans

spl

check expected splunk version with reality

▲ 1 ▼ 0

by sedi

spl

Monitoring linux_secure

Compare Successful Internal Vs External Connections

▲ 5 ▼ 1

by DaveyBoy

spl

Last Time a Forwarder Checked In

▲ 6 ▼ 0

by SplunkNinja

spl

License Usage Prediction

▲ 4 ▼ 2

by ItsJohnLocke

spl

Removal of USB Storage Device

▲ 5 ▼ 0

by SplunkNinja

spl

WinEventLog:Security

Successful Logons - Windows

▲ 2 ▼ 0

by SplunkNinja

spl

IIS: 401 and 403 errors

▲ 0 ▼ 0

by Ronald (Access42)

spl

Count of Attackers on Juniper Devices

▲ 3 ▼ 8

by ItsJohnLocke

spl

skipped searches and why

▲ 6 ▼ 0

by sedi

spl

WinEventLog:Security

File Accesses in a Windows Environment by user

▲ 1 ▼ 0

by Go Splunk

spl

Data model Acceleration Details

▲ 0 ▼ 3

by Azeemering