Newest Queries -

Show cron frequency and scheduling of all scheduled searches

This search shows you all scheduled searches and their respective cron frequency and cron schedule. This also helps finding frequently running saved searches.

| rest splunk_server=local "/servicesNS/-/-/saved/searches/" search="is_scheduled=1" search="disabled=0" 
| fields title, cron_schedule, eai:acl.app
| rename title as savedsearch_name 
| eval pieces=split(cron_schedule, " ") 
| eval c_min=mvindex(pieces, 0), c_h=mvindex(pieces, 1), c_d=mvindex(pieces, 2), c_mday=mvindex(pieces, 3), c_wday=mvindex(pieces, 4) 
| eval c_min_div=if(match(c_min, "/"), replace(c_min, "^.*/(\d+)$", "\1"), null()) 
| eval c_mins=if(match(c_min, ","), split(c_min, ","), null()) 
| eval c_min_div=if(isnotnull(c_mins), abs(tonumber(mvindex(c_mins, 1)) - tonumber(mvindex(c_mins, 0))), c_min_div) 
| eval c_hs=if(match(c_h, ","), split(c_h, ","), null()) 
| eval c_h_div=case(match(c_h, "/"), replace(c_h, "^.*/(\d+)$", "\1"), isnotnull(c_hs), abs(tonumber(mvindex(c_hs, 1)) - tonumber(mvindex(c_hs, 0))), 1=1, null()) 
| eval c_wdays=if(match(c_wday, ","), split(c_wday, ","), null()) 
| eval c_wday_div=case(match(c_wday, "/"), replace(c_wday, "^.*/(\d+)$", "\1"), isnotnull(c_wdays), abs(tonumber(mvindex(c_wdays, 1)) - tonumber(mvindex(c_wdays, 0))), 1=1, null()) 
| eval i_m=case(c_d < 29, 86400 * 28, c_d = 31, 86400 * 31, 1=1, null()) 
| eval i_h=case(isnotnull(c_h_div), c_h_div * 3600, c_h = "*", null(), match(c_h, "^\d+$"), 86400) 
| eval i_min=case(isnotnull(c_min_div), c_min_div * 60, c_min = "*", 60, match(c_min, "^\d+$"), 3600) 
| eval i_wk=case(isnotnull(c_wday_div), c_wday_div * 86400, c_wday = "*", null(), match(c_wday, "^\d+$"), 604800) 
| eval cron_minimum_freq=case(isnotnull(i_m), i_m, isnotnull(i_wk) AND isnotnull(c_min_div), i_min, isnotnull(i_wk) AND isnull(c_min_div), i_wk, isnotnull(i_h), i_h, 1=1, min(i_min)) 
| fields - c_d c_h c_hs c_h_div c_mday c_min c_min_div c_mins c_wday c_wdays c_wday_div pieces i_m i_min i_h i_wk 
| fields savedsearch_name cron_minimum_freq cron_schedule eai:acl.app

| rest splunk_server=local "/servicesNS/-/-/saved/searches/" search="is_scheduled=1" search="disabled=0"

| fields title, cron_schedule, eai:acl.app

| rename title as savedsearch_name

| eval pieces=split(cron_schedule, " ")

| eval c_min=mvindex(pieces, 0), c_h=mvindex(pieces, 1), c_d=mvindex(pieces, 2), c_mday=mvindex(pieces, 3), c_wday=mvindex(pieces, 4)

| eval c_min_div=if(match(c_min, "/"), replace(c_min, "^.*/(\d+)$", "\1"), null())

| eval c_mins=if(match(c_min, ","), split(c_min, ","), null())

| eval c_min_div=if(isnotnull(c_mins), abs(tonumber(mvindex(c_mins, 1)) - tonumber(mvindex(c_mins, 0))), c_min_div)

| eval c_hs=if(match(c_h, ","), split(c_h, ","), null())

| eval c_h_div=case(match(c_h, "/"), replace(c_h, "^.*/(\d+)$", "\1"), isnotnull(c_hs), abs(tonumber(mvindex(c_hs, 1)) - tonumber(mvindex(c_hs, 0))), 1=1, null())

| eval c_wdays=if(match(c_wday, ","), split(c_wday, ","), null())

| eval c_wday_div=case(match(c_wday, "/"), replace(c_wday, "^.*/(\d+)$", "\1"), isnotnull(c_wdays), abs(tonumber(mvindex(c_wdays, 1)) - tonumber(mvindex(c_wdays, 0))), 1=1, null())

| eval i_m=case(c_d < 29, 86400 * 28, c_d = 31, 86400 * 31, 1=1, null())

| eval i_h=case(isnotnull(c_h_div), c_h_div * 3600, c_h = "*", null(), match(c_h, "^\d+$"), 86400)

| eval i_min=case(isnotnull(c_min_div), c_min_div * 60, c_min = "*", 60, match(c_min, "^\d+$"), 3600)

| eval i_wk=case(isnotnull(c_wday_div), c_wday_div * 86400, c_wday = "*", null(), match(c_wday, "^\d+$"), 604800)

| eval cron_minimum_freq=case(isnotnull(i_m), i_m, isnotnull(i_wk) AND isnotnull(c_min_div), i_min, isnotnull(i_wk) AND isnull(c_min_div), i_wk, isnotnull(i_h), i_h, 1=1, min(i_min))

| fields - c_d c_h c_hs c_h_div c_mday c_min c_min_div c_mins c_wday c_wdays c_wday_div pieces i_m i_min i_h i_wk

| fields savedsearch_name cron_minimum_freq cron_schedule eai:acl.app

Continue Reading →

Data model Acceleration Details

This Splunk Search shows you a lot of good information about your data model acceleration and performance.

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 <br />| eval key=replace(title,(("tstats:DM_" . 'eai:acl.app') . "_"),""), datamodel=replace('summary.id',(("DM_" . 'eai:acl.app') . "_"),"") <br />| join type=left key <br />    [| rest /services/data/models splunk_server=local count=0 <br />    | table title, "acceleration.cron_schedule", "eai:digest" <br />    | rename title as key <br />    | rename "acceleration.cron_schedule" as cron] <br />| table datamodel, "eai:acl.app", "summary.access_time", "summary.is_inprogress", "summary.size", "summary.latest_time", "summary.complete", "summary.buckets_size", "summary.buckets", cron, "summary.last_error", "summary.time_range", "summary.id", "summary.mod_time", "eai:digest", "summary.earliest_time", "summary.last_sid", "summary.access_count" <br />| rename "summary.id" as summary_id, "summary.time_range" as retention, "summary.earliest_time" as earliest, "summary.latest_time" as latest, "eai:digest" as digest <br />| rename "summary.*" as "*", "eai:acl.*" as "*" <br />| sort datamodel <br />| rename access_count as "Datamodel_Acceleration.access_count", access_time as "Datamodel_Acceleration.access_time", app as "Datamodel_Acceleration.app", buckets as "Datamodel_Acceleration.buckets", buckets_size as "Datamodel_Acceleration.buckets_size", cron as "Datamodel_Acceleration.cron", complete as "Datamodel_Acceleration.complete", datamodel as "Datamodel_Acceleration.datamodel", digest as "Datamodel_Acceleration.digest", earliest as "Datamodel_Acceleration.earliest", is_inprogress as "Datamodel_Acceleration.is_inprogress", last_error as "Datamodel_Acceleration.last_error", last_sid as "Datamodel_Acceleration.last_sid", latest as "Datamodel_Acceleration.latest", mod_time as "Datamodel_Acceleration.mod_time", retention as "Datamodel_Acceleration.retention", size as "Datamodel_Acceleration.size", summary_id as "Datamodel_Acceleration.summary_id" <br />| fields + "Datamodel_Acceleration.access_count", "Datamodel_Acceleration.access_time", "Datamodel_Acceleration.app", "Datamodel_Acceleration.buckets", "Datamodel_Acceleration.buckets_size", "Datamodel_Acceleration.cron", "Datamodel_Acceleration.complete", "Datamodel_Acceleration.datamodel", "Datamodel_Acceleration.digest", "Datamodel_Acceleration.earliest", "Datamodel_Acceleration.is_inprogress", "Datamodel_Acceleration.last_error", "Datamodel_Acceleration.last_sid", "Datamodel_Acceleration.latest", "Datamodel_Acceleration.mod_time", "Datamodel_Acceleration.retention", "Datamodel_Acceleration.size", "Datamodel_Acceleration.summary_id" <br />| rename "Datamodel_Acceleration.*" as "*" <br />| join type=outer last_sid <br />    [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* <br />    | rename sid as last_sid <br />    | fields + last_sid, runDuration] <br />| eval "size(MB)"=round((size / 1048576),1), "retention(days)"=if((retention == 0),"unlimited",round((retention / 86400),1)), "complete(%)"=round((complete * 100),1), "runDuration(s)"=round(runDuration,1) <br />| sort 100 + datamodel <br />| table datamodel, app, cron, "retention(days)", earliest, latest, is_inprogress, "complete(%)", "size(MB)", "runDuration(s)", last_error

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 <br />| eval key=replace(title,(("tstats:DM_" . 'eai:acl.app') . "_"),""), datamodel=replace('summary.id',(("DM_" . 'eai:acl.app') . "_"),"") <br />| join type=left key <br /> [| rest /services/data/models splunk_server=local count=0 <br /> | table title, "acceleration.cron_schedule", "eai:digest" <br /> | rename title as key <br /> | rename "acceleration.cron_schedule" as cron] <br />| table datamodel, "eai:acl.app", "summary.access_time", "summary.is_inprogress", "summary.size", "summary.latest_time", "summary.complete", "summary.buckets_size", "summary.buckets", cron, "summary.last_error", "summary.time_range", "summary.id", "summary.mod_time", "eai:digest", "summary.earliest_time", "summary.last_sid", "summary.access_count" <br />| rename "summary.id" as summary_id, "summary.time_range" as retention, "summary.earliest_time" as earliest, "summary.latest_time" as latest, "eai:digest" as digest <br />| rename "summary.*" as "*", "eai:acl.*" as "*" <br />| sort datamodel <br />| rename access_count as "Datamodel_Acceleration.access_count", access_time as "Datamodel_Acceleration.access_time", app as "Datamodel_Acceleration.app", buckets as "Datamodel_Acceleration.buckets", buckets_size as "Datamodel_Acceleration.buckets_size", cron as "Datamodel_Acceleration.cron", complete as "Datamodel_Acceleration.complete", datamodel as "Datamodel_Acceleration.datamodel", digest as "Datamodel_Acceleration.digest", earliest as "Datamodel_Acceleration.earliest", is_inprogress as "Datamodel_Acceleration.is_inprogress", last_error as "Datamodel_Acceleration.last_error", last_sid as "Datamodel_Acceleration.last_sid", latest as "Datamodel_Acceleration.latest", mod_time as "Datamodel_Acceleration.mod_time", retention as "Datamodel_Acceleration.retention", size as "Datamodel_Acceleration.size", summary_id as "Datamodel_Acceleration.summary_id" <br />| fields + "Datamodel_Acceleration.access_count", "Datamodel_Acceleration.access_time", "Datamodel_Acceleration.app", "Datamodel_Acceleration.buckets", "Datamodel_Acceleration.buckets_size", "Datamodel_Acceleration.cron", "Datamodel_Acceleration.complete", "Datamodel_Acceleration.datamodel", "Datamodel_Acceleration.digest", "Datamodel_Acceleration.earliest", "Datamodel_Acceleration.is_inprogress", "Datamodel_Acceleration.last_error", "Datamodel_Acceleration.last_sid", "Datamodel_Acceleration.latest", "Datamodel_Acceleration.mod_time", "Datamodel_Acceleration.retention", "Datamodel_Acceleration.size", "Datamodel_Acceleration.summary_id" <br />| rename "Datamodel_Acceleration.*" as "*" <br />| join type=outer last_sid <br /> [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* <br /> | rename sid as last_sid <br /> | fields + last_sid, runDuration] <br />| eval "size(MB)"=round((size / 1048576),1), "retention(days)"=if((retention == 0),"unlimited",round((retention / 86400),1)), "complete(%)"=round((complete * 100),1), "runDuration(s)"=round(runDuration,1) <br />| sort 100 + datamodel <br />| table datamodel, app, cron, "retention(days)", earliest, latest, is_inprogress, "complete(%)", "size(MB)", "runDuration(s)", last_error

Continue Reading →

Splunk CIM Assist

Got tired of having to go through each data source to determine what indexes should go into the Splunk_SA_CIM search macros, this does the leg work.

index=*
| fields index, tag, user, action, object_category
| eval datamodel = if(tag="alert", index."."."alert", datamodel)
| eval datamodel = if(tag="listening" AND tag="port", index."."."application_state_deprecated"."."."endpoint", datamodel)
| eval datamodel = if(tag="process" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)
| eval datamodel = if(tag="service" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)
| eval datamodel = if(tag="authentication" AND action!="success" AND user!="*$", index."."."authentication", datamodel)
| eval datamodel = if(tag="certificate", index."."."certificates", datamodel)
| eval datamodel = if(tag="change" AND NOT (object_category=file OR object_category=directory OR object_category=registry), index."."."change"."."."change_analysis_deprecated", datamodel)
| eval datamodel = if(tag="dlp" AND tag="incident", index."."."data_loss_prevention", datamodel)
| eval datamodel = if(tag="database", index."."."database", datamodel)
| eval datamodel = if(tag="email", index."."."email", datamodel)
| eval datamodel = if(tag="endpoint" AND tag="filesystem", index."."."endpoint", datamodel)
| eval datamodel = if(tag="endpoint" AND tag="registry", index."."."endpoint", datamodel)
| eval datamodel = if(tag="track_event_signatures" AND (signature="*" OR signature_id="*"), index."."."event_signatures", datamodel)
| eval datamodel = if(tag="messaging", index."."."interprocess_messaging", datamodel)
| eval datamodel = if(tag="ids" AND tag="attack", index."."."intrusion_detection", datamodel)
| eval datamodel = if(tag="inventory" AND (tag="cpu" OR tag="memory" OR tag="network" OR tag="storage" OR (tag="system" AND tag="version") OR tag="user" OR tag="virtual"), index."."."inventory", datamodel)
| eval datamodel = if(tag="jvm", index."."."jvm", datamodel)
| eval datamodel = if(tag="malware" AND tag="attack", index."."."malware", datamodel)
| eval datamodel = if(tag="network" AND tag="resolution" AND tag="dns", index."."."network_resolution_dns", datamodel)
| eval datamodel = if(tag="network" AND tag="session", index."."."network_sessions", datamodel)
| eval datamodel = if(tag="network" AND tag="communicate", index."."."network_traffic", datamodel)
| eval datamodel = if(tag="performance" AND (tag="cpu" OR tag="facilities" OR tag="memory" OR tag="storage" OR tag="network" OR (tag="os" AND ((tag="time" AND tag="synchronize") OR tag="uptime"))), index."."."performance", datamodel)
| eval datamodel = if(tag="ticketing", index."."."ticket_managment", datamodel)
| eval datamodel = if(tag="update" AND tag="status", index."."."updates", datamodel)
| eval datamodel = if(tag="vulnerability" AND tag="report", index."."."vulnerabilities", datamodel)
| eval datamodel = if(tag="web", index."."."web", datamodel)
| rex field=datamodel "(?<index>[^\\.]+)\.(?<datamodel>.*)"
| makemv delim="." datamodel
| stats values(index) as index by datamodel

index=*

| fields index, tag, user, action, object_category

| eval datamodel = if(tag="alert", index."."."alert", datamodel)

| eval datamodel = if(tag="listening" AND tag="port", index."."."application_state_deprecated"."."."endpoint", datamodel)

| eval datamodel = if(tag="process" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)

| eval datamodel = if(tag="service" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)

| eval datamodel = if(tag="authentication" AND action!="success" AND user!="*$", index."."."authentication", datamodel)

| eval datamodel = if(tag="certificate", index."."."certificates", datamodel)

| eval datamodel = if(tag="change" AND NOT (object_category=file OR object_category=directory OR object_category=registry), index."."."change"."."."change_analysis_deprecated", datamodel)

| eval datamodel = if(tag="dlp" AND tag="incident", index."."."data_loss_prevention", datamodel)

| eval datamodel = if(tag="database", index."."."database", datamodel)

| eval datamodel = if(tag="email", index."."."email", datamodel)

| eval datamodel = if(tag="endpoint" AND tag="filesystem", index."."."endpoint", datamodel)

| eval datamodel = if(tag="endpoint" AND tag="registry", index."."."endpoint", datamodel)

| eval datamodel = if(tag="track_event_signatures" AND (signature="*" OR signature_id="*"), index."."."event_signatures", datamodel)

| eval datamodel = if(tag="messaging", index."."."interprocess_messaging", datamodel)

| eval datamodel = if(tag="ids" AND tag="attack", index."."."intrusion_detection", datamodel)

| eval datamodel = if(tag="inventory" AND (tag="cpu" OR tag="memory" OR tag="network" OR tag="storage" OR (tag="system" AND tag="version") OR tag="user" OR tag="virtual"), index."."."inventory", datamodel)

| eval datamodel = if(tag="jvm", index."."."jvm", datamodel)

| eval datamodel = if(tag="malware" AND tag="attack", index."."."malware", datamodel)

| eval datamodel = if(tag="network" AND tag="resolution" AND tag="dns", index."."."network_resolution_dns", datamodel)

| eval datamodel = if(tag="network" AND tag="session", index."."."network_sessions", datamodel)

| eval datamodel = if(tag="network" AND tag="communicate", index."."."network_traffic", datamodel)

| eval datamodel = if(tag="performance" AND (tag="cpu" OR tag="facilities" OR tag="memory" OR tag="storage" OR tag="network" OR (tag="os" AND ((tag="time" AND tag="synchronize") OR tag="uptime"))), index."."."performance", datamodel)

| eval datamodel = if(tag="ticketing", index."."."ticket_managment", datamodel)

| eval datamodel = if(tag="update" AND tag="status", index."."."updates", datamodel)

| eval datamodel = if(tag="vulnerability" AND tag="report", index."."."vulnerabilities", datamodel)

| eval datamodel = if(tag="web", index."."."web", datamodel)

| rex field=datamodel "(?<index>[^\\.]+)\.(?<datamodel>.*)"

| makemv delim="." datamodel

| stats values(index) as index by datamodel

Continue Reading →

Search for disabled AD accounts that have been re-enabled

This is a search you can use as an alert or whatever you desire to look for AD accounts that have been disabled in the past 90 days then re-enabled in the past 24h. You can tweak as needed.

index=YOURINDEX EventCode IN (4725,4722) earliest=-90d 
| eval account=mvindex(Account_Name,1) ```separate out the account from the logs and create a field for it```
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent, latest(Account_Name) as lastAccounts, earliest(Account_Name) as firstAccounts by account ```get the stats values of these fields and rename them for further manipulation```
| eval last_action_user=mvindex(lastAccounts,0), first_action_user=mvindex(firstAccounts, 0) ```separate out the accounts that did the disabling & re-enabling and create fields for them```
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| eval enabled_DT=mvindex(times,-1), disabled_DT=mvindex(times, -1-1) ```create fields to show when the affected account was disabled then re-enabled```
| where enabled_DT > relative_time(now(), "-1h@h") ```this determines what range to look for the re-enabling```
| table first_action_user, account, last_action_user, disabled_DT, enabled_DT
| rename first_action_user as "Disable Actioning Account", account as "Enabled Account", last_action_user as "Enable Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled"
| convert ctime("DateTime Disabled"), ctime("DateTime Enabled") ```need to convert the time from Unix Epoch to standard time```

index=YOURINDEX EventCode IN (4725,4722) earliest=-90d

| eval account=mvindex(Account_Name,1) ```separate out the account from the logs and create a field for it```

| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent, latest(Account_Name) as lastAccounts, earliest(Account_Name) as firstAccounts by account ```get the stats values of these fields and rename them for further manipulation```

| eval last_action_user=mvindex(lastAccounts,0), first_action_user=mvindex(firstAccounts, 0) ```separate out the accounts that did the disabling & re-enabling and create fields for them```

| replace "4722" with "enabled" in firstEvent, lastEvent

| replace "4725" with "disabled" in firstEvent, lastEvent

| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"

| eval enabled_DT=mvindex(times,-1), disabled_DT=mvindex(times, -1-1) ```create fields to show when the affected account was disabled then re-enabled```

| where enabled_DT > relative_time(now(), "-1h@h") ```this determines what range to look for the re-enabling```

| table first_action_user, account, last_action_user, disabled_DT, enabled_DT

| rename first_action_user as "Disable Actioning Account", account as "Enabled Account", last_action_user as "Enable Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled"

| convert ctime("DateTime Disabled"), ctime("DateTime Enabled") ```need to convert the time from Unix Epoch to standard time```

Continue Reading →

Query for when PowerShell execution policy is set to Bypass

index="windows" sourcetype=WinRegistry key_path="HKLM\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy"
| table _time, host, registry_type, registry_value_data, registry_value_name
| rename host as Host, registry_type as Action, registry_value_data as "Registry Value", registry_value_name as "Registry Value Name"

index="windows" sourcetype=WinRegistry key_path="HKLM\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy"

| table _time, host, registry_type, registry_value_data, registry_value_name

| rename host as Host, registry_type as Action, registry_value_data as "Registry Value", registry_value_name as "Registry Value Name"

Continue Reading →

Reports Owned by Admin Users and Writable by Others

| rest /servicesNS/-/-/saved/searches splunk_server=local
| where [|rest /services/authentication/users splunk_server=local | search roles="admin" |fields title | rename title as author] OR author="nobody" 
| rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles
| table author write_roles splunk_server app savedsearch_name splunk_server
| mvexpand write_roles
| where NOT write_roles IN("","admin")
| mvcombine write_roles
| eval search_name_for_link=savedsearch_name
| rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g"
| eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link
| fields - search_name_for_link splunk_server

| rest /servicesNS/-/-/saved/searches splunk_server=local

| rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles

| table author write_roles splunk_server app savedsearch_name splunk_server

| mvexpand write_roles

| where NOT write_roles IN("","admin")

| mvcombine write_roles

| eval search_name_for_link=savedsearch_name

| rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g"

| eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link

| fields - search_name_for_link splunk_server

I got a little fancy there with

search_name_for_link

1	search_name_for_link

. The link is for clicking from the inline table of the alert email. You can easily skip that.

Continue Reading →

Remove mulitple values from a multivalue field

This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter.

| gentimes start=-1 | eval field1="pink,fluffy,unicorns" | table field1 | makemv field1 delim="," | eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy"))

1	\| gentimes start=-1 \| eval field1="pink,fluffy,unicorns" \| table field1 \| makemv field1 delim="," \| eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy"))

Continue Reading →

List all your existing indexes or check if index exists

With this spl you can check what indexes exist or if you want to search for a specific index. List all indexes:

|rest /services/data/indexes | fields title | rename title AS index

1	\|rest /services/data/indexes \| fields title \| rename title AS index

Or check if a specific index exist use:

 |rest /services/data/indexes | fields title | rename title AS index | search index=yourindex

1	\|rest /services/data/indexes \| fields title \| rename title AS index \| search index=yourindex

Continue Reading →

Deployed application status

Created this dashboard to see when or if an application was deployed successfully. Close to splunkninja’s query, this will also show if the host in question also restarted to apply the new app.

<form>
  <label>Deployed Applications</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="loglevelpicker" searchWhenChanged="true">
      <label>Log Level</label>
      <choice value="INFO">INFO</choice>
      <choice value="WARN*">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <default>INFO,WARN*,ERROR</default>
      <valuePrefix>log_level=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="hostpicker">
      <label>Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <valuePrefix>host=</valuePrefix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=DeployedApplication
| stats count by host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="multiselect" token="apppicker" searchWhenChanged="true">
      <label>Application</label>
      <choice value="*">All</choice>
      <valuePrefix>*</valuePrefix>
      <valueSuffix>*</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>applicationx</fieldForLabel>
      <fieldForValue>applicationx</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=DeployedApplication
| rex field=file "var(\/|\\\\)run(\/|\\\\)\w+(\/|\\\\)(?&lt;app2&gt;\w+)-" 
| rex field=message "(etc|run)(\/|\\\\)(apps|\w+)(\/|\\\\)(?&lt;app3&gt;\w+)-\d+\.bundle" 
| rex field=message "etc(\/|\\\\)apps(\/|\\\\)(?&lt;app5&gt;[^\/|\\\\|']+)" 
| eval applicationx=coalesce(app,app2,app3,app5,application) 
| stats count by applicationx 
| fields - count</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=DeployedApplication $loglevelpicker$ $hostpicker$ $apppicker$
| table _time host app log_level event_message 
| sort - _time</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Last restart time</title>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO $hostpicker$ component=loader event_message="Splunkd starting*"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">0</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

100

101

102

<form>

<label>Deployed Applications</label>

<label>Log Level</label>

<choice value="WARN*">WARNING</choice>

<choice value="ERROR">ERROR</choice>

<default>INFO,WARN*,ERROR</default>

<valuePrefix>log_level=</valuePrefix>

</input>

</default>

</input>

<query>index=_internal sourcetype=splunkd component=DeployedApplication

| stats count by host</query>

</search>

</input>

<label>Application</label>

<fieldForLabel>applicationx</fieldForLabel>

<fieldForValue>applicationx</fieldForValue>

<query>index=_internal sourcetype=splunkd component=DeployedApplication

| rex field=file "var(\/|\\\\)run(\/|\\\\)\w+(\/|\\\\)(?<app2>\w+)-"

| rex field=message "etc(\/|\\\\)apps(\/|\\\\)(?<app5>[^\/|\\\\|']+)"

| eval applicationx=coalesce(app,app2,app3,app5,application)

| stats count by applicationx

| fields - count</query>

</search>

</input>

</fieldset>

<row>

<panel>

<table>

<query>index=_internal sourcetype=splunkd component=DeployedApplication $loglevelpicker$ $hostpicker$ $apppicker$

| table _time host app log_level event_message

| sort - _time</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

<row>

<panel>

<title>Last restart time</title>

<event>

<query>index=_internal sourcetype=splunkd log_level=INFO $hostpicker$ component=loader event_message="Splunkd starting*"</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</event>

</panel>

</row>

</form>

Continue Reading →

Splunk Apps added to an instance

| rest /services/deployment/server/clients splunk_server=local | table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname

1	\| rest /services/deployment/server/clients splunk_server=local \| table hostname applications*.stateOnClient \| untable hostname applications value \| eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") \| stats values(applications) as applications by hostname

Continue Reading →

emoji bonanza

Have you ever wanted to truly express your emotions related to your search results but wasn’t sure how? Why not use an emoji? But how, you ask? Well, problem solved. Welcome to the emoji bonanza!

<form theme="light" hideFilters="true">
<label>emoji bonanza</label>
<!---
Welcome to the emoji bonanza. A friend figured out how to get emoji in a dashboard, and I built this to see what was available.
There are many more available; I'll add them as time permits.

Punch list: find more character sets and make it easier to get to the selection options.

If you need a touch of humor, poop is 128169. It always makes me chuckle.

James Callahan www.professionalparanoid.com 1 Nov 2020 (waiting for the election during the pandemic, I needed a disctration).

-->
<!--
this row to debug and see how tokens are being set
<row>
<panel>
<html>unicode: $unicode$ pass: $pass$ count: $count$ base: $base$ setter: $setter$</html>
</panel>
</row>
-->
<fieldset submitButton="false">
<input type="checkbox" token="MoaT" searchWhenChanged="true">
<label> </label>
<choice value="Moat">Select Different Unicode Sets</choice>
</input>
</fieldset>

<row><panel>
<html>
<details>
<summary>Using Unicode Characters in Splunk Dashboards</summary>
<details>
<summary>What is this?</summary>
This is a way to review how different Unicode Character will present in a dashboard.<br/>
It also provides the Splunk eval statement necessary to add it to your query.<br/>
</details>
<details>
<summary>Selecting different character sets</summary>
Use the <font color="blue"><b>'Show Filters'</b></font> option above then select the check box. Some of the other character sets available will present in a row below. These are grouped according to a list found <a href="https://www.vertex42.com/ExcelTips/unicode-symbols.html" target="blank">here.</a> <br/>
The official repository for unicode is <a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blank">here</a>.<br/>
One thing I noticed is that some icons that would fit in one category appear in others (musical notes for example), So, if you're looking for something specific, you may have to dig a bit.<br/>
</details>
<details>
<summary>How to use this</summary>
<p>If you see a character you might want to use, click on it in the table and it will present in the sample panels with both light and dark theme background colors.</p>
Eventually, the goal is to figure out how to label these with names, but that will involve a lookup table, and right now this is just a single dashboard and not a full app.<br/>
Here's a sample of how you can use this:<a href="
/app/search/search?q=%7Cmakeresults%20count%3D1%0A%7Ceval%20weather%3D(%22rain%22)%0A%7Ceval%20show%3Dcase(weather%3D%22rain%22%2Cprintf(%22%25c%22%2C%20127782)%2C%20weather%3D%22clouds%22%2C%20printf(%22%25c%22%2C%20127781)%2C%20weather%3D%22snow%22%2Cprintf(%22%25c%22%2C%20128169)%2C1%3D1%2Cprintf(%22%25c%22%2C%20127774))%0A%7Ctable%20show&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;workload_pool=&amp;earliest=-24h%40h&amp;latest=now&amp;display.page.search.tab=visualizations&amp;display.general.type=visualizations&amp;display.visualizations.type=singlevalue&amp;display.visualizations.singlevalueHeight=214" target="_blank"> <b>Sample.</b> </a> When this opens in a new tab, adjust the 'weather' to one of the options (rain/clouds/snow) or to anything else to see the results. This should present as a single value visualization, but you can put these in any panel.
</details>
</details>
</html>
</panel></row>

<row depends="$MoaT$"><panel>

<input type="checkbox" token="emoji" searchWhenChanged="true">
<label></label>
<choice value="emoji">Emoji</choice>
</input>
<input type="checkbox" token="char" searchWhenChanged="true">
<label> </label>
<choice value="char">Characters</choice>
</input>
<input type="checkbox" token="game" searchWhenChanged="true">
<label> </label>
<choice value="game">Music/Games</choice>
</input>
<input type="checkbox" token="misc" searchWhenChanged="true">
<label> </label>
<choice value="misc">Miscellaneous</choice>
</input>
<input type="checkbox" token="graphic" searchWhenChanged="true">
<label> </label>
<choice value="graphics">Graphics</choice>
</input>
<input type="checkbox" token="arrow" searchWhenChanged="true">
<label> </label>
<choice value="arrow">Arrows</choice>
</input>
<input type="checkbox" token="math" searchWhenChanged="true">
<label> </label>
<choice value="math">Math</choice>
</input>
</panel>
<panel>

<!-- unique boxes -->
<input type="radio" token="checkbox" depends="$emoji$">
<label>Emoji &amp; Pictrographs</label>
<choice value="checkbox27">Emoticons</choice>
<choice value="checkbox20">Misc Symbols</choice>
<choice value="checkbox21">Dingbats</choice>
<choice value="checkbox28">Pictographs</choice>
<choice value="checkbox29">More Pictrographs</choice>

<default>checkbox28</default>
<change>
<condition value="checkbox20">
<set token="unicode">9728</set>
<set token="count">256</set>
<set token="base">9727</set>
</condition>
<condition value="checkbox21">
<set token="unicode">9984</set>
<set token="count">192</set>
<set token="base">9983</set>
</condition>
<condition value="checkbox27">
<set token="unicode">128521</set>
<set token="count">71</set>
<set token="base">128520</set>
</condition>
<condition value="checkbox28">
<set token="unicode">127790</set>
<set token="count">768</set>
<set token="base">127743</set>
</condition>
<condition value="checkbox29">
<set token="unicode">129305</set>
<set token="count">252</set>
<set token="base">129279</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$misc$">
<label>Misc</label>
<default>checkbox17</default>
<choice value="checkbox15">Misc-Tech</choice>
<choice value="checkbox30">Transport and Map</choice>
<choice value="checkbox31"> Control Pictures</choice>
<change>
<condition value="checkbox15">
<set token="unicode">9009</set>
<set token="count">256</set>
<set token="base">8959</set>
</condition>
<condition value="checkbox30">
<set token="unicode">128640</set>
<set token="count">128</set>
<set token="base">128639</set>
</condition>
<condition value="checkbox31">
<set token="unicode">9249</set>
<set token="count">96</set>
<set token="base">9216</set>
</condition>

</change>
</input>
<input type="radio" token="checkbox" depends="$game$">
<label>Music &amp; Games</label>
<default>checkbox2</default>
<choice value="checkbox24">Music</choice>
<choice value="checkbox25">Dominos</choice>
<choice value="checkbox26">Cards</choice>
<change>
<condition value="checkbox24">
<set token="unicode">119070</set>
<set token="count">256</set>
<set token="base">119039</set>
</condition>
<condition value="checkbox25">
<set token="unicode">127098</set>
<set token="count">112</set>
<set token="base">127023</set>
</condition>
<condition value="checkbox26">
<set token="unicode">127137</set>
<set token="count">96</set>
<set token="base">127135</set>
</condition>
</change>
</input>
<input id="radiochar" type="radio" token="checkbox" depends="$char$">
<label>Character Set</label>
<default>checkbox2</default>
<choice value="checkbox1">Standard Character Set</choice>
<choice value="checkbox2">General Punctuation</choice>
<choice value="checkbox3">Super and subscripts</choice>
<choice value="checkbox16">Enclosed Characters</choice>
<choice value="checkbox4">Currency</choice>
<choice value="checkbox5">Letterlike</choice>
<choice value="checkbox6">Greek</choice>
<choice value="checkbox22">Braille</choice>
<change>
<condition value="checkbox1">
<set token="unicode">74</set>
<set token="count">256</set>
<set token="base">-1</set>
</condition>
<condition value="checkbox2">
<set token="unicode">8253</set>
<set token="count">95</set>
<set token="base">8191</set>
</condition>
<condition value="checkbox3">
<set token="unicode">8304</set>
<set token="count">48</set>
<set token="base">8303</set>
</condition>
<condition value="checkbox4">
<set token="unicode">8364</set>
<set token="count">48</set>
<set token="base">8351</set>
</condition>
<condition value="checkbox5">
<set token="unicode">8478</set>
<set token="count">80</set>
<set token="base">8447</set>
</condition>
<condition value="checkbox16">
<set token="unicode">9312</set>
<set token="count">160</set>
<set token="base">9311</set>
</condition>
<condition value="checkbox6">
<set token="unicode">937</set>
<set token="count">57</set>
<set token="base">912</set>
</condition>
<condition value="checkbox22">
<set token="unicode">10269</set>
<set token="count">256</set>
<set token="base">10239</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$graphic$">
<label>Graphics</label>
<default>checkbox18</default>
<choice value="checkbox17">Box Drawing</choice>
<choice value="checkbox18">Block Elements</choice>
<choice value="checkbox19">More Geometric Shapes</choice>
<change>
<condition value="checkbox17">
<set token="unicode">9568</set>
<set token="count">128</set>
<set token="base">9471</set>
</condition>
<condition value="checkbox18">
<set token="unicode">9600</set>
<set token="count">32</set>
<set token="base">9599</set>
</condition>
<condition value="checkbox19">
<set token="unicode">128896</set>
<set token="count">128</set>
<set token="base">128895</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$arrow$">
<label>Arrows</label>
<default>checkbox8</default>
<choice value="checkbox8">Arrows</choice>
<choice value="checkbox9">More Arrows A</choice>
<choice value="checkbox10">More Arrows C</choice>
<choice value="checkbox11">More Arrows A</choice>
<choice value="checkbox23">More Misc Symb and Arrows</choice>
<change>
<condition value="checkbox8">
<set token="unicode">8592</set>
<set token="count">112</set>
<set token="base">8591</set>
</condition>
<condition value="checkbox9">
<set token="unicode">10224</set>
<set token="count">15</set>
<set token="base">10223</set>
</condition>
<condition value="checkbox10">
<set token="unicode">10496</set>
<set token="count">132</set>
<set token="base">10495</set>
</condition>
<condition value="checkbox11">
<set token="unicode">129024</set>
<set token="count">706</set>
<set token="base">129023</set>
</condition>
<condition value="checkbox23">
<set token="unicode">11008</set>
<set token="count">256</set>
<set token="base">11007</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$math$">
<label>Math</label>
<default>checkbox12</default>
<choice value="checkbox12">Math</choice>
<choice value="checkbox13">more Math A</choice>
<choice value="checkbox14">more Math B</choice>
<choice value="checkbox7">Number forms</choice>
<change>
<condition value="checkbox12">
<set token="unicode">8734</set>
<set token="count">256</set>
<set token="base">8703</set>
</condition>
<condition value="checkbox13">
<set token="unicode">10624</set>
<set token="count">128</set>
<set token="base">10623</set>
</condition>
<condition value="checkbox14">
<set token="unicode">10752</set>
<set token="count">256</set>
<set token="base">10751</set>
</condition>
<condition value="checkbox7">
<set token="unicode">8555</set>
<set token="count">64</set>
<set token="base">8527</set>
</condition>
</change>
</input>
</panel>
</row>

<row depends="$hide$">
<panel>
<html>
<style>
#radiosample div[data-test="radio-list"]{
display: inline;
}

#radiosample div[data-test="option"]{
display: inline;
margin-top: 0px;
margin-right: 10px;
margin-bottom: 0px;
margin-left: 0px
}
#radiosample {
width:100%;
}
</style>
<style>
table tbody tr td{
font-size:125% !important;
}
</style>

</html>
</panel>
</row>

<!-- Show this stuff -->

<row>
<panel>
<title>Light Theme for $unicode$</title>
<single>
<search>
<query>|makeresults count=1
|eval emoji=printf("%c", $unicode$)
|table emoji</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">all</option>
<option name="height">358</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Dark Theme for $unicode$</title>
<single>
<search>
<query>|makeresults count=1
|eval emoji=printf("%c", $unicode$)
|table emoji</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="height">358</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x555","0xdc4e41"]</option>
<option name="rangeValues">[10000000]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<html>

<div style="text-align: center;">
<br/>
<font size="+1">Code for your dashboard:</font><p>
<br/>
<br/>
<font size="+3" color="blue">|eval emoji=printf("%c", $unicode$)</font>
</p>
<br/>
<br/>
Copy and paste into your query and rename 'emoji' to your field name.
<p><a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blanl">Full emoji list from unicode.org</a></p>
</div>
</html>
</panel>
</row>
<row depends="$nevershow$">
<panel>
<table>
<search>
<query>
|makeresults count=1
|eval passmeplease=("$pass$")
|rex field=passmeplease "\S\s+(?&lt;unicode&gt;\d+)"

</query>
<done>
<set token="unicode">$result.unicode$</set>
</done>
</search>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>
|makeresults count=$count$
|eval base = tonumber("1F380",16) |eval base = $base$
|streamstats count
|eval unicode_value = base + count
|sort unicode_value
|eval emoji=printf("%c", unicode_value)
|eval chartme=(emoji+" "+unicode_value)
|eval sets = count % 6
|eval fields_{sets} = chartme
|stats values(fields_*) as fields_*
|rename fields_1 as "fields ", fields_2 as "fields ", fields_3 as "fields ", fields_4 as "fields ", fields_5 as "fields ", fields_0 as "fields"
|table "fields ","fields ","fields ","fields ","fields ", "fields"
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<fields>"fields ","fields ","fields ","fields ","fields ", "fields"</fields>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="pass">$click.value2$</set>
</drilldown>
</table>
</panel>
</row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

<label>emoji bonanza</label>

<!---

Welcome to the emoji bonanza. A friend figured out how to get emoji in a dashboard, and I built this to see what was available.

There are many more available; I'll add them as time permits.

Punch list: find more character sets and make it easier to get to the selection options.

If you need a touch of humor, poop is 128169. It always makes me chuckle.

James Callahan www.professionalparanoid.com 1 Nov 2020 (waiting for the election during the pandemic, I needed a disctration).

-->

<!--

this row to debug and see how tokens are being set

<row>

<panel>

<html>unicode: $unicode$ pass: $pass$ count: $count$ base: $base$ setter: $setter$</html>

</panel>

</row>

-->

<choice value="Moat">Select Different Unicode Sets</choice>

</input>

</fieldset>

<html>

<summary>Using Unicode Characters in Splunk Dashboards</summary>

This is a way to review how different Unicode Character will present in a dashboard.<br/>

It also provides the Splunk eval statement necessary to add it to your query.<br/>

</details>

<summary>Selecting different character sets</summary>

Use the <font color="blue"><b>'Show Filters'</b></font> option above then select the check box. Some of the other character sets available will present in a row below. These are grouped according to a list found <a href="https://www.vertex42.com/ExcelTips/unicode-symbols.html" target="blank">here.</a> <br/>

The official repository for unicode is <a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blank">here</a>.<br/>

One thing I noticed is that some icons that would fit in one category appear in others (musical notes for example), So, if you're looking for something specific, you may have to dig a bit.<br/>

</details>

<p>If you see a character you might want to use, click on it in the table and it will present in the sample panels with both light and dark theme background colors.</p>

Eventually, the goal is to figure out how to label these with names, but that will involve a lookup table, and right now this is just a single dashboard and not a full app.<br/>

Here's a sample of how you can use this:<a href="

/app/search/search?q=%7Cmakeresults%20count%3D1%0A%7Ceval%20weather%3D(%22rain%22)%0A%7Ceval%20show%3Dcase(weather%3D%22rain%22%2Cprintf(%22%25c%22%2C%20127782)%2C%20weather%3D%22clouds%22%2C%20printf(%22%25c%22%2C%20127781)%2C%20weather%3D%22snow%22%2Cprintf(%22%25c%22%2C%20128169)%2C1%3D1%2Cprintf(%22%25c%22%2C%20127774))%0A%7Ctable%20show&display.page.search.mode=verbose&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.page.search.tab=visualizations&display.general.type=visualizations&display.visualizations.type=singlevalue&display.visualizations.singlevalueHeight=214" target="_blank"> <b>Sample.</b> </a> When this opens in a new tab, adjust the 'weather' to one of the options (rain/clouds/snow) or to anything else to see the results. This should present as a single value visualization, but you can put these in any panel.

</details>

</html>

</panel></row>

<choice value="emoji">Emoji</choice>

</input>

<choice value="char">Characters</choice>

</input>

<choice value="game">Music/Games</choice>

</input>

<choice value="misc">Miscellaneous</choice>

</input>

<choice value="graphics">Graphics</choice>

</input>

<choice value="arrow">Arrows</choice>

</input>

</input>

</panel>

<panel>

<label>Emoji & Pictrographs</label>

<choice value="checkbox27">Emoticons</choice>

<choice value="checkbox20">Misc Symbols</choice>

<choice value="checkbox21">Dingbats</choice>

<choice value="checkbox28">Pictographs</choice>

<choice value="checkbox29">More Pictrographs</choice>

<default>checkbox28</default>

</condition>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

<default>checkbox17</default>

<choice value="checkbox30">Transport and Map</choice>

<choice value="checkbox31"> Control Pictures</choice>

</condition>

</condition>

</condition>

</change>

</input>

<label>Music & Games</label>

<default>checkbox2</default>

<choice value="checkbox24">Music</choice>

<choice value="checkbox25">Dominos</choice>

<choice value="checkbox26">Cards</choice>

</condition>

</condition>

</condition>

</change>

</input>

<label>Character Set</label>

<default>checkbox2</default>

<choice value="checkbox1">Standard Character Set</choice>

<choice value="checkbox2">General Punctuation</choice>

<choice value="checkbox3">Super and subscripts</choice>

<choice value="checkbox16">Enclosed Characters</choice>

<choice value="checkbox4">Currency</choice>

<choice value="checkbox5">Letterlike</choice>

<choice value="checkbox6">Greek</choice>

<choice value="checkbox22">Braille</choice>

</condition>

</condition>

</condition>

</condition>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

<label>Graphics</label>

<default>checkbox18</default>

<choice value="checkbox17">Box Drawing</choice>

<choice value="checkbox18">Block Elements</choice>

<choice value="checkbox19">More Geometric Shapes</choice>

</condition>

</condition>

</condition>

</change>

</input>

<label>Arrows</label>

<default>checkbox8</default>

<choice value="checkbox8">Arrows</choice>

<choice value="checkbox9">More Arrows A</choice>

<choice value="checkbox10">More Arrows C</choice>

<choice value="checkbox11">More Arrows A</choice>

<choice value="checkbox23">More Misc Symb and Arrows</choice>

</condition>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

<default>checkbox12</default>

<choice value="checkbox7">Number forms</choice>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

</panel>

</row>

<panel>

<html>

<style>

#radiosample div[data-test="radio-list"]{

display: inline;

}

#radiosample div[data-test="option"]{

display: inline;

margin-top: 0px;

margin-right: 10px;

margin-bottom: 0px;

margin-left: 0px

}

#radiosample {

width:100%;

}

</style>

<style>

table tbody tr td{

font-size:125% !important;

}

</style>

</html>

</panel>

</row>

<row>

<panel>

<title>Light Theme for $unicode$</title>

<query>|makeresults count=1

|eval emoji=printf("%c", $unicode$)

|table emoji</query>

</search>

<option name="colorBy">value</option>

<option name="trellis.size">medium</option>

<option name="trendColorInterpretation">standard</option>

<option name="trendDisplayMode">absolute</option>

<option name="unitPosition">after</option>

</single>

</panel>

<panel>

<title>Dark Theme for $unicode$</title>

<query>|makeresults count=1

|eval emoji=printf("%c", $unicode$)

|table emoji</query>

</search>

<option name="colorBy">value</option>

<option name="colorMode">block</option>

<option name="trellis.size">medium</option>

<option name="trendColorInterpretation">standard</option>

<option name="trendDisplayMode">absolute</option>

<option name="unitPosition">after</option>

</single>

</panel>

<panel>

<html>

<br/>

<font size="+1">Code for your dashboard:</font><p>

<br/>

<font size="+3" color="blue">|eval emoji=printf("%c", $unicode$)</font>

</p>

<br/>

Copy and paste into your query and rename 'emoji' to your field name.

<p><a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blanl">Full emoji list from unicode.org</a></p>

</div>

</html>

</panel>

</row>

<panel>

<table>

<query>

|makeresults count=1

|eval passmeplease=("$pass$")

|rex field=passmeplease "\S\s+(?<unicode>\d+)"

</query>

<done>

<set token="unicode">$result.unicode$</set>

</done>

</search>

</table>

</panel>

</row>

<row>

<panel>

<table>

<query>

|makeresults count=$count$

|eval base = tonumber("1F380",16) |eval base = $base$

|streamstats count

|eval unicode_value = base + count

|sort unicode_value

|eval emoji=printf("%c", unicode_value)

|eval chartme=(emoji+" "+unicode_value)

|eval sets = count % 6

|eval fields_{sets} = chartme

|stats values(fields_*) as fields_*

|rename fields_1 as "fields ", fields_2 as "fields ", fields_3 as "fields ", fields_4 as "fields ", fields_5 as "fields ", fields_0 as "fields"

|table "fields ","fields ","fields ","fields ","fields ", "fields"

</query>

</search>

<fields>"fields ","fields ","fields ","fields ","fields ", "fields"</fields>

<option name="percentagesRow">false</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

<set token="pass">$click.value2$</set>

</drilldown>

</table>

</panel>

</row>

</form>

Continue Reading →

Identifying Hosts not sending data for more than 6 hours

| tstats latest(_time) as latest where index!="*_" earliest=-9h by host index sourcetype
| eval recent = if(latest > relative_time(now(),"-360m"),"1","0"), LastReceiptTime = strftime(latest,"%c")
| where recent=0
| sort LastReceiptTime
| eval age=now()-latest
| eval age=round((age/60/60),1)
| eval age=age."hour"
| fields - recent latest

| tstats latest(_time) as latest where index!="*_" earliest=-9h by host index sourcetype

| eval recent = if(latest > relative_time(now(),"-360m"),"1","0"), LastReceiptTime = strftime(latest,"%c")

| where recent=0

| sort LastReceiptTime

| eval age=now()-latest

| eval age=round((age/60/60),1)

| eval age=age."hour"

| fields - recent latest

Continue Reading →

Get unexpected shutdown date with downtime duration

Mainly saving you the headache of handling hidden characters which made field extraction harder than it needed to be.

source="*WinEventLog:System" EventCode=6008 "unexpected"
| rex "shutdown\s+at\s+(?<time>.*)\s+on\s+[^\d]?(?<month>\d+)\/[^\d]?(?<day>\d+)\/[^\d]?(?<year>\d+)\s+was"
| eval shutdownTime = strptime(year."-".month."-".day." ".time,"%Y-%m-%d %M:%H:%S %p")
| eval downTimeDays = round((_time-shutdownTime)/86400,2)
| eval shutdownTime = strftime(shutdownTime,"%c")
| table _time, host, shutdownTime, downTimeDays

source="*WinEventLog:System" EventCode=6008 "unexpected"

| rex "shutdown\s+at\s+(?<time>.*)\s+on\s+[^\d]?(?<month>\d+)\/[^\d]?(?<day>\d+)\/[^\d]?(?<year>\d+)\s+was"

| eval shutdownTime = strptime(year."-".month."-".day." ".time,"%Y-%m-%d %M:%H:%S %p")

| eval downTimeDays = round((_time-shutdownTime)/86400,2)

| eval shutdownTime = strftime(shutdownTime,"%c")

| table _time, host, shutdownTime, downTimeDays

Continue Reading →

Zerologon Detection (CVE-2020-1472)

Primary Search for Local Domain Controller Exploitation by Zerologon

index="<windows_index>" (sourcetype="<windows_sourcetype_security>" OR source="windows_source_security") EventCode="4742" OR EventCode="4624" AND (src_user="*anonymous*" OR member_id="*S-1-0*")
`comment("This looks for all 4624 and 4742 events under an 'ANONYMOUS USER', which are tied to the exploitation of Zerologon")`
| eval local_system=mvindex(upper(split(user,"$")),0)
`comment("This effectively splits the user field, which when parsed with the TA for Windows, may also appear as the Target User. Since the exploit would specifically occur using a local account on the Domain Controller, it stands to reason that detecting a modified user object, modified by a local system account, would be evidence of the exploit. The split removes the '$', creating a new field, deriving the local_system name via the original user field [ie. user='NameOfDC$' would become local_system='NameofDC']")`
| search host=local_system
`comment("A search to only find instances of these events when the host (DC) is the same as the extracted local_system account name performing the action")`
| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain

index="<windows_index>" (sourcetype="<windows_sourcetype_security>" OR source="windows_source_security") EventCode="4742" OR EventCode="4624" AND (src_user="*anonymous*" OR member_id="*S-1-0*")

`comment("This looks for all 4624 and 4742 events under an 'ANONYMOUS USER', which are tied to the exploitation of Zerologon")`

| eval local_system=mvindex(upper(split(user,"$")),0)

`comment("This effectively splits the user field, which when parsed with the TA for Windows, may also appear as the Target User. Since the exploit would specifically occur using a local account on the Domain Controller, it stands to reason that detecting a modified user object, modified by a local system account, would be evidence of the exploit. The split removes the '$', creating a new field, deriving the local_system name via the original user field [ie. user='NameOfDC$' would become local_system='NameofDC']")`

| search host=local_system

`comment("A search to only find instances of these events when the host (DC) is the same as the extracted local_system account name performing the action")`

| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain

You can also modify this search to only look at your Active Directory DCs. If you have common naming schemas, you can use that as well. Please see the report linked to get more info about the CVE itself.

Continue Reading →

Splunk dashboard that displays User searches

_audit
thall
16 0

Built this dashboard to give a high level overview of user search activity. The search powering the dashboard is looking that the _audit index and you will need to ensure that you have proper access to the internal Splunk indexes. The dashboard includes a TimeRange picker, radio button to include or exclude Splunk’s system user, […]

Continue Reading →

Windows Software Matrix

TeamC
1 0

Description: This query will generate a software matrix or viewing the versions and names of all software installed on windows hosts reporting to Splunk. It requires the Stanza [script://.\bin\win_installed_apps.bat] enabled in the Splunk_TA_Windows Add-on. We run this once a day and have a dashboard for viewing the data that’s hard set for the past 24 […]

Continue Reading →

ProofPoint TAP Dashboard

<form>
  <label>TAP Dashboard</label>
  <description>Direct pull from TAP API</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Quarantine Trends</title>
      <chart>
        <search>
          <query>sourcetype=proofpoint_tap quarantineFolder=* AND quarantineFolder!="" | stats dc(messageID) AS distinct_message_ids by quarantineFolder 
| sort -distinct_message_ids</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top 10 recipients</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" | top 10 recipient{} | rename recipient{} as Recipient count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>All Events Timeline</title>
        <search>
          <query>index=email_na index=email_na sourcetype="proofpoint_tap" eventType!=NULL | timechart count by eventType</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>All Event Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType!=NULL | chart count by eventType | rename count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Message Event Timeline</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=message* threatsInfoMap{}.classification!=NULL | timechart count by threatsInfoMap{}.classification</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top TAP Classification</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" | eval classification=if(isnotnull(classification), classification, 'threatsInfoMap{}.classification') | top limit=20 classification | rename classification as Classification count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Blocked Message Threat Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=messagesBlocked threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>All Message Threat Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Message Spam Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=message* | eval spamType=if(malwareScore &gt; 0, "Malware", if(phishScore &gt; 0,"Phishing", if(spamScore &gt; 0, "Spam", if(imposterScore &gt; 0, "imposter", "notSpam")))) | top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Delivered Message Threat Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=messagesDelivered threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Click Event Timeline</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | timechart count as Count by classification | rename classification as Classification</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Click Event Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | chart count as Count by classification | rename classification as Classification</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Clicked SpamType Timeline</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore &gt; 0, "Malware", if(phishScore &gt; 0,"Phishing", if(spamScore &gt; 0, "Spam", if(imposterScore &gt; 0, "imposter", "notSpam"))))| timechart count as Count by spamType | rename "spamType" as "Spam Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Click Spam Types for Today</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore &gt; 0, "Malware", if(phishScore &gt; 0,"Phishing", if(spamScore &gt; 0, "Spam", if(imposterScore &gt; 0, "imposter", "notSpam"))))| top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

<form>

<label>TAP Dashboard</label>

<description>Direct pull from TAP API</description>

<label>Select Time</label>

</default>

</input>

</fieldset>

<row>

<panel>

<title>Quarantine Trends</title>

<chart>

<query>sourcetype=proofpoint_tap quarantineFolder=* AND quarantineFolder!="" | stats dc(messageID) AS distinct_message_ids by quarantineFolder

| sort -distinct_message_ids</query>

<earliest>$earliest$</earliest>

<latest>$latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</chart>

</panel>

<panel>

<chart>

<title>Top 10 recipients</title>

<query>index=email_na sourcetype="proofpoint_tap" | top 10 recipient{} | rename recipient{} as Recipient count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>All Events Timeline</title>

<query>index=email_na index=email_na sourcetype="proofpoint_tap" eventType!=NULL | timechart count by eventType</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart">column</option>

<option name="charting.chart.stackMode">stacked</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

<panel>

<chart>

<title>All Event Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType!=NULL | chart count by eventType | rename count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>Message Event Timeline</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=message* threatsInfoMap{}.classification!=NULL | timechart count by threatsInfoMap{}.classification</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart">column</option>

<option name="charting.chart.stackMode">stacked</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

<panel>

<chart>

<title>Top TAP Classification</title>

<query>index=email_na sourcetype="proofpoint_tap" | eval classification=if(isnotnull(classification), classification, 'threatsInfoMap{}.classification') | top limit=20 classification | rename classification as Classification count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>Blocked Message Threat Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=messagesBlocked threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

<panel>

<chart>

<title>All Message Threat Types</title>

<query>index=email_na sourcetype="proofpoint_tap" threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

<panel>

<chart>

<title>Message Spam Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=message* | eval spamType=if(malwareScore > 0, "Malware", if(phishScore > 0,"Phishing", if(spamScore > 0, "Spam", if(imposterScore > 0, "imposter", "notSpam")))) | top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

<panel>

<chart>

<title>Delivered Message Threat Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=messagesDelivered threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>Click Event Timeline</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | timechart count as Count by classification | rename classification as Classification</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart">column</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

<panel>

<chart>

<title>Click Event Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | chart count as Count by classification | rename classification as Classification</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<table>

<title>Clicked SpamType Timeline</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore > 0, "Malware", if(phishScore > 0,"Phishing", if(spamScore > 0, "Spam", if(imposterScore > 0, "imposter", "notSpam"))))| timechart count as Count by spamType | rename "spamType" as "Spam Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

</table>

</panel>

<panel>

<chart>

<title>Click Spam Types for Today</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore > 0, "Malware", if(phishScore > 0,"Phishing", if(spamScore > 0, "Spam", if(imposterScore > 0, "imposter", "notSpam"))))| top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

</form>

Continue Reading →

REST API: Table all Splunk User Email Addresses

The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I’ve added a semi colon delimiter in order to literally be copy and paste into an application such as Microsoft Outlook. […]

Continue Reading →

Bucket Status Dashboard

Shows status of buckets per indexer host, when they rolled from warm to cold, and cold to frozen. Gives a timechart and table of each, as well as detailed bucket names per index & host.

<form>
  <label>Bucket Status</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="hostpicker" searchWhenChanged="true">
      <label>Which Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" Role=Indexer 
| stats count by host 
|  fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>  OR host=</delimiter>
    </input>
    <input type="multiselect" token="idx_picker" searchWhenChanged="true">
      <label>Which Index</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>idx_name</fieldForLabel>
      <fieldForValue>idx_name</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*"
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| stats count by idx_name 
|  fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>  OR idx_name=</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Warm to Cold Timechart</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| timechart count by  idx_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>Cold to Frozen Timechart</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*will attempt to freeze*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| timechart count by  idx_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Buckets moving from warm to cold</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" host=$hostpicker$ 
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| stats count by  idx_name
| sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Buckets rolling to Frozen</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover candidate!="*_i*" candidate!="*_a*" host=$hostpicker$ "*will attempt to freeze*"
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| stats count by  idx_name
| sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Index, Host and Bucket</title>
      <table>
        <title>cold to frozen uses bkt, warm to cold uses bucket</title>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| fillnull value=NULL
| search idx_name=$idx_picker$ NOT idx_name="_*"
| eval Message=if(like(event_message, "%warm_to_cold%"), "Warm to Cold", "Cold to Frozen")
| stats count by idx_name bucket bkt host Message| fields - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">25</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

<form>

<label>Bucket Status</label>

</default>

</input>

<label>Which Host</label>

<query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" Role=Indexer

| stats count by host

| fields - count</query>

</search>

</input>

<label>Which Index</label>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*"

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| stats count by idx_name

| fields - count</query>

</search>

</input>

</fieldset>

<row>

<panel>

<title>Warm to Cold Timechart</title>

<chart>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| timechart count by idx_name</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">progressbar</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

<panel>

<title>Cold to Frozen Timechart</title>

<chart>

<query>index=_internal sourcetype=splunkd component=BucketMover "*will attempt to freeze*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| timechart count by idx_name</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">progressbar</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

</row>

<row>

<panel>

<title>Buckets moving from warm to cold</title>

<table>

<query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| stats count by idx_name

| sort - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

<panel>

<title>Buckets rolling to Frozen</title>

<table>

<query>index=_internal sourcetype=splunkd component=BucketMover candidate!="*_i*" candidate!="*_a*" host=$hostpicker$ "*will attempt to freeze*"

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| stats count by idx_name

| sort - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

<row>

<panel>

<title>Index, Host and Bucket</title>

<table>

<title>cold to frozen uses bkt, warm to cold uses bucket</title>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| fillnull value=NULL

| search idx_name=$idx_picker$ NOT idx_name="_*"

| eval Message=if(like(event_message, "%warm_to_cold%"), "Warm to Cold", "Cold to Frozen")

| stats count by idx_name bucket bkt host Message| fields - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

</form>

Continue Reading →

Detect Dying Sourcetypes

This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.

| tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype span=1d
| append
[ | tstats count where earliest=-30d latest=now index=proxies_na by _time sourcetype span=1d | where count=0 ]
| timechart span=1d values(count) AS count by sourcetype
| streamstats avg(count) as avgCount by sourcetype

| tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype span=1d

| append

[ | tstats count where earliest=-30d latest=now index=proxies_na by _time sourcetype span=1d | where count=0 ]

| timechart span=1d values(count) AS count by sourcetype

| streamstats avg(count) as avgCount by sourcetype

Continue Reading →

Splunk Query Repository