Newest Queries -

Bucket Status Dashboard

Shows status of buckets per indexer host, when they rolled from warm to cold, and cold to frozen. Gives a timechart and table of each, as well as detailed bucket names per index & host.

<form>
  <label>Bucket Status</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="hostpicker" searchWhenChanged="true">
      <label>Which Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" Role=Indexer 
| stats count by host 
|  fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>  OR host=</delimiter>
    </input>
    <input type="multiselect" token="idx_picker" searchWhenChanged="true">
      <label>Which Index</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>idx_name</fieldForLabel>
      <fieldForValue>idx_name</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*"
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| stats count by idx_name 
|  fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>  OR idx_name=</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Warm to Cold Timechart</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| timechart count by  idx_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>Cold to Frozen Timechart</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*will attempt to freeze*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| timechart count by  idx_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Buckets moving from warm to cold</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" host=$hostpicker$ 
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| stats count by  idx_name
| sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Buckets rolling to Frozen</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover candidate!="*_i*" candidate!="*_a*" host=$hostpicker$ "*will attempt to freeze*"
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| stats count by  idx_name
| sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Index, Host and Bucket</title>
      <table>
        <title>cold to frozen uses bkt, warm to cold uses bucket</title>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| fillnull value=NULL
| search idx_name=$idx_picker$ NOT idx_name="_*"
| eval Message=if(like(event_message, "%warm_to_cold%"), "Warm to Cold", "Cold to Frozen")
| stats count by idx_name bucket bkt host Message| fields - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">25</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

<form>

<label>Bucket Status</label>

</default>

</input>

<label>Which Host</label>

<query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" Role=Indexer

| stats count by host

| fields - count</query>

</search>

</input>

<label>Which Index</label>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*"

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| stats count by idx_name

| fields - count</query>

</search>

</input>

</fieldset>

<row>

<panel>

<title>Warm to Cold Timechart</title>

<chart>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| timechart count by idx_name</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">progressbar</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

<panel>

<title>Cold to Frozen Timechart</title>

<chart>

<query>index=_internal sourcetype=splunkd component=BucketMover "*will attempt to freeze*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| timechart count by idx_name</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">progressbar</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

</row>

<row>

<panel>

<title>Buckets moving from warm to cold</title>

<table>

<query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| stats count by idx_name

| sort - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

<panel>

<title>Buckets rolling to Frozen</title>

<table>

<query>index=_internal sourcetype=splunkd component=BucketMover candidate!="*_i*" candidate!="*_a*" host=$hostpicker$ "*will attempt to freeze*"

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| stats count by idx_name

| sort - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

<row>

<panel>

<title>Index, Host and Bucket</title>

<table>

<title>cold to frozen uses bkt, warm to cold uses bucket</title>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| fillnull value=NULL

| search idx_name=$idx_picker$ NOT idx_name="_*"

| eval Message=if(like(event_message, "%warm_to_cold%"), "Warm to Cold", "Cold to Frozen")

| stats count by idx_name bucket bkt host Message| fields - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

</form>

Continue Reading →

This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.

| tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype span=1d
| append
[ | tstats count where earliest=-30d latest=now index=proxies_na by _time sourcetype span=1d | where count=0 ]
| timechart span=1d values(count) AS count by sourcetype
| streamstats avg(count) as avgCount by sourcetype

| tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype span=1d

| append

[ | tstats count where earliest=-30d latest=now index=proxies_na by _time sourcetype span=1d | where count=0 ]

| timechart span=1d values(count) AS count by sourcetype

| streamstats avg(count) as avgCount by sourcetype

Continue Reading →

Alerts in a Panel with Drilldown

A quick dashboard panel you can plop anywhere and get a view of alerts that have recently fired, including a drilldown based on the SID of the fired alert.

<row>
<panel>
<table>
<title>Alerts Fired</title>
<search>
<query>index=_audit action=alert_fired |rename ss_name AS Alert 
|stats latest(_time) AS "Last Fired" count AS "Times Fired" sparkline AS "Alerts in the Last 72 Hours" 
first(sid) AS sid by Alert 
|convert ctime("Last Fired")</query>
<earliest>-72h</earliest>
<latest>now</latest>
<refresh>90s</refresh>
</search>
<fields>Alert, "Last Fired", "Times Fired", "Alerts in the Last 72 Hours"</fields>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">heatmap</option>
<option name="count">10</option>
<option name="link.inspectSearch.visible">false</option>
<option name="link.openSearch.visible">false</option>
<format field="Alerts in the Last 72 Hours" type="sparkline">
<option name="type">bar</option>
<option name="barColor">green</option>
<option name="colorMap">
<option name="1:3">navy</option>
<option name="3:7">orange</option>
<option name="8:">red</option>
</option>
</format>
<drilldown target="_blank">
<link>search?sid=$row.sid$</link>
</drilldown>
<option name="drilldown">cell</option>
</table>
<html>
<p>
Location specific instructions in html

</p>
</html>
</panel>
</row>

<row>

<panel>

<table>

<title>Alerts Fired</title>

<query>index=_audit action=alert_fired |rename ss_name AS Alert

|stats latest(_time) AS "Last Fired" count AS "Times Fired" sparkline AS "Alerts in the Last 72 Hours"

first(sid) AS sid by Alert

|convert ctime("Last Fired")</query>

</search>

<fields>Alert, "Last Fired", "Times Fired", "Alerts in the Last 72 Hours"</fields>

<option name="rowNumbers">false</option>

<option name="dataOverlayMode">heatmap</option>

<option name="link.inspectSearch.visible">false</option>

<option name="link.openSearch.visible">false</option>

<option name="barColor">green</option>

<option name="3:7">orange</option>

</option>

</format>

</drilldown>

</table>

<html>

<p>

Location specific instructions in html

</p>

</html>

</panel>

</row>

Continue Reading →

Triggered Alert Analytics

Primary Dashboards Contains alert analytics for both triggered alerts and saved searches. Please replace $name$ with the saved search naming convention you utilize (ie. 0001 – AlertName). You will need an outputlookup to generate the bottom two tables; it will be based on the query that generates the second table in the dashboard.

<form theme="dark">
<label>Triggered Alert Analytics</label>
<description>Metrics tracker for triggered alerts.</description>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<title>alert_fired count for Triggered Alerts</title>
<input type="time" token="upperTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<chart>
<title>Dashboard for counting per-alert totals, contingent on alerts having the 'Alert Action: Add to Triggered Alerts'</title>
<search>
<query>index=_audit action=alert_fired ss_app=* ss_name="$name$" 
| timechart span=1d sum(triggered_alerts) by ss_name useother=f limit=0 
| sort -count</query>
<earliest>$upperTime.earliest$</earliest>
<latest>$upperTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">ss_name</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>All Modified Alerts (-7d)</title>
<input type="time" token="lowerTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<table>
<search>
<query>| rest /servicesNS/-/-/saved/searches 
| search title="$name$" 
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" 
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") 
| table title lastUpdated, nextRunTime, emailTo action.lookup.filename, query, severity
| fillnull value="" 
| sort -lastUpdated</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">true</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Daily Alert Modification Report</title>
<search ref="Daily Alert Modification Report"></search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<table>
<title>From 'all_modified_alerts.csv'</title>
<search>
<query>| from lookup:all_modified_alerts.csv</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="count">1</option>
<option name="drilldown">cell</option>
<option name="totalsRow">true</option>
</table>
</panel>
</row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

<label>Triggered Alert Analytics</label>

<description>Metrics tracker for triggered alerts.</description>

<row>

<panel>

<title>alert_fired count for Triggered Alerts</title>

</default>

</input>

<chart>

<title>Dashboard for counting per-alert totals, contingent on alerts having the 'Alert Action: Add to Triggered Alerts'</title>

<query>index=_audit action=alert_fired ss_app=* ss_name="$name$"

| timechart span=1d sum(triggered_alerts) by ss_name useother=f limit=0

| sort -count</query>

<earliest>$upperTime.earliest$</earliest>

<latest>$upperTime.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">preview</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

</row>

<row>

<panel>

<title>All Modified Alerts (-7d)</title>

</default>

</input>

<table>

<query>| rest /servicesNS/-/-/saved/searches

| search title="$name$"

| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"

| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1")

| table title lastUpdated, nextRunTime, emailTo action.lookup.filename, query, severity

| fillnull value=""

| sort -lastUpdated</query>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">preview</option>

<option name="rowNumbers">false</option>

<option name="wrap">false</option>

</table>

</panel>

</row>

<row>

<panel>

<table>

<title>Daily Alert Modification Report</title>

</table>

</panel>

<panel>

<table>

<title>From 'all_modified_alerts.csv'</title>

<query>| from lookup:all_modified_alerts.csv</query>

</search>

</table>

</panel>

</row>

</form>

Report […]

Continue Reading →

F5 SL ASM iRule Parser for Hosted Deployments

sourcetype=f5:silverline:asm irule=* vs_ip=*
| rex "(?<log>.*)"
| eval log_stripped = replace(log, "\\\\","")
| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="
| spath input=data_section

sourcetype=f5:silverline:asm irule=* vs_ip=*

| rex "(?<log>.*)"

| eval log_stripped = replace(log, "\\\\","")

| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="

| spath input=data_section

Continue Reading →

Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Continue Reading →

F5 BigIP Brute Force and Session Abuse

F5
riparino
1 0

Multiple Users with Authentications from Singular, non-Whitelisted IP Basically I needed a way to determine if a series of users are connecting from a singular IP. This is particular useful during COVID-19 WFH constraints. The search is intended to look at the VPN index for a new session initiation, excluding all RFC1918 traffic as a […]

Continue Reading →

CrowdStrike Audit Event Correlation

Summary CrowdStrike creates logs in JSON format and sends 2 different datasets to the same sourcetype; security events from their detection tools and audit events from their management tool. These audit tools contain analyst data about when they mark events as true positive, and withing CrowdStrike these are joined with the security event itself. To […]

Continue Reading →

Listing incident review and the closing comments

index=_audit sourcetype="incident_review"
| table rule_name comment status
| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status
| eval Status=if(Status=5,"Closed",if(Status=2,"In Progress","Not assigned"))
| dedup "Closing Comment"

index=_audit sourcetype="incident_review"

| table rule_name comment status

| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status

| eval Status=if(Status=5,"Closed",if(Status=2,"In Progress","Not assigned"))

| dedup "Closing Comment"

Continue Reading →

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases

index=<your cisco index> "<your IP>"
|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)" 
|rex field=_raw "(?<IP><IP regex>)" 
|iplocation IP
|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)
|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

index=<your cisco index> "<your IP>"

|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"

|rex field=_raw "(?<IP><IP regex>)"

|iplocation IP

|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type

|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)

|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

Continue Reading →

Investigate an IP through Palo Alto Logs

index=
<strong><your palo alto index> <IP you want to investigate></strong>
|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

index=

|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"

|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

Continue Reading →

List Deployment Client

index=_internal sourcetype=splunkd "deployment_client" 
|stats latest(_time) as LatestReportTime values(server_name) as Server_Name by host |convert ctime(LatestReportTime) |rename host as Host
|fields + Host Server_Name LatestReportTime

index=_internal sourcetype=splunkd "deployment_client"

|stats latest(_time) as LatestReportTime values(server_name) as Server_Name by host |convert ctime(LatestReportTime) |rename host as Host

|fields + Host Server_Name LatestReportTime

Continue Reading →

List Reports and Wrap the text

|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields" 
|search alert_type="always"
|fillnull value=0 triggered_alert_count
|sort "triggered_alert_count" desc
|rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search

|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields"

|search alert_type="always"

|fillnull value=0 triggered_alert_count

|sort "triggered_alert_count" desc

|rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search

Continue Reading →

Timestamps from the future.

Tensore
2 0

Shows all hosts that are sending events with timestamps greater than 5 mins (300 seconds) from the current time.

| metadata type=hosts 
| where lastTime>now()+300
| eval mins_in_future=(lastTime-now())/60
| eval years_in_future=mins_in_future/60/24/365
| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z")
| table lastTime, host, mins_in_future, years_in_future
| sort - mins_in_future

| metadata type=hosts

| where lastTime>now()+300

| eval mins_in_future=(lastTime-now())/60

| eval years_in_future=mins_in_future/60/24/365

| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z")

| table lastTime, host, mins_in_future, years_in_future

| sort - mins_in_future

Continue Reading →

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"

| iplocation src

| search Country=*

| table Country, src, action, bytes_out, packets_out

| dedup src

| sort Country

Continue Reading →

List Notable events with closing history details

Opeyemi Olatunji
1 0

`notable`
| stats latest(lastTime) as LastTimeSeen values(rule_name) as "Rule Name" values(comment) as "Historical Analysis" values(user) as User by _time event_id, urgency
| eval LastTimeSeen=strftime(LastTimeSeen,"%+")

`notable`

| stats latest(lastTime) as LastTimeSeen values(rule_name) as "Rule Name" values(comment) as "Historical Analysis" values(user) as User by _time event_id, urgency

| eval LastTimeSeen=strftime(LastTimeSeen,"%+")

Continue Reading →

Datamodel Search Performance

See how well your DM searches are running. Run this search using the Line Chart visualization:

index=_internal sourcetype=scheduler component=SavedSplunker ACCELERATE NOT skipped run_time=* 
| rex field=savedsearch_id "ACCELERATE_(?:[A-F0-9\-]{36}_)?(?<acceleration>.*?)_ACCELERATE"
| timechart span=5m max(run_time) AS run_time by acceleration

index=_internal sourcetype=scheduler component=SavedSplunker ACCELERATE NOT skipped run_time=*

| rex field=savedsearch_id "ACCELERATE_(?:[A-F0-9\-]{36}_)?(?<acceleration>.*?)_ACCELERATE"

| timechart span=5m max(run_time) AS run_time by acceleration

Continue Reading →

Listing Data models

|datamodel

|rex field=_raw "\"description\":\"(?<Description>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+)\"\,"

|rex field=_raw "\"modelName\":\"(?<DataSetName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\,"

|rex field=_raw "\"parentName\":\"(?<ParentName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\,"

|rex field=_raw "\"autoextractSearch\":(?<SearchDetails>.*\")\,\"previewSearch.*"

|table Description DataSetName SearchDetails

|eval SearchDetails=replace(SearchDetails,",\"previewSearch.*","")

|fillnull Description value="Description not available"

|datamodel

|rex field=_raw "\"modelName\":\"(?<DataSetName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\,"

|rex field=_raw "\"parentName\":\"(?<ParentName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\,"

|rex field=_raw "\"autoextractSearch\":(?<SearchDetails>.*\")\,\"previewSearch.*"

|table Description DataSetName SearchDetails

|eval SearchDetails=replace(SearchDetails,",\"previewSearch.*","")

|fillnull Description value="Description not available"

Continue Reading →

exploremydata – data explorer

This dashboard provides and overview of the data that is available to query. Click on the index below to review source types in that index, and then a sourcetype to review fields. Finally, you can click on a field to see sample values in that field. Click “Show Filters” above to open a search window […]

Continue Reading →

Significant Data Ingress/Egress

Generally, one expects a client-server conversation to be greater on the download side rather than more data uploaded. This search can detect greater upload than download over a time period, like a client sending significantly more data than it receives from a server (e.g. data ex-filtration). For the best search results, query on a sourcetype […]

Continue Reading →

Splunk Query Repository

Bucket Status Dashboard

Detect Dying Sourcetypes

Alerts in a Panel with Drilldown

Triggered Alert Analytics

F5 SL ASM iRule Parser for Hosted Deployments

Groundspeed Violation/Improbable Access

F5 BigIP Brute Force and Session Abuse

CrowdStrike Audit Event Correlation

Listing incident review and the closing comments

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Investigate an IP through Palo Alto Logs

List Deployment Client

List Reports and Wrap the text

Timestamps from the future.

Search All Traffic by src / action – Creates Table

List Notable events with closing history details

Datamodel Search Performance

Listing Data models

exploremydata – data explorer

Significant Data Ingress/Egress