Newest Queries -

List the size of lookup files with an SPL search.

| rest splunk_server=local /services/data/lookup-table-files/
| rename eai:acl.app as app 
| table app title 
| search NOT title IN (*.kmz) 
| map maxsearches=990 search="| inputlookup $title$ 
| eval size=0
| foreach * [ eval size=size+coalesce(len('<<FIELD>>'),0), app=\"$app$\", title=$title$ | fields app title size]" 
| stats sum(size) by app title
| sort - sum(size)

| rest splunk_server=local /services/data/lookup-table-files/

| rename eai:acl.app as app

| table app title

| search NOT title IN (*.kmz)

| map maxsearches=990 search="| inputlookup $title$

| eval size=0

| foreach * [ eval size=size+coalesce(len('<<FIELD>>'),0), app=\"$app$\", title=$title$ | fields app title size]"

| stats sum(size) by app title

| sort - sum(size)

Continue Reading →

Detect Credit Card Numbers using Luhn Algorithm

Description Detect if any log file in Splunk contains Credit Card numbers.

index=* ((source IN("*.log","*.bak","*.txt", "*.csv","/tmp*","/temp*","c:\tmp*")) OR (tag=web dest_content=*))
| eval comment="Match against the simple CC regex to narrow down the events in the lookup" 
| rex max_match=1 "[\"\s\'\,]{0,1}(?<CCMatch>[\d.\-\s]{11,24})[\"\s\'\,]{0,1}"
| where isnotnull(CCMatch) 
| eval comment="Apply the LUHN algorithm to see if the CC number extracted is valid" 
| eval cc=tonumber(replace(CCMatch,"[ -\.]",""))
| eval comment="Lower min to 11 to find additional CCs which may pick up POSIX timestamps as well."
| where len(cc)>=14 AND len(cc)<=16
| eval cc=printf("%024d", cc)
| eval ccd=split(cc,"") 
| foreach 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 [
| eval ccd_reverse=mvappend(ccd_reverse,mvindex(ccd,<<FIELD>>))
]
| rename ccd_reverse AS ccd
| eval cce=mvappend(mvindex(ccd,0),mvindex(ccd,2),mvindex(ccd,4),mvindex(ccd,6),mvindex(ccd,8),mvindex(ccd,10),mvindex(ccd,12),mvindex(ccd,14),mvindex(ccd,16),mvindex(ccd,18),mvindex(ccd,20),mvindex(ccd,22),mvindex(ccd,24)) 
| eval cco=mvappend(mvindex(ccd,1),mvindex(ccd,3),mvindex(ccd,5),mvindex(ccd,7),mvindex(ccd,9),mvindex(ccd,11),mvindex(ccd,13),mvindex(ccd,15),mvindex(ccd,17),mvindex(ccd,19),mvindex(ccd,21),mvindex(ccd,23)) 
| eval cco2=mvmap(cco,cco*2) 
| eval cco2HT10=mvfilter(cco2>9) 
| eval cco2LT10=mvfilter(cco2<=9) 
| eval cco2LH10dt=mvmap(cco2HT10,cco2HT10-9) 
| fillnull value=0 cco2LT10 cco2LH10dt 
| eventstats sum(cce) as t1 sum(cco2LT10) as t2 sum(cco2LH10dt) as t3 BY cc 
| eval totalChecker=t1+t2+t3 
| eval CCIsValid=if((totalChecker%10)=0,"true","false")
| fields - cc ccd cce cco cco2 cco2HT10 cco2LT10 cco2LH10dt t1 t2 t3 totalChecker raw time
| where CCIsValid="true"
| eval comment="Find the field where we found the CC number" 
| foreach _raw * 
[
| eval CCStringField=if("<<FIELD>>"!="CCMatch" AND like('<<FIELD>>',"%".CCMatch."%"),"<<FIELD>>",CCStringField)
 ] 
| table _time CCMatch CCStringField source sourcetype host src dest http_user_agent

index=* ((source IN("*.log","*.bak","*.txt", "*.csv","/tmp*","/temp*","c:\tmp*")) OR (tag=web dest_content=*))

| eval comment="Match against the simple CC regex to narrow down the events in the lookup"

| rex max_match=1 "[\"\s\'\,]{0,1}(?<CCMatch>[\d.\-\s]{11,24})[\"\s\'\,]{0,1}"

| where isnotnull(CCMatch)

| eval comment="Apply the LUHN algorithm to see if the CC number extracted is valid"

| eval cc=tonumber(replace(CCMatch,"[ -\.]",""))

| eval comment="Lower min to 11 to find additional CCs which may pick up POSIX timestamps as well."

| where len(cc)>=14 AND len(cc)<=16

| eval cc=printf("%024d", cc)

| eval ccd=split(cc,"")

| foreach 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 [

| eval ccd_reverse=mvappend(ccd_reverse,mvindex(ccd,<<FIELD>>))

]

| rename ccd_reverse AS ccd

| eval cce=mvappend(mvindex(ccd,0),mvindex(ccd,2),mvindex(ccd,4),mvindex(ccd,6),mvindex(ccd,8),mvindex(ccd,10),mvindex(ccd,12),mvindex(ccd,14),mvindex(ccd,16),mvindex(ccd,18),mvindex(ccd,20),mvindex(ccd,22),mvindex(ccd,24))

| eval cco=mvappend(mvindex(ccd,1),mvindex(ccd,3),mvindex(ccd,5),mvindex(ccd,7),mvindex(ccd,9),mvindex(ccd,11),mvindex(ccd,13),mvindex(ccd,15),mvindex(ccd,17),mvindex(ccd,19),mvindex(ccd,21),mvindex(ccd,23))

| eval cco2=mvmap(cco,cco*2)

| eval cco2HT10=mvfilter(cco2>9)

| eval cco2LT10=mvfilter(cco2<=9)

| eval cco2LH10dt=mvmap(cco2HT10,cco2HT10-9)

| fillnull value=0 cco2LT10 cco2LH10dt

| eventstats sum(cce) as t1 sum(cco2LT10) as t2 sum(cco2LH10dt) as t3 BY cc

| eval totalChecker=t1+t2+t3

| eval CCIsValid=if((totalChecker%10)=0,"true","false")

| fields - cc ccd cce cco cco2 cco2HT10 cco2LT10 cco2LH10dt t1 t2 t3 totalChecker raw time

| where CCIsValid="true"

| eval comment="Find the field where we found the CC number"

| foreach _raw *

[

| eval CCStringField=if("<<FIELD>>"!="CCMatch" AND like('<<FIELD>>',"%".CCMatch."%"),"<<FIELD>>",CCStringField)

]

| table _time CCMatch CCStringField source sourcetype host src dest http_user_agent

Continue Reading →

Indexes size and EPS

Description: SPL request to display by index : Index name Index size Events sum, min, avg, max, perc95 Events sum, min, avg, max, perc95 to work hours (8am-6pm) Required: Splunk license Query:

index=_internal source=*license_usage.log idx=z*
|  fields b idx _time| eval GB=b/1024/1024/1024, index=idx | stats sum(GB) as "Volume GB" by index
|  append extendtimerange=t
    [| tstats count where index=z* by _time index span=1s
|  stats min(count) AS "min EPS", avg(count) AS "avg EPS", max(count) AS "max EPS", sum(count) AS "sum evts", perc95(count) AS "perc95 EPS" by index]
| append extendtimerange=t
    [| tstats count where index=z*  by _time index span=1s | eval date_hour=strftime(_time, "%H")
    |  search date_hour>7 AND date_hour<19
|   stats min(count) AS "min EPS WH", avg(count) AS "avg EPS WH", max(count) AS "max EPS WH", perc95(count) AS "perc95 EPS WH" by index]
| stats first(*) as * by index
|  eval "avg EPS" = round ( 'avg EPS', 2), "perc95 EPS" = round ('perc95 EPS',2),  "Volume GB" = round ('Volume GB',2) , "avg EPS WH" = round ( 'avg EPS WH', 2), "perc95 EPS WH" = round ('perc95 EPS WH',2), "sizeGB by evt"=('Volume GB'/'sum evts'), "sizeB by evt"=(('Volume GB'/'sum evts')*1024*1024*1024)
|  table index, "Volume GB","sum evts","sizeGB by evt","sizeB by evt", "min EPS", "min EPS WH", "avg EPS","avg EPS WH", "perc95 EPS","perc95 EPS WH", "max EPS", "max EPS WH"

index=_internal source=*license_usage.log idx=z*

| fields b idx _time| eval GB=b/1024/1024/1024, index=idx | stats sum(GB) as "Volume GB" by index

| append extendtimerange=t

[| tstats count where index=z* by _time index span=1s

| stats min(count) AS "min EPS", avg(count) AS "avg EPS", max(count) AS "max EPS", sum(count) AS "sum evts", perc95(count) AS "perc95 EPS" by index]

| append extendtimerange=t

[| tstats count where index=z* by _time index span=1s | eval date_hour=strftime(_time, "%H")

| search date_hour>7 AND date_hour<19

| stats min(count) AS "min EPS WH", avg(count) AS "avg EPS WH", max(count) AS "max EPS WH", perc95(count) AS "perc95 EPS WH" by index]

| stats first(*) as * by index

| eval "avg EPS" = round ( 'avg EPS', 2), "perc95 EPS" = round ('perc95 EPS',2), "Volume GB" = round ('Volume GB',2) , "avg EPS WH" = round ( 'avg EPS WH', 2), "perc95 EPS WH" = round ('perc95 EPS WH',2), "sizeGB by evt"=('Volume GB'/'sum evts'), "sizeB by evt"=(('Volume GB'/'sum evts')*1024*1024*1024)

| table index, "Volume GB","sum evts","sizeGB by evt","sizeB by evt", "min EPS", "min EPS WH", "avg EPS","avg EPS WH", "perc95 EPS","perc95 EPS WH", "max EPS", "max EPS WH"

Continue Reading →

Software inventory

I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it.

<form>
  <label>Software Inventory</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="software_picker" searchWhenChanged="true">
      <label>Software</label>
      <choice value="&quot;falcon-sensor&quot; &quot;Crowdstrike Windows Sensor&quot;">Crowdstrike</choice>
      <choice value="&quot;*qualys*&quot;">Qualys</choice>
      <choice value="&quot;*SecureConnector*&quot;">Forescout</choice>
      <prefix>tinv_software_name IN (</prefix>
      <suffix>)</suffix>
      <default>"falcon-sensor" "Crowdstrike Windows Sensor"</default>
    </input>
    <input type="dropdown" token="environment_picker" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="On-Prem">On-Prem</choice>
      <choice value="AWS">AWS</choice>
      <choice value="env2">env2</choice>
      <choice value="env3">env3</choice>
      <choice value="env4">env4</choice>
      <prefix>Environment IN (</prefix>
      <suffix>)</suffix>
      <default>On-Prem</default>
    </input>
    <input type="dropdown" token="os_picker" searchWhenChanged="true">
      <label>Operating System</label>
      <choice value="windows">Windows</choice>
      <choice value="unix">Linux</choice>
      <default>windows</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| tstats count where index IN ($os_picker$) host!=*.txt by host 
| eval host=lower(host) 
| eval Environment=case(host LIKE "%desktop%" OR host LIKE "%z1-%" OR host LIKE "ec2%" OR host LIKE "%z2-%" OR host LIKE "%z-%" OR host LIKE "%z3-%" OR host LIKE "i-%", "AWS", host LIKE "cc%", "Communicorp",host LIKE "%win%" OR host LIKE "%awn%", "Argus", host LIKE "%empoweredbenefits.com", "Empowered Benefits",1=1,"On-Prem")
| search $environment_picker$
| join host type=outer 
    [| search index=$os_picker$ tag=software tag=inventory $software_picker$ 
    | eval host=lower(host) 
    | fields host  tinv_software_name tinv_software_version
        ] 
| fillnull value="-" tinv_software_name
| rename tinv_software_name AS "Software Name" tinv_software_version AS "Version"
| fields host  "Software Name" "Version" Environment
| sort -tinv_software_name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

<form>

<label>Software Inventory</label>

<label>Software</label>

<choice value=""falcon-sensor" "Crowdstrike Windows Sensor"">Crowdstrike</choice>

<choice value=""*qualys*"">Qualys</choice>

<choice value=""*SecureConnector*"">Forescout</choice>

<prefix>tinv_software_name IN (</prefix>

<default>"falcon-sensor" "Crowdstrike Windows Sensor"</default>

</input>

<label>Environment</label>

<prefix>Environment IN (</prefix>

</input>

<label>Operating System</label>

<choice value="windows">Windows</choice>

<choice value="unix">Linux</choice>

<default>windows</default>

</input>

</fieldset>

<row>

<panel>

<table>

<query>| tstats count where index IN ($os_picker$) host!=*.txt by host

| eval host=lower(host)

| eval Environment=case(host LIKE "%desktop%" OR host LIKE "%z1-%" OR host LIKE "ec2%" OR host LIKE "%z2-%" OR host LIKE "%z-%" OR host LIKE "%z3-%" OR host LIKE "i-%", "AWS", host LIKE "cc%", "Communicorp",host LIKE "%win%" OR host LIKE "%awn%", "Argus", host LIKE "%empoweredbenefits.com", "Empowered Benefits",1=1,"On-Prem")

| search $environment_picker$

| join host type=outer

[| search index=$os_picker$ tag=software tag=inventory $software_picker$

| eval host=lower(host)

| fields host tinv_software_name tinv_software_version

]

| fillnull value="-" tinv_software_name

| rename tinv_software_name AS "Software Name" tinv_software_version AS "Version"

| fields host "Software Name" "Version" Environment

| sort -tinv_software_name</query>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

</form>

Hope this helps. Let me know if you have any suggestions.

Continue Reading →

DNS search for encoded data

Description: Use this Splunk search to find Base64 encoded content in DNS queries. The goal is to examine the DNS query field of the dns events to find subdomain streams that contain only Base64 valid characters. Utilizing DNS queries with encoded information is a known method to exfiltrate data. But you do not know if […]

Continue Reading →

Show cron frequency and scheduling of all scheduled searches

This search shows you all scheduled searches and their respective cron frequency and cron schedule. This also helps finding frequently running saved searches.

| rest splunk_server=local "/servicesNS/-/-/saved/searches/" search="is_scheduled=1" search="disabled=0" 
| fields title, cron_schedule, eai:acl.app
| rename title as savedsearch_name 
| eval pieces=split(cron_schedule, " ") 
| eval c_min=mvindex(pieces, 0), c_h=mvindex(pieces, 1), c_d=mvindex(pieces, 2), c_mday=mvindex(pieces, 3), c_wday=mvindex(pieces, 4) 
| eval c_min_div=if(match(c_min, "/"), replace(c_min, "^.*/(\d+)$", "\1"), null()) 
| eval c_mins=if(match(c_min, ","), split(c_min, ","), null()) 
| eval c_min_div=if(isnotnull(c_mins), abs(tonumber(mvindex(c_mins, 1)) - tonumber(mvindex(c_mins, 0))), c_min_div) 
| eval c_hs=if(match(c_h, ","), split(c_h, ","), null()) 
| eval c_h_div=case(match(c_h, "/"), replace(c_h, "^.*/(\d+)$", "\1"), isnotnull(c_hs), abs(tonumber(mvindex(c_hs, 1)) - tonumber(mvindex(c_hs, 0))), 1=1, null()) 
| eval c_wdays=if(match(c_wday, ","), split(c_wday, ","), null()) 
| eval c_wday_div=case(match(c_wday, "/"), replace(c_wday, "^.*/(\d+)$", "\1"), isnotnull(c_wdays), abs(tonumber(mvindex(c_wdays, 1)) - tonumber(mvindex(c_wdays, 0))), 1=1, null()) 
| eval i_m=case(c_d < 29, 86400 * 28, c_d = 31, 86400 * 31, 1=1, null()) 
| eval i_h=case(isnotnull(c_h_div), c_h_div * 3600, c_h = "*", null(), match(c_h, "^\d+$"), 86400) 
| eval i_min=case(isnotnull(c_min_div), c_min_div * 60, c_min = "*", 60, match(c_min, "^\d+$"), 3600) 
| eval i_wk=case(isnotnull(c_wday_div), c_wday_div * 86400, c_wday = "*", null(), match(c_wday, "^\d+$"), 604800) 
| eval cron_minimum_freq=case(isnotnull(i_m), i_m, isnotnull(i_wk) AND isnotnull(c_min_div), i_min, isnotnull(i_wk) AND isnull(c_min_div), i_wk, isnotnull(i_h), i_h, 1=1, min(i_min)) 
| fields - c_d c_h c_hs c_h_div c_mday c_min c_min_div c_mins c_wday c_wdays c_wday_div pieces i_m i_min i_h i_wk 
| fields savedsearch_name cron_minimum_freq cron_schedule eai:acl.app

| rest splunk_server=local "/servicesNS/-/-/saved/searches/" search="is_scheduled=1" search="disabled=0"

| fields title, cron_schedule, eai:acl.app

| rename title as savedsearch_name

| eval pieces=split(cron_schedule, " ")

| eval c_min=mvindex(pieces, 0), c_h=mvindex(pieces, 1), c_d=mvindex(pieces, 2), c_mday=mvindex(pieces, 3), c_wday=mvindex(pieces, 4)

| eval c_min_div=if(match(c_min, "/"), replace(c_min, "^.*/(\d+)$", "\1"), null())

| eval c_mins=if(match(c_min, ","), split(c_min, ","), null())

| eval c_min_div=if(isnotnull(c_mins), abs(tonumber(mvindex(c_mins, 1)) - tonumber(mvindex(c_mins, 0))), c_min_div)

| eval c_hs=if(match(c_h, ","), split(c_h, ","), null())

| eval c_h_div=case(match(c_h, "/"), replace(c_h, "^.*/(\d+)$", "\1"), isnotnull(c_hs), abs(tonumber(mvindex(c_hs, 1)) - tonumber(mvindex(c_hs, 0))), 1=1, null())

| eval c_wdays=if(match(c_wday, ","), split(c_wday, ","), null())

| eval c_wday_div=case(match(c_wday, "/"), replace(c_wday, "^.*/(\d+)$", "\1"), isnotnull(c_wdays), abs(tonumber(mvindex(c_wdays, 1)) - tonumber(mvindex(c_wdays, 0))), 1=1, null())

| eval i_m=case(c_d < 29, 86400 * 28, c_d = 31, 86400 * 31, 1=1, null())

| eval i_h=case(isnotnull(c_h_div), c_h_div * 3600, c_h = "*", null(), match(c_h, "^\d+$"), 86400)

| eval i_min=case(isnotnull(c_min_div), c_min_div * 60, c_min = "*", 60, match(c_min, "^\d+$"), 3600)

| eval i_wk=case(isnotnull(c_wday_div), c_wday_div * 86400, c_wday = "*", null(), match(c_wday, "^\d+$"), 604800)

| eval cron_minimum_freq=case(isnotnull(i_m), i_m, isnotnull(i_wk) AND isnotnull(c_min_div), i_min, isnotnull(i_wk) AND isnull(c_min_div), i_wk, isnotnull(i_h), i_h, 1=1, min(i_min))

| fields - c_d c_h c_hs c_h_div c_mday c_min c_min_div c_mins c_wday c_wdays c_wday_div pieces i_m i_min i_h i_wk

| fields savedsearch_name cron_minimum_freq cron_schedule eai:acl.app

Continue Reading →

Data model Acceleration Details

This Splunk Search shows you a lot of good information about your data model acceleration and performance.

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 <br />| eval key=replace(title,(("tstats:DM_" . 'eai:acl.app') . "_"),""), datamodel=replace('summary.id',(("DM_" . 'eai:acl.app') . "_"),"") <br />| join type=left key <br />    [| rest /services/data/models splunk_server=local count=0 <br />    | table title, "acceleration.cron_schedule", "eai:digest" <br />    | rename title as key <br />    | rename "acceleration.cron_schedule" as cron] <br />| table datamodel, "eai:acl.app", "summary.access_time", "summary.is_inprogress", "summary.size", "summary.latest_time", "summary.complete", "summary.buckets_size", "summary.buckets", cron, "summary.last_error", "summary.time_range", "summary.id", "summary.mod_time", "eai:digest", "summary.earliest_time", "summary.last_sid", "summary.access_count" <br />| rename "summary.id" as summary_id, "summary.time_range" as retention, "summary.earliest_time" as earliest, "summary.latest_time" as latest, "eai:digest" as digest <br />| rename "summary.*" as "*", "eai:acl.*" as "*" <br />| sort datamodel <br />| rename access_count as "Datamodel_Acceleration.access_count", access_time as "Datamodel_Acceleration.access_time", app as "Datamodel_Acceleration.app", buckets as "Datamodel_Acceleration.buckets", buckets_size as "Datamodel_Acceleration.buckets_size", cron as "Datamodel_Acceleration.cron", complete as "Datamodel_Acceleration.complete", datamodel as "Datamodel_Acceleration.datamodel", digest as "Datamodel_Acceleration.digest", earliest as "Datamodel_Acceleration.earliest", is_inprogress as "Datamodel_Acceleration.is_inprogress", last_error as "Datamodel_Acceleration.last_error", last_sid as "Datamodel_Acceleration.last_sid", latest as "Datamodel_Acceleration.latest", mod_time as "Datamodel_Acceleration.mod_time", retention as "Datamodel_Acceleration.retention", size as "Datamodel_Acceleration.size", summary_id as "Datamodel_Acceleration.summary_id" <br />| fields + "Datamodel_Acceleration.access_count", "Datamodel_Acceleration.access_time", "Datamodel_Acceleration.app", "Datamodel_Acceleration.buckets", "Datamodel_Acceleration.buckets_size", "Datamodel_Acceleration.cron", "Datamodel_Acceleration.complete", "Datamodel_Acceleration.datamodel", "Datamodel_Acceleration.digest", "Datamodel_Acceleration.earliest", "Datamodel_Acceleration.is_inprogress", "Datamodel_Acceleration.last_error", "Datamodel_Acceleration.last_sid", "Datamodel_Acceleration.latest", "Datamodel_Acceleration.mod_time", "Datamodel_Acceleration.retention", "Datamodel_Acceleration.size", "Datamodel_Acceleration.summary_id" <br />| rename "Datamodel_Acceleration.*" as "*" <br />| join type=outer last_sid <br />    [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* <br />    | rename sid as last_sid <br />    | fields + last_sid, runDuration] <br />| eval "size(MB)"=round((size / 1048576),1), "retention(days)"=if((retention == 0),"unlimited",round((retention / 86400),1)), "complete(%)"=round((complete * 100),1), "runDuration(s)"=round(runDuration,1) <br />| sort 100 + datamodel <br />| table datamodel, app, cron, "retention(days)", earliest, latest, is_inprogress, "complete(%)", "size(MB)", "runDuration(s)", last_error

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 <br />| eval key=replace(title,(("tstats:DM_" . 'eai:acl.app') . "_"),""), datamodel=replace('summary.id',(("DM_" . 'eai:acl.app') . "_"),"") <br />| join type=left key <br /> [| rest /services/data/models splunk_server=local count=0 <br /> | table title, "acceleration.cron_schedule", "eai:digest" <br /> | rename title as key <br /> | rename "acceleration.cron_schedule" as cron] <br />| table datamodel, "eai:acl.app", "summary.access_time", "summary.is_inprogress", "summary.size", "summary.latest_time", "summary.complete", "summary.buckets_size", "summary.buckets", cron, "summary.last_error", "summary.time_range", "summary.id", "summary.mod_time", "eai:digest", "summary.earliest_time", "summary.last_sid", "summary.access_count" <br />| rename "summary.id" as summary_id, "summary.time_range" as retention, "summary.earliest_time" as earliest, "summary.latest_time" as latest, "eai:digest" as digest <br />| rename "summary.*" as "*", "eai:acl.*" as "*" <br />| sort datamodel <br />| rename access_count as "Datamodel_Acceleration.access_count", access_time as "Datamodel_Acceleration.access_time", app as "Datamodel_Acceleration.app", buckets as "Datamodel_Acceleration.buckets", buckets_size as "Datamodel_Acceleration.buckets_size", cron as "Datamodel_Acceleration.cron", complete as "Datamodel_Acceleration.complete", datamodel as "Datamodel_Acceleration.datamodel", digest as "Datamodel_Acceleration.digest", earliest as "Datamodel_Acceleration.earliest", is_inprogress as "Datamodel_Acceleration.is_inprogress", last_error as "Datamodel_Acceleration.last_error", last_sid as "Datamodel_Acceleration.last_sid", latest as "Datamodel_Acceleration.latest", mod_time as "Datamodel_Acceleration.mod_time", retention as "Datamodel_Acceleration.retention", size as "Datamodel_Acceleration.size", summary_id as "Datamodel_Acceleration.summary_id" <br />| fields + "Datamodel_Acceleration.access_count", "Datamodel_Acceleration.access_time", "Datamodel_Acceleration.app", "Datamodel_Acceleration.buckets", "Datamodel_Acceleration.buckets_size", "Datamodel_Acceleration.cron", "Datamodel_Acceleration.complete", "Datamodel_Acceleration.datamodel", "Datamodel_Acceleration.digest", "Datamodel_Acceleration.earliest", "Datamodel_Acceleration.is_inprogress", "Datamodel_Acceleration.last_error", "Datamodel_Acceleration.last_sid", "Datamodel_Acceleration.latest", "Datamodel_Acceleration.mod_time", "Datamodel_Acceleration.retention", "Datamodel_Acceleration.size", "Datamodel_Acceleration.summary_id" <br />| rename "Datamodel_Acceleration.*" as "*" <br />| join type=outer last_sid <br /> [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* <br /> | rename sid as last_sid <br /> | fields + last_sid, runDuration] <br />| eval "size(MB)"=round((size / 1048576),1), "retention(days)"=if((retention == 0),"unlimited",round((retention / 86400),1)), "complete(%)"=round((complete * 100),1), "runDuration(s)"=round(runDuration,1) <br />| sort 100 + datamodel <br />| table datamodel, app, cron, "retention(days)", earliest, latest, is_inprogress, "complete(%)", "size(MB)", "runDuration(s)", last_error

Continue Reading →

Splunk CIM Assist

Got tired of having to go through each data source to determine what indexes should go into the Splunk_SA_CIM search macros, this does the leg work.

index=*
| fields index, tag, user, action, object_category
| eval datamodel = if(tag="alert", index."."."alert", datamodel)
| eval datamodel = if(tag="listening" AND tag="port", index."."."application_state_deprecated"."."."endpoint", datamodel)
| eval datamodel = if(tag="process" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)
| eval datamodel = if(tag="service" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)
| eval datamodel = if(tag="authentication" AND action!="success" AND user!="*$", index."."."authentication", datamodel)
| eval datamodel = if(tag="certificate", index."."."certificates", datamodel)
| eval datamodel = if(tag="change" AND NOT (object_category=file OR object_category=directory OR object_category=registry), index."."."change"."."."change_analysis_deprecated", datamodel)
| eval datamodel = if(tag="dlp" AND tag="incident", index."."."data_loss_prevention", datamodel)
| eval datamodel = if(tag="database", index."."."database", datamodel)
| eval datamodel = if(tag="email", index."."."email", datamodel)
| eval datamodel = if(tag="endpoint" AND tag="filesystem", index."."."endpoint", datamodel)
| eval datamodel = if(tag="endpoint" AND tag="registry", index."."."endpoint", datamodel)
| eval datamodel = if(tag="track_event_signatures" AND (signature="*" OR signature_id="*"), index."."."event_signatures", datamodel)
| eval datamodel = if(tag="messaging", index."."."interprocess_messaging", datamodel)
| eval datamodel = if(tag="ids" AND tag="attack", index."."."intrusion_detection", datamodel)
| eval datamodel = if(tag="inventory" AND (tag="cpu" OR tag="memory" OR tag="network" OR tag="storage" OR (tag="system" AND tag="version") OR tag="user" OR tag="virtual"), index."."."inventory", datamodel)
| eval datamodel = if(tag="jvm", index."."."jvm", datamodel)
| eval datamodel = if(tag="malware" AND tag="attack", index."."."malware", datamodel)
| eval datamodel = if(tag="network" AND tag="resolution" AND tag="dns", index."."."network_resolution_dns", datamodel)
| eval datamodel = if(tag="network" AND tag="session", index."."."network_sessions", datamodel)
| eval datamodel = if(tag="network" AND tag="communicate", index."."."network_traffic", datamodel)
| eval datamodel = if(tag="performance" AND (tag="cpu" OR tag="facilities" OR tag="memory" OR tag="storage" OR tag="network" OR (tag="os" AND ((tag="time" AND tag="synchronize") OR tag="uptime"))), index."."."performance", datamodel)
| eval datamodel = if(tag="ticketing", index."."."ticket_managment", datamodel)
| eval datamodel = if(tag="update" AND tag="status", index."."."updates", datamodel)
| eval datamodel = if(tag="vulnerability" AND tag="report", index."."."vulnerabilities", datamodel)
| eval datamodel = if(tag="web", index."."."web", datamodel)
| rex field=datamodel "(?<index>[^\\.]+)\.(?<datamodel>.*)"
| makemv delim="." datamodel
| stats values(index) as index by datamodel

index=*

| fields index, tag, user, action, object_category

| eval datamodel = if(tag="alert", index."."."alert", datamodel)

| eval datamodel = if(tag="listening" AND tag="port", index."."."application_state_deprecated"."."."endpoint", datamodel)

| eval datamodel = if(tag="process" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)

| eval datamodel = if(tag="service" AND tag="report", index."."."application_state_deprecated"."."."endpoint", datamodel)

| eval datamodel = if(tag="authentication" AND action!="success" AND user!="*$", index."."."authentication", datamodel)

| eval datamodel = if(tag="certificate", index."."."certificates", datamodel)

| eval datamodel = if(tag="change" AND NOT (object_category=file OR object_category=directory OR object_category=registry), index."."."change"."."."change_analysis_deprecated", datamodel)

| eval datamodel = if(tag="dlp" AND tag="incident", index."."."data_loss_prevention", datamodel)

| eval datamodel = if(tag="database", index."."."database", datamodel)

| eval datamodel = if(tag="email", index."."."email", datamodel)

| eval datamodel = if(tag="endpoint" AND tag="filesystem", index."."."endpoint", datamodel)

| eval datamodel = if(tag="endpoint" AND tag="registry", index."."."endpoint", datamodel)

| eval datamodel = if(tag="track_event_signatures" AND (signature="*" OR signature_id="*"), index."."."event_signatures", datamodel)

| eval datamodel = if(tag="messaging", index."."."interprocess_messaging", datamodel)

| eval datamodel = if(tag="ids" AND tag="attack", index."."."intrusion_detection", datamodel)

| eval datamodel = if(tag="inventory" AND (tag="cpu" OR tag="memory" OR tag="network" OR tag="storage" OR (tag="system" AND tag="version") OR tag="user" OR tag="virtual"), index."."."inventory", datamodel)

| eval datamodel = if(tag="jvm", index."."."jvm", datamodel)

| eval datamodel = if(tag="malware" AND tag="attack", index."."."malware", datamodel)

| eval datamodel = if(tag="network" AND tag="resolution" AND tag="dns", index."."."network_resolution_dns", datamodel)

| eval datamodel = if(tag="network" AND tag="session", index."."."network_sessions", datamodel)

| eval datamodel = if(tag="network" AND tag="communicate", index."."."network_traffic", datamodel)

| eval datamodel = if(tag="performance" AND (tag="cpu" OR tag="facilities" OR tag="memory" OR tag="storage" OR tag="network" OR (tag="os" AND ((tag="time" AND tag="synchronize") OR tag="uptime"))), index."."."performance", datamodel)

| eval datamodel = if(tag="ticketing", index."."."ticket_managment", datamodel)

| eval datamodel = if(tag="update" AND tag="status", index."."."updates", datamodel)

| eval datamodel = if(tag="vulnerability" AND tag="report", index."."."vulnerabilities", datamodel)

| eval datamodel = if(tag="web", index."."."web", datamodel)

| rex field=datamodel "(?<index>[^\\.]+)\.(?<datamodel>.*)"

| makemv delim="." datamodel

| stats values(index) as index by datamodel

Continue Reading →

Search for disabled AD accounts that have been re-enabled

This is a search you can use as an alert or whatever you desire to look for AD accounts that have been disabled in the past 90 days then re-enabled in the past 24h. You can tweak as needed.

index=YOURINDEX EventCode IN (4725,4722) earliest=-90d 
| eval account=mvindex(Account_Name,1) ```separate out the account from the logs and create a field for it```
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent, latest(Account_Name) as lastAccounts, earliest(Account_Name) as firstAccounts by account ```get the stats values of these fields and rename them for further manipulation```
| eval last_action_user=mvindex(lastAccounts,0), first_action_user=mvindex(firstAccounts, 0) ```separate out the accounts that did the disabling & re-enabling and create fields for them```
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| eval enabled_DT=mvindex(times,-1), disabled_DT=mvindex(times, -1-1) ```create fields to show when the affected account was disabled then re-enabled```
| where enabled_DT > relative_time(now(), "-1h@h") ```this determines what range to look for the re-enabling```
| table first_action_user, account, last_action_user, disabled_DT, enabled_DT
| rename first_action_user as "Disable Actioning Account", account as "Enabled Account", last_action_user as "Enable Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled"
| convert ctime("DateTime Disabled"), ctime("DateTime Enabled") ```need to convert the time from Unix Epoch to standard time```

index=YOURINDEX EventCode IN (4725,4722) earliest=-90d

| eval account=mvindex(Account_Name,1) ```separate out the account from the logs and create a field for it```

| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent, latest(Account_Name) as lastAccounts, earliest(Account_Name) as firstAccounts by account ```get the stats values of these fields and rename them for further manipulation```

| eval last_action_user=mvindex(lastAccounts,0), first_action_user=mvindex(firstAccounts, 0) ```separate out the accounts that did the disabling & re-enabling and create fields for them```

| replace "4722" with "enabled" in firstEvent, lastEvent

| replace "4725" with "disabled" in firstEvent, lastEvent

| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"

| eval enabled_DT=mvindex(times,-1), disabled_DT=mvindex(times, -1-1) ```create fields to show when the affected account was disabled then re-enabled```

| where enabled_DT > relative_time(now(), "-1h@h") ```this determines what range to look for the re-enabling```

| table first_action_user, account, last_action_user, disabled_DT, enabled_DT

| rename first_action_user as "Disable Actioning Account", account as "Enabled Account", last_action_user as "Enable Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled"

| convert ctime("DateTime Disabled"), ctime("DateTime Enabled") ```need to convert the time from Unix Epoch to standard time```

Continue Reading →

Query for when PowerShell execution policy is set to Bypass

index="windows" sourcetype=WinRegistry key_path="HKLM\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy"
| table _time, host, registry_type, registry_value_data, registry_value_name
| rename host as Host, registry_type as Action, registry_value_data as "Registry Value", registry_value_name as "Registry Value Name"

index="windows" sourcetype=WinRegistry key_path="HKLM\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy"

| table _time, host, registry_type, registry_value_data, registry_value_name

| rename host as Host, registry_type as Action, registry_value_data as "Registry Value", registry_value_name as "Registry Value Name"

Continue Reading →

Reports Owned by Admin Users and Writable by Others

| rest /servicesNS/-/-/saved/searches splunk_server=local
| where [|rest /services/authentication/users splunk_server=local | search roles="admin" |fields title | rename title as author] OR author="nobody" 
| rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles
| table author write_roles splunk_server app savedsearch_name splunk_server
| mvexpand write_roles
| where NOT write_roles IN("","admin")
| mvcombine write_roles
| eval search_name_for_link=savedsearch_name
| rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g"
| eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link
| fields - search_name_for_link splunk_server

| rest /servicesNS/-/-/saved/searches splunk_server=local

| rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles

| table author write_roles splunk_server app savedsearch_name splunk_server

| mvexpand write_roles

| where NOT write_roles IN("","admin")

| mvcombine write_roles

| eval search_name_for_link=savedsearch_name

| rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g"

| eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link

| fields - search_name_for_link splunk_server

I got a little fancy there with

search_name_for_link

1	search_name_for_link

. The link is for clicking from the inline table of the alert email. You can easily skip that.

Continue Reading →

Remove mulitple values from a multivalue field

This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter.

| gentimes start=-1 | eval field1="pink,fluffy,unicorns" | table field1 | makemv field1 delim="," | eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy"))

1	\| gentimes start=-1 \| eval field1="pink,fluffy,unicorns" \| table field1 \| makemv field1 delim="," \| eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy"))

Continue Reading →

List all your existing indexes or check if index exists

With this spl you can check what indexes exist or if you want to search for a specific index. List all indexes:

|rest /services/data/indexes | fields title | rename title AS index

1	\|rest /services/data/indexes \| fields title \| rename title AS index

Or check if a specific index exist use:

 |rest /services/data/indexes | fields title | rename title AS index | search index=yourindex

1	\|rest /services/data/indexes \| fields title \| rename title AS index \| search index=yourindex

Continue Reading →

Deployed application status

Created this dashboard to see when or if an application was deployed successfully. Close to splunkninja’s query, this will also show if the host in question also restarted to apply the new app.

<form>
  <label>Deployed Applications</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="loglevelpicker" searchWhenChanged="true">
      <label>Log Level</label>
      <choice value="INFO">INFO</choice>
      <choice value="WARN*">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <default>INFO,WARN*,ERROR</default>
      <valuePrefix>log_level=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="hostpicker">
      <label>Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <valuePrefix>host=</valuePrefix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=DeployedApplication
| stats count by host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="multiselect" token="apppicker" searchWhenChanged="true">
      <label>Application</label>
      <choice value="*">All</choice>
      <valuePrefix>*</valuePrefix>
      <valueSuffix>*</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>applicationx</fieldForLabel>
      <fieldForValue>applicationx</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=DeployedApplication
| rex field=file "var(\/|\\\\)run(\/|\\\\)\w+(\/|\\\\)(?&lt;app2&gt;\w+)-" 
| rex field=message "(etc|run)(\/|\\\\)(apps|\w+)(\/|\\\\)(?&lt;app3&gt;\w+)-\d+\.bundle" 
| rex field=message "etc(\/|\\\\)apps(\/|\\\\)(?&lt;app5&gt;[^\/|\\\\|']+)" 
| eval applicationx=coalesce(app,app2,app3,app5,application) 
| stats count by applicationx 
| fields - count</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=DeployedApplication $loglevelpicker$ $hostpicker$ $apppicker$
| table _time host app log_level event_message 
| sort - _time</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Last restart time</title>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO $hostpicker$ component=loader event_message="Splunkd starting*"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">0</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

100

101

102

<form>

<label>Deployed Applications</label>

<label>Log Level</label>

<choice value="WARN*">WARNING</choice>

<choice value="ERROR">ERROR</choice>

<default>INFO,WARN*,ERROR</default>

<valuePrefix>log_level=</valuePrefix>

</input>

</default>

</input>

<query>index=_internal sourcetype=splunkd component=DeployedApplication

| stats count by host</query>

</search>

</input>

<label>Application</label>

<fieldForLabel>applicationx</fieldForLabel>

<fieldForValue>applicationx</fieldForValue>

<query>index=_internal sourcetype=splunkd component=DeployedApplication

| rex field=file "var(\/|\\\\)run(\/|\\\\)\w+(\/|\\\\)(?<app2>\w+)-"

| rex field=message "etc(\/|\\\\)apps(\/|\\\\)(?<app5>[^\/|\\\\|']+)"

| eval applicationx=coalesce(app,app2,app3,app5,application)

| stats count by applicationx

| fields - count</query>

</search>

</input>

</fieldset>

<row>

<panel>

<table>

<query>index=_internal sourcetype=splunkd component=DeployedApplication $loglevelpicker$ $hostpicker$ $apppicker$

| table _time host app log_level event_message

| sort - _time</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

<row>

<panel>

<title>Last restart time</title>

<event>

<query>index=_internal sourcetype=splunkd log_level=INFO $hostpicker$ component=loader event_message="Splunkd starting*"</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</event>

</panel>

</row>

</form>

Continue Reading →

Splunk Apps added to an instance

| rest /services/deployment/server/clients splunk_server=local | table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname

1	\| rest /services/deployment/server/clients splunk_server=local \| table hostname applications*.stateOnClient \| untable hostname applications value \| eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") \| stats values(applications) as applications by hostname

Continue Reading →

emoji bonanza

Have you ever wanted to truly express your emotions related to your search results but wasn’t sure how? Why not use an emoji? But how, you ask? Well, problem solved. Welcome to the emoji bonanza!

<form theme="light" hideFilters="true">
<label>emoji bonanza</label>
<!---
Welcome to the emoji bonanza. A friend figured out how to get emoji in a dashboard, and I built this to see what was available.
There are many more available; I'll add them as time permits.

Punch list: find more character sets and make it easier to get to the selection options.

If you need a touch of humor, poop is 128169. It always makes me chuckle.

James Callahan www.professionalparanoid.com 1 Nov 2020 (waiting for the election during the pandemic, I needed a disctration).

-->
<!--
this row to debug and see how tokens are being set
<row>
<panel>
<html>unicode: $unicode$ pass: $pass$ count: $count$ base: $base$ setter: $setter$</html>
</panel>
</row>
-->
<fieldset submitButton="false">
<input type="checkbox" token="MoaT" searchWhenChanged="true">
<label> </label>
<choice value="Moat">Select Different Unicode Sets</choice>
</input>
</fieldset>

<row><panel>
<html>
<details>
<summary>Using Unicode Characters in Splunk Dashboards</summary>
<details>
<summary>What is this?</summary>
This is a way to review how different Unicode Character will present in a dashboard.<br/>
It also provides the Splunk eval statement necessary to add it to your query.<br/>
</details>
<details>
<summary>Selecting different character sets</summary>
Use the <font color="blue"><b>'Show Filters'</b></font> option above then select the check box. Some of the other character sets available will present in a row below. These are grouped according to a list found <a href="https://www.vertex42.com/ExcelTips/unicode-symbols.html" target="blank">here.</a> <br/>
The official repository for unicode is <a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blank">here</a>.<br/>
One thing I noticed is that some icons that would fit in one category appear in others (musical notes for example), So, if you're looking for something specific, you may have to dig a bit.<br/>
</details>
<details>
<summary>How to use this</summary>
<p>If you see a character you might want to use, click on it in the table and it will present in the sample panels with both light and dark theme background colors.</p>
Eventually, the goal is to figure out how to label these with names, but that will involve a lookup table, and right now this is just a single dashboard and not a full app.<br/>
Here's a sample of how you can use this:<a href="
/app/search/search?q=%7Cmakeresults%20count%3D1%0A%7Ceval%20weather%3D(%22rain%22)%0A%7Ceval%20show%3Dcase(weather%3D%22rain%22%2Cprintf(%22%25c%22%2C%20127782)%2C%20weather%3D%22clouds%22%2C%20printf(%22%25c%22%2C%20127781)%2C%20weather%3D%22snow%22%2Cprintf(%22%25c%22%2C%20128169)%2C1%3D1%2Cprintf(%22%25c%22%2C%20127774))%0A%7Ctable%20show&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;workload_pool=&amp;earliest=-24h%40h&amp;latest=now&amp;display.page.search.tab=visualizations&amp;display.general.type=visualizations&amp;display.visualizations.type=singlevalue&amp;display.visualizations.singlevalueHeight=214" target="_blank"> <b>Sample.</b> </a> When this opens in a new tab, adjust the 'weather' to one of the options (rain/clouds/snow) or to anything else to see the results. This should present as a single value visualization, but you can put these in any panel.
</details>
</details>
</html>
</panel></row>

<row depends="$MoaT$"><panel>

<input type="checkbox" token="emoji" searchWhenChanged="true">
<label></label>
<choice value="emoji">Emoji</choice>
</input>
<input type="checkbox" token="char" searchWhenChanged="true">
<label> </label>
<choice value="char">Characters</choice>
</input>
<input type="checkbox" token="game" searchWhenChanged="true">
<label> </label>
<choice value="game">Music/Games</choice>
</input>
<input type="checkbox" token="misc" searchWhenChanged="true">
<label> </label>
<choice value="misc">Miscellaneous</choice>
</input>
<input type="checkbox" token="graphic" searchWhenChanged="true">
<label> </label>
<choice value="graphics">Graphics</choice>
</input>
<input type="checkbox" token="arrow" searchWhenChanged="true">
<label> </label>
<choice value="arrow">Arrows</choice>
</input>
<input type="checkbox" token="math" searchWhenChanged="true">
<label> </label>
<choice value="math">Math</choice>
</input>
</panel>
<panel>

<!-- unique boxes -->
<input type="radio" token="checkbox" depends="$emoji$">
<label>Emoji &amp; Pictrographs</label>
<choice value="checkbox27">Emoticons</choice>
<choice value="checkbox20">Misc Symbols</choice>
<choice value="checkbox21">Dingbats</choice>
<choice value="checkbox28">Pictographs</choice>
<choice value="checkbox29">More Pictrographs</choice>

<default>checkbox28</default>
<change>
<condition value="checkbox20">
<set token="unicode">9728</set>
<set token="count">256</set>
<set token="base">9727</set>
</condition>
<condition value="checkbox21">
<set token="unicode">9984</set>
<set token="count">192</set>
<set token="base">9983</set>
</condition>
<condition value="checkbox27">
<set token="unicode">128521</set>
<set token="count">71</set>
<set token="base">128520</set>
</condition>
<condition value="checkbox28">
<set token="unicode">127790</set>
<set token="count">768</set>
<set token="base">127743</set>
</condition>
<condition value="checkbox29">
<set token="unicode">129305</set>
<set token="count">252</set>
<set token="base">129279</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$misc$">
<label>Misc</label>
<default>checkbox17</default>
<choice value="checkbox15">Misc-Tech</choice>
<choice value="checkbox30">Transport and Map</choice>
<choice value="checkbox31"> Control Pictures</choice>
<change>
<condition value="checkbox15">
<set token="unicode">9009</set>
<set token="count">256</set>
<set token="base">8959</set>
</condition>
<condition value="checkbox30">
<set token="unicode">128640</set>
<set token="count">128</set>
<set token="base">128639</set>
</condition>
<condition value="checkbox31">
<set token="unicode">9249</set>
<set token="count">96</set>
<set token="base">9216</set>
</condition>

</change>
</input>
<input type="radio" token="checkbox" depends="$game$">
<label>Music &amp; Games</label>
<default>checkbox2</default>
<choice value="checkbox24">Music</choice>
<choice value="checkbox25">Dominos</choice>
<choice value="checkbox26">Cards</choice>
<change>
<condition value="checkbox24">
<set token="unicode">119070</set>
<set token="count">256</set>
<set token="base">119039</set>
</condition>
<condition value="checkbox25">
<set token="unicode">127098</set>
<set token="count">112</set>
<set token="base">127023</set>
</condition>
<condition value="checkbox26">
<set token="unicode">127137</set>
<set token="count">96</set>
<set token="base">127135</set>
</condition>
</change>
</input>
<input id="radiochar" type="radio" token="checkbox" depends="$char$">
<label>Character Set</label>
<default>checkbox2</default>
<choice value="checkbox1">Standard Character Set</choice>
<choice value="checkbox2">General Punctuation</choice>
<choice value="checkbox3">Super and subscripts</choice>
<choice value="checkbox16">Enclosed Characters</choice>
<choice value="checkbox4">Currency</choice>
<choice value="checkbox5">Letterlike</choice>
<choice value="checkbox6">Greek</choice>
<choice value="checkbox22">Braille</choice>
<change>
<condition value="checkbox1">
<set token="unicode">74</set>
<set token="count">256</set>
<set token="base">-1</set>
</condition>
<condition value="checkbox2">
<set token="unicode">8253</set>
<set token="count">95</set>
<set token="base">8191</set>
</condition>
<condition value="checkbox3">
<set token="unicode">8304</set>
<set token="count">48</set>
<set token="base">8303</set>
</condition>
<condition value="checkbox4">
<set token="unicode">8364</set>
<set token="count">48</set>
<set token="base">8351</set>
</condition>
<condition value="checkbox5">
<set token="unicode">8478</set>
<set token="count">80</set>
<set token="base">8447</set>
</condition>
<condition value="checkbox16">
<set token="unicode">9312</set>
<set token="count">160</set>
<set token="base">9311</set>
</condition>
<condition value="checkbox6">
<set token="unicode">937</set>
<set token="count">57</set>
<set token="base">912</set>
</condition>
<condition value="checkbox22">
<set token="unicode">10269</set>
<set token="count">256</set>
<set token="base">10239</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$graphic$">
<label>Graphics</label>
<default>checkbox18</default>
<choice value="checkbox17">Box Drawing</choice>
<choice value="checkbox18">Block Elements</choice>
<choice value="checkbox19">More Geometric Shapes</choice>
<change>
<condition value="checkbox17">
<set token="unicode">9568</set>
<set token="count">128</set>
<set token="base">9471</set>
</condition>
<condition value="checkbox18">
<set token="unicode">9600</set>
<set token="count">32</set>
<set token="base">9599</set>
</condition>
<condition value="checkbox19">
<set token="unicode">128896</set>
<set token="count">128</set>
<set token="base">128895</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$arrow$">
<label>Arrows</label>
<default>checkbox8</default>
<choice value="checkbox8">Arrows</choice>
<choice value="checkbox9">More Arrows A</choice>
<choice value="checkbox10">More Arrows C</choice>
<choice value="checkbox11">More Arrows A</choice>
<choice value="checkbox23">More Misc Symb and Arrows</choice>
<change>
<condition value="checkbox8">
<set token="unicode">8592</set>
<set token="count">112</set>
<set token="base">8591</set>
</condition>
<condition value="checkbox9">
<set token="unicode">10224</set>
<set token="count">15</set>
<set token="base">10223</set>
</condition>
<condition value="checkbox10">
<set token="unicode">10496</set>
<set token="count">132</set>
<set token="base">10495</set>
</condition>
<condition value="checkbox11">
<set token="unicode">129024</set>
<set token="count">706</set>
<set token="base">129023</set>
</condition>
<condition value="checkbox23">
<set token="unicode">11008</set>
<set token="count">256</set>
<set token="base">11007</set>
</condition>
</change>
</input>
<input type="radio" token="checkbox" depends="$math$">
<label>Math</label>
<default>checkbox12</default>
<choice value="checkbox12">Math</choice>
<choice value="checkbox13">more Math A</choice>
<choice value="checkbox14">more Math B</choice>
<choice value="checkbox7">Number forms</choice>
<change>
<condition value="checkbox12">
<set token="unicode">8734</set>
<set token="count">256</set>
<set token="base">8703</set>
</condition>
<condition value="checkbox13">
<set token="unicode">10624</set>
<set token="count">128</set>
<set token="base">10623</set>
</condition>
<condition value="checkbox14">
<set token="unicode">10752</set>
<set token="count">256</set>
<set token="base">10751</set>
</condition>
<condition value="checkbox7">
<set token="unicode">8555</set>
<set token="count">64</set>
<set token="base">8527</set>
</condition>
</change>
</input>
</panel>
</row>

<row depends="$hide$">
<panel>
<html>
<style>
#radiosample div[data-test="radio-list"]{
display: inline;
}

#radiosample div[data-test="option"]{
display: inline;
margin-top: 0px;
margin-right: 10px;
margin-bottom: 0px;
margin-left: 0px
}
#radiosample {
width:100%;
}
</style>
<style>
table tbody tr td{
font-size:125% !important;
}
</style>

</html>
</panel>
</row>

<!-- Show this stuff -->

<row>
<panel>
<title>Light Theme for $unicode$</title>
<single>
<search>
<query>|makeresults count=1
|eval emoji=printf("%c", $unicode$)
|table emoji</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">all</option>
<option name="height">358</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Dark Theme for $unicode$</title>
<single>
<search>
<query>|makeresults count=1
|eval emoji=printf("%c", $unicode$)
|table emoji</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="height">358</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x555","0xdc4e41"]</option>
<option name="rangeValues">[10000000]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<html>

<div style="text-align: center;">
<br/>
<font size="+1">Code for your dashboard:</font><p>
<br/>
<br/>
<font size="+3" color="blue">|eval emoji=printf("%c", $unicode$)</font>
</p>
<br/>
<br/>
Copy and paste into your query and rename 'emoji' to your field name.
<p><a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blanl">Full emoji list from unicode.org</a></p>
</div>
</html>
</panel>
</row>
<row depends="$nevershow$">
<panel>
<table>
<search>
<query>
|makeresults count=1
|eval passmeplease=("$pass$")
|rex field=passmeplease "\S\s+(?&lt;unicode&gt;\d+)"

</query>
<done>
<set token="unicode">$result.unicode$</set>
</done>
</search>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>
|makeresults count=$count$
|eval base = tonumber("1F380",16) |eval base = $base$
|streamstats count
|eval unicode_value = base + count
|sort unicode_value
|eval emoji=printf("%c", unicode_value)
|eval chartme=(emoji+" "+unicode_value)
|eval sets = count % 6
|eval fields_{sets} = chartme
|stats values(fields_*) as fields_*
|rename fields_1 as "fields ", fields_2 as "fields ", fields_3 as "fields ", fields_4 as "fields ", fields_5 as "fields ", fields_0 as "fields"
|table "fields ","fields ","fields ","fields ","fields ", "fields"
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<fields>"fields ","fields ","fields ","fields ","fields ", "fields"</fields>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="pass">$click.value2$</set>
</drilldown>
</table>
</panel>
</row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

<label>emoji bonanza</label>

<!---

Welcome to the emoji bonanza. A friend figured out how to get emoji in a dashboard, and I built this to see what was available.

There are many more available; I'll add them as time permits.

Punch list: find more character sets and make it easier to get to the selection options.

If you need a touch of humor, poop is 128169. It always makes me chuckle.

James Callahan www.professionalparanoid.com 1 Nov 2020 (waiting for the election during the pandemic, I needed a disctration).

-->

<!--

this row to debug and see how tokens are being set

<row>

<panel>

<html>unicode: $unicode$ pass: $pass$ count: $count$ base: $base$ setter: $setter$</html>

</panel>

</row>

-->

<choice value="Moat">Select Different Unicode Sets</choice>

</input>

</fieldset>

<html>

<summary>Using Unicode Characters in Splunk Dashboards</summary>

This is a way to review how different Unicode Character will present in a dashboard.<br/>

It also provides the Splunk eval statement necessary to add it to your query.<br/>

</details>

<summary>Selecting different character sets</summary>

Use the <font color="blue"><b>'Show Filters'</b></font> option above then select the check box. Some of the other character sets available will present in a row below. These are grouped according to a list found <a href="https://www.vertex42.com/ExcelTips/unicode-symbols.html" target="blank">here.</a> <br/>

The official repository for unicode is <a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blank">here</a>.<br/>

One thing I noticed is that some icons that would fit in one category appear in others (musical notes for example), So, if you're looking for something specific, you may have to dig a bit.<br/>

</details>

<p>If you see a character you might want to use, click on it in the table and it will present in the sample panels with both light and dark theme background colors.</p>

Eventually, the goal is to figure out how to label these with names, but that will involve a lookup table, and right now this is just a single dashboard and not a full app.<br/>

Here's a sample of how you can use this:<a href="

/app/search/search?q=%7Cmakeresults%20count%3D1%0A%7Ceval%20weather%3D(%22rain%22)%0A%7Ceval%20show%3Dcase(weather%3D%22rain%22%2Cprintf(%22%25c%22%2C%20127782)%2C%20weather%3D%22clouds%22%2C%20printf(%22%25c%22%2C%20127781)%2C%20weather%3D%22snow%22%2Cprintf(%22%25c%22%2C%20128169)%2C1%3D1%2Cprintf(%22%25c%22%2C%20127774))%0A%7Ctable%20show&display.page.search.mode=verbose&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.page.search.tab=visualizations&display.general.type=visualizations&display.visualizations.type=singlevalue&display.visualizations.singlevalueHeight=214" target="_blank"> <b>Sample.</b> </a> When this opens in a new tab, adjust the 'weather' to one of the options (rain/clouds/snow) or to anything else to see the results. This should present as a single value visualization, but you can put these in any panel.

</details>

</html>

</panel></row>

<choice value="emoji">Emoji</choice>

</input>

<choice value="char">Characters</choice>

</input>

<choice value="game">Music/Games</choice>

</input>

<choice value="misc">Miscellaneous</choice>

</input>

<choice value="graphics">Graphics</choice>

</input>

<choice value="arrow">Arrows</choice>

</input>

</input>

</panel>

<panel>

<label>Emoji & Pictrographs</label>

<choice value="checkbox27">Emoticons</choice>

<choice value="checkbox20">Misc Symbols</choice>

<choice value="checkbox21">Dingbats</choice>

<choice value="checkbox28">Pictographs</choice>

<choice value="checkbox29">More Pictrographs</choice>

<default>checkbox28</default>

</condition>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

<default>checkbox17</default>

<choice value="checkbox30">Transport and Map</choice>

<choice value="checkbox31"> Control Pictures</choice>

</condition>

</condition>

</condition>

</change>

</input>

<label>Music & Games</label>

<default>checkbox2</default>

<choice value="checkbox24">Music</choice>

<choice value="checkbox25">Dominos</choice>

<choice value="checkbox26">Cards</choice>

</condition>

</condition>

</condition>

</change>

</input>

<label>Character Set</label>

<default>checkbox2</default>

<choice value="checkbox1">Standard Character Set</choice>

<choice value="checkbox2">General Punctuation</choice>

<choice value="checkbox3">Super and subscripts</choice>

<choice value="checkbox16">Enclosed Characters</choice>

<choice value="checkbox4">Currency</choice>

<choice value="checkbox5">Letterlike</choice>

<choice value="checkbox6">Greek</choice>

<choice value="checkbox22">Braille</choice>

</condition>

</condition>

</condition>

</condition>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

<label>Graphics</label>

<default>checkbox18</default>

<choice value="checkbox17">Box Drawing</choice>

<choice value="checkbox18">Block Elements</choice>

<choice value="checkbox19">More Geometric Shapes</choice>

</condition>

</condition>

</condition>

</change>

</input>

<label>Arrows</label>

<default>checkbox8</default>

<choice value="checkbox8">Arrows</choice>

<choice value="checkbox9">More Arrows A</choice>

<choice value="checkbox10">More Arrows C</choice>

<choice value="checkbox11">More Arrows A</choice>

<choice value="checkbox23">More Misc Symb and Arrows</choice>

</condition>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

<default>checkbox12</default>

<choice value="checkbox7">Number forms</choice>

</condition>

</condition>

</condition>

</condition>

</change>

</input>

</panel>

</row>

<panel>

<html>

<style>

#radiosample div[data-test="radio-list"]{

display: inline;

}

#radiosample div[data-test="option"]{

display: inline;

margin-top: 0px;

margin-right: 10px;

margin-bottom: 0px;

margin-left: 0px

}

#radiosample {

width:100%;

}

</style>

<style>

table tbody tr td{

font-size:125% !important;

}

</style>

</html>

</panel>

</row>

<row>

<panel>

<title>Light Theme for $unicode$</title>

<query>|makeresults count=1

|eval emoji=printf("%c", $unicode$)

|table emoji</query>

</search>

<option name="colorBy">value</option>

<option name="trellis.size">medium</option>

<option name="trendColorInterpretation">standard</option>

<option name="trendDisplayMode">absolute</option>

<option name="unitPosition">after</option>

</single>

</panel>

<panel>

<title>Dark Theme for $unicode$</title>

<query>|makeresults count=1

|eval emoji=printf("%c", $unicode$)

|table emoji</query>

</search>

<option name="colorBy">value</option>

<option name="colorMode">block</option>

<option name="trellis.size">medium</option>

<option name="trendColorInterpretation">standard</option>

<option name="trendDisplayMode">absolute</option>

<option name="unitPosition">after</option>

</single>

</panel>

<panel>

<html>

<br/>

<font size="+1">Code for your dashboard:</font><p>

<br/>

<font size="+3" color="blue">|eval emoji=printf("%c", $unicode$)</font>

</p>

<br/>

Copy and paste into your query and rename 'emoji' to your field name.

<p><a href="https://unicode.org/emoji/charts/full-emoji-list.html" target="_blanl">Full emoji list from unicode.org</a></p>

</div>

</html>

</panel>

</row>

<panel>

<table>

<query>

|makeresults count=1

|eval passmeplease=("$pass$")

|rex field=passmeplease "\S\s+(?<unicode>\d+)"

</query>

<done>

<set token="unicode">$result.unicode$</set>

</done>

</search>

</table>

</panel>

</row>

<row>

<panel>

<table>

<query>

|makeresults count=$count$

|eval base = tonumber("1F380",16) |eval base = $base$

|streamstats count

|eval unicode_value = base + count

|sort unicode_value

|eval emoji=printf("%c", unicode_value)

|eval chartme=(emoji+" "+unicode_value)

|eval sets = count % 6

|eval fields_{sets} = chartme

|stats values(fields_*) as fields_*

|rename fields_1 as "fields ", fields_2 as "fields ", fields_3 as "fields ", fields_4 as "fields ", fields_5 as "fields ", fields_0 as "fields"

|table "fields ","fields ","fields ","fields ","fields ", "fields"

</query>

</search>

<fields>"fields ","fields ","fields ","fields ","fields ", "fields"</fields>

<option name="percentagesRow">false</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

<set token="pass">$click.value2$</set>

</drilldown>

</table>

</panel>

</row>

</form>

Continue Reading →

Identifying Hosts not sending data for more than 6 hours

| tstats latest(_time) as latest where index!="*_" earliest=-9h by host index sourcetype
| eval recent = if(latest > relative_time(now(),"-360m"),"1","0"), LastReceiptTime = strftime(latest,"%c")
| where recent=0
| sort LastReceiptTime
| eval age=now()-latest
| eval age=round((age/60/60),1)
| eval age=age."hour"
| fields - recent latest

| tstats latest(_time) as latest where index!="*_" earliest=-9h by host index sourcetype

| eval recent = if(latest > relative_time(now(),"-360m"),"1","0"), LastReceiptTime = strftime(latest,"%c")

| where recent=0

| sort LastReceiptTime

| eval age=now()-latest

| eval age=round((age/60/60),1)

| eval age=age."hour"

| fields - recent latest

Continue Reading →

Get unexpected shutdown date with downtime duration

Mainly saving you the headache of handling hidden characters which made field extraction harder than it needed to be.

source="*WinEventLog:System" EventCode=6008 "unexpected"
| rex "shutdown\s+at\s+(?<time>.*)\s+on\s+[^\d]?(?<month>\d+)\/[^\d]?(?<day>\d+)\/[^\d]?(?<year>\d+)\s+was"
| eval shutdownTime = strptime(year."-".month."-".day." ".time,"%Y-%m-%d %M:%H:%S %p")
| eval downTimeDays = round((_time-shutdownTime)/86400,2)
| eval shutdownTime = strftime(shutdownTime,"%c")
| table _time, host, shutdownTime, downTimeDays

source="*WinEventLog:System" EventCode=6008 "unexpected"

| rex "shutdown\s+at\s+(?<time>.*)\s+on\s+[^\d]?(?<month>\d+)\/[^\d]?(?<day>\d+)\/[^\d]?(?<year>\d+)\s+was"

| eval shutdownTime = strptime(year."-".month."-".day." ".time,"%Y-%m-%d %M:%H:%S %p")

| eval downTimeDays = round((_time-shutdownTime)/86400,2)

| eval shutdownTime = strftime(shutdownTime,"%c")

| table _time, host, shutdownTime, downTimeDays

Continue Reading →

Zerologon Detection (CVE-2020-1472)

Primary Search for Local Domain Controller Exploitation by Zerologon

index="<windows_index>" (sourcetype="<windows_sourcetype_security>" OR source="windows_source_security") EventCode="4742" OR EventCode="4624" AND (src_user="*anonymous*" OR member_id="*S-1-0*")
`comment("This looks for all 4624 and 4742 events under an 'ANONYMOUS USER', which are tied to the exploitation of Zerologon")`
| eval local_system=mvindex(upper(split(user,"$")),0)
`comment("This effectively splits the user field, which when parsed with the TA for Windows, may also appear as the Target User. Since the exploit would specifically occur using a local account on the Domain Controller, it stands to reason that detecting a modified user object, modified by a local system account, would be evidence of the exploit. The split removes the '$', creating a new field, deriving the local_system name via the original user field [ie. user='NameOfDC$' would become local_system='NameofDC']")`
| search host=local_system
`comment("A search to only find instances of these events when the host (DC) is the same as the extracted local_system account name performing the action")`
| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain

index="<windows_index>" (sourcetype="<windows_sourcetype_security>" OR source="windows_source_security") EventCode="4742" OR EventCode="4624" AND (src_user="*anonymous*" OR member_id="*S-1-0*")

`comment("This looks for all 4624 and 4742 events under an 'ANONYMOUS USER', which are tied to the exploitation of Zerologon")`

| eval local_system=mvindex(upper(split(user,"$")),0)

`comment("This effectively splits the user field, which when parsed with the TA for Windows, may also appear as the Target User. Since the exploit would specifically occur using a local account on the Domain Controller, it stands to reason that detecting a modified user object, modified by a local system account, would be evidence of the exploit. The split removes the '$', creating a new field, deriving the local_system name via the original user field [ie. user='NameOfDC$' would become local_system='NameofDC']")`

| search host=local_system

`comment("A search to only find instances of these events when the host (DC) is the same as the extracted local_system account name performing the action")`

| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain

You can also modify this search to only look at your Active Directory DCs. If you have common naming schemas, you can use that as well. Please see the report linked to get more info about the CVE itself.

Continue Reading →

Splunk dashboard that displays User searches

_audit
thall
17 0

Built this dashboard to give a high level overview of user search activity. The search powering the dashboard is looking that the _audit index and you will need to ensure that you have proper access to the internal Splunk indexes. The dashboard includes a TimeRange picker, radio button to include or exclude Splunk’s system user, […]

Continue Reading →

Splunk Query Repository