Data Usage for Indexer and Forwarders

In my previous role I created this dashboard to identify how much data a Splunk forwarder had sent to my indexers.  This was a daily check that either myself of someone on my team would review.  This check helped us identify a misconfiguration across all of my production Windows servers.  I was able to drilldown […]

Continue Reading →

Windows Sysmon Process Dashboard

Working with a customer I started this dashboard to give a high level overview of Windows Sysmon data.  I have been evolving the dashboard in my home environment and will take any feedback to improve the effectiveness of this dashboard. First is getting sysmon data into your splunk environment.  My home computers are running Windows […]

Continue Reading →

Get KV Store Metrics

This Splunk REST query will return KV Store Metrics:

Continue Reading →

Searches to check search concurrency for historical or real time

The following Splunk search will output historical or real time concurrency in a timechart by host. *NOTE* Change the text <search_head> to your search heads name, alternatively use a *.

Continue Reading →

LDAP Search Dashboard

Description: This dashboard is designed to simplify Splunk’s LDAPSEARCH command. LDAP must be configured in your Splunk instance for this to work.  

Continue Reading →

Show your triggered alerts

This search shows all the alerts that where triggered in your splunk environment:

Continue Reading →

Apps Deployed from Deployment Server

Want to show what apps have been deployed to forwarders from a deployment server (DS)? Try this Splunk Search:

Continue Reading →

Successful Logons to WordPress Admin Area

Ever want more detailed information on authentications to your WordPress Admin Area? This Splunk Query will show detailed information on successful authentications to the wp-admin section of your site:

Screenshot: Notes: Please comment if this is successful or unsuccessful for you, I have limited access to WordPress data. That said this worked for me.

Continue Reading →

See who is using Splunk by user, app and view

########## Admin Notes This query is a modified version of one submitted by tokenwander here: https://gosplunk.com/whos-using-splunk/ ##########

Continue Reading →

Host not sending logs for x days

This Splunk Query will show hosts that stopped sending logs for at least 48 hours. You’ll want to change the time range to be relevant to your environment, and you may need to tweak the 48 hour range to something that is more appropriate for your environment.

Continue Reading →

License and Storage Usage Dashboard

This relies on the search posted earlier: This will display storage and license usage broken down by groups, predefined in the chargeback app customers.csv

Continue Reading →

Build License usage by Group

This was cobbled together from multiple searches I found. This search feeds the license and storage dashboard posted here: It relies on the Chargeback app for the customers.csv form.

 

Continue Reading →

Detailed User Activity

Continue Reading →

Exclude single event type from logs

Do this on HF   transforms.conf:

  props.conf:

Continue Reading →

Who’s Using Splunk?

I often get asked how much a certain dashboard gets looked at, or how many times a user looks at a specific app. I wrote this quick query to answer that question.

Continue Reading →