Build License usage by Group

This was cobbled together from multiple searches I found. This search feeds the license and storage dashboard posted here: It relies on the Chargeback app for the customers.csv form.
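As an added example (not the search from the post, and not code from the Chargeback app), here is a license-usage-by-group search built the same way: daily usage from license_usage.log, mapped from index to group through a CSV lookup. It assumes a lookup file named customers.csv with columns `index` and `group`; the real Chargeback customers.csv may use different column names, so adjust the `lookup` clause to match.

```spl
index=_internal source=*license_usage.log* type="Usage" earliest=-30d@d latest=@d
| lookup customers.csv index AS idx OUTPUTNEW group
| fillnull value="unassigned" group
| eval gb=b/1024/1024/1024
| timechart span=1d sum(gb) AS gb BY group
```

Run it on, or with search access to, the license manager: only it writes the type=Usage lines, and each line's `b` field is the bytes counted against the license for that index (`idx`). Indexes with no row in the lookup land in the "unassigned" series, which is the first thing to check when the group totals do not add up to the daily total on the license manager's own usage page.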


Detailed User Activity


Exclude single event type from logs

Do this on the heavy forwarder (HF).

transforms.conf:

props.conf:


Who’s Using Splunk?

I often get asked how much a certain dashboard gets looked at, or how many times a user looks at a specific app. I wrote this quick query to answer that question.
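An added example of that kind of query, written for this page rather than taken from the post: it reads the Splunk Web access log, pulls the app and view name out of the request path, and counts views per user, app and dashboard. It assumes the UI requests are indexed under sourcetype splunk_web_access with a `uri_path` shaped like `/en-US/app/<app>/<view>`; check which sourcetype your version writes before relying on it.

```spl
index=_internal sourcetype=splunk_web_access method=GET status=200 user!="-" uri_path="/*/app/*"
| rex field=uri_path "^/[^/]+/app/(?<app>[^/]+)/(?<view>[^/?]+)"
| where isnotnull(view)
| stats count AS views latest(_time) AS last_viewed BY user app view
| eval last_viewed=strftime(last_viewed, "%Y-%m-%d %H:%M")
| sort - views
```

Drop `user` from the BY clause (and add `dc(user) AS unique_users`) to get the per-dashboard totals instead of the per-user breakdown. The `user!="-"` filter removes unauthenticated requests (login page, static assets), and `status=200` keeps redirects and failed requests from being counted as views.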


Find unused dashboards

Use this search to find unused dashboards:

Admin Notes – Fantastic query! I modified the SPL slightly as I had an issue when I copied it to my two test environments.
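As an added example (my own search, not the post's SPL or the admin's modified version), one way to find dashboards with no views: list every dashboard from the REST views endpoint with a zero view count, append the per-dashboard view counts from the Splunk Web access log, and keep the rows whose total is still zero. It assumes the same splunk_web_access sourcetype and `/<locale>/app/<app>/<view>` path layout as the query in the previous entry, and a 90-day window for "unused".

```spl
| rest /servicesNS/-/-/data/ui/views splunk_server=local count=0
| search isDashboard=1
| rename eai:acl.app AS app, title AS view
| eval views=0
| table app view views
| append
    [ search index=_internal sourcetype=splunk_web_access method=GET status=200 uri_path="/*/app/*" earliest=-90d
      | rex field=uri_path "^/[^/]+/app/(?<app>[^/]+)/(?<view>[^/?]+)"
      | stats count AS views BY app view ]
| stats sum(views) AS views BY app view
| where views=0
| sort app view
```

The append-then-sum pattern avoids `join`, which silently truncates the subsearch at the default result limit on busy search heads. `splunk_server=local` keeps the REST call on the search head you run it from; on a search head cluster the views are replicated, so one member is enough. Remember that `_internal` is only retained for about 30 days by default, so a 90-day window only works if you have raised that retention or forward the access log elsewhere.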


skipped searches and why

Quickly identify high amounts of skipped searches in your cluster or standalone SH(s):

Adjust “[your splunk SH(s)]” to the SH(s) you want to check, obviously ;)
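An added example of such a search (not the one from the post): it reads scheduler.log from the search heads, counts runs and skips per saved search, and keeps the scheduler's stated reason so you can tell a concurrency limit from a search that simply takes longer than its interval. The host names sh01 and sh02 stand in for “[your splunk SH(s)]” and are placeholders.

```spl
index=_internal sourcetype=scheduler host IN ("sh01","sh02") earliest=-24h
| stats count AS runs count(eval(status="skipped")) AS skipped values(reason) AS skip_reasons BY app savedsearch_name
| where skipped > 0
| eval skip_pct=round(100*skipped/runs, 1)
| sort - skip_pct, - skipped
```

Skipped scheduled searches matter beyond performance: a skipped correlation search is a detection that did not run for that interval, so a high `skip_pct` on an app like SplunkEnterpriseSecuritySuite is a coverage gap, not just a capacity problem. The `reason` text usually points straight at the fix (raise the concurrency limits, spread cron schedules, or shorten the search).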


find blocking queues

Blocked queues are (obviously) bad for your environment, so here is a search to identify those:

Example result:
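As an added example, not the post's own search: metrics.log records a `blocked=true` sample for every queue that was full when the metrics interval fired, so counting those samples per host and queue, together with the queue's size limit, shows where the pipeline is backing up. It assumes the default metrics.log field names (`group=queue`, `name`, `current_size_kb`, `max_size_kb`).

```spl
index=_internal source=*metrics.log* sourcetype=splunkd group=queue blocked=true earliest=-24h
| stats count AS blocked_samples max(current_size_kb) AS max_kb max(max_size_kb) AS limit_kb latest(_time) AS last_seen BY host name
| eval pct_full=round(100*max_kb/limit_kb, 1)
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - blocked_samples
```

Read the result as a chain: the queue furthest downstream that is blocked (indexqueue before typingqueue before parsingqueue) is the real bottleneck, and everything upstream of it blocks as a consequence. Since metrics are sampled roughly every 30 seconds, `blocked_samples` is close to the number of blocked half-minutes in the window.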


Internal Splunk User Stats

This simple Splunk query will show us the unique Splunk users logged in per day, as well as the total count of log-ons.
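An added example of that query, written for this page rather than copied from the post; it goes one step further than the description and also counts failed log-on attempts per day, since the ratio of failed to successful log-ons is the number a security team actually watches. It reads the `_audit` index, where every authentication attempt is logged with `action=login_attempt` and `info` set to succeeded or failed.

```spl
index=_audit action=login_attempt earliest=-30d@d latest=@d
| timechart span=1d dc(eval(if(info="succeeded", user, null()))) AS unique_users count(eval(info="succeeded")) AS logons count(eval(info="failed")) AS failed_logons
```

Add `BY user` to a plain `stats` version of the same counts to find the accounts behind a spike in `failed_logons`; a burst of failures against many distinct users from the same source is the pattern to alert on.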


Apache Traffic Dashboard

Description: The following Dashboard is what I use to monitor traffic to GoSplunk. It uses the built-in sourcetype access_combined. No additional add-ons or TAs are required. I replaced my index with index=* so it’ll work out of the box. You’ll want to change this to your index for best practices. *UPDATE – 2019/05/29* […]


List all ES Correlation Searches
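As an added example (not the post's search): Enterprise Security marks its correlation searches with the `action.correlationsearch.enabled` attribute on the saved search, so the REST saved/searches endpoint is enough to list them along with their schedule and enabled state. It assumes an ES search head where those attributes are present.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search action.correlationsearch.enabled=1
| rename eai:acl.app AS app, action.correlationsearch.label AS label, cron_schedule AS cron
| eval state=if(disabled=1, "disabled", "enabled")
| table app label title state cron dispatch.earliest_time dispatch.latest_time search
| sort app label
```

Filtering on `state="disabled"` gives the detections you are paying for but not running; pairing this list with the skipped-searches report above tells you which of the enabled ones are actually completing on schedule.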


Windows service activity & MSI installs

Here is a dashboard I built to help you understand the activity of services and MSI installs within a Windows machine. This dashboard utilizes Post Processing, so only two searches are launched when the dashboard is loaded, to minimize impact on search queuing. Add-ons: Splunk Add-on for Microsoft Windows – https://splunkbase.splunk.com/app/742/ Video overview […]


Simple File Integrity Monitoring Management Dashboard

This is the code for my original reddit post at https://www.reddit.com/r/Splunk/comments/am3tgr/simple_file_integrity_monitoring/ This dashboard allows users to manage simple File Integrity Monitoring (FIM) within Splunk. Please note that this isn’t a full FIM suite as it only validates if a checksum has been changed on a file, but I have included a simple TA for Linux. However, if you […]


Auditd hosts in all environments

Shows the login activity to our linux environments, sudo commands per host and users. Admin Notes: index=main was changed to index=* due to not everyone using the same index. This dashboard has been tested for code errors, but not for search errors. Please comment if you have any issues!  


Searching Your Searches

Below is the raw XML of a dashboard we wrote about on our blog a couple of months ago. Click here to read that blog, or copy/paste this XML in your Splunk instance!
