audit Archives -

Searches to check search concurrency for historical or real time

The following Splunk search will output historical or real time concurrency in a timechart by host. *NOTE* Change the text <search_head> to your search heads name, alternatively use a *.

<span class="il">index</span>=<span class="il">_internal</span> host=<search_head> source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) by host

1	<span class="il">index</span>=<span class="il">_internal</span> host=<search_head> source=metrics.log group=search_concurrency "system total" NOT user= \| timechart max(active_hist_searches) by host

<span class="il">index</span>=<span class="il">_internal</span> host=<search_head> source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_realtime_searches) by host

1	<span class="il">index</span>=<span class="il">_internal</span> host=<search_head> source=metrics.log group=search_concurrency "system total" NOT user= \| timechart max(active_realtime_searches) by host

Continue Reading →

Show Searches with Details (Who | When | What)

The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search What sourcetype was used What index was used What the search string was When the search was last ran

index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"
| rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))"
| rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" 
| rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)"
| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed
| convert ctime(Latest)

index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"

| rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))"

| rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"

| rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)"

| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed

| convert ctime(Latest)

Continue Reading →

List of Legitimate Account Names in Windows

This splunk query will list all successful logins by account name for a given time range. This query will work on a variety of Windows Operating systems to include XP, 2003, Vista, 2008, 7, 8, and server 2012. I’ve tested in some capacity in Windows 10 for some of my queries, so far they appear […]

Continue Reading →

Unintended Windows Shutdowns

This splunk query will show any unintended Windows system Shutdowns. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/

sourcetype="WinEventLog:system" EventCode=6008 | eval Date=strftime(_time, "%Y/%m/%d") | table  Date host, index, Message  | sort  - Date

1	sourcetype="WinEventLog:system" EventCode=6008 \| eval Date=strftime(_time, "%Y/%m/%d") \| table Date host, index, Message \| sort - Date

Continue Reading →

Count of Unique Users in a Linux Environment

This splunk query will return the total number of unique users in a given time range.

sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User)

1	sourcetype=linux_secure \| rex "\suser[^'](?<User>\S+\w+)" \| stats dc(User)

Continue Reading →

Tag: audit

Searches to check search concurrency for historical or real time

Show Searches with Details (Who | When | What)

List of Legitimate Account Names in Windows

Unintended Windows Shutdowns

Count of Unique Users in a Linux Environment