Detect Dying Sourcetypes

This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.   | tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype […]

Continue Reading →

Search Traffic by Source IP

GoSplunk Admin Notes: If you have a data model enabled that matches the search below, this might work for you! | datamodel Network_Traffic All_Traffic search | search All_Traffic.src_ip=10.x.x.x | stats count by All_Traffic.src_ip, All_Traffic.dest,All_Traffic.action, dstcountry | dedup All_Traffic.dest

Continue Reading →

Permissions for splunk users

Another view for which splunk user can do what in your splunk environment | rest /services/authentication/users | mvexpand roles | table realname, title, roles, email | join roles [ rest /services/authorization/roles | rename title as roles | search srchIndexesAllowed=* | table roles srchIndexesAllowed]

Continue Reading →