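# Check indexer cluster bundle status without all the mess.
# Requires $SPLUNK_HOME/bin to be in your path
# one-shot status
#
# Written as a function rather than an alias so that a private mktemp file can
# replace the fixed ./.cbs.tmp: a predictable name in the current directory can
# be pre-created or symlinked by another local user, and the original && chain
# never removed the file when one of its steps failed.
# The GUID-stripping expression now uses ERE braces ({8}); under `sed -r` the
# escaped form \{8\} matches a literal "{8}", so GUIDs were never removed.
bundlestatus() {
    local tmp rc
    tmp=$(mktemp) || return 1
    splunk show cluster-bundle-status > "$tmp" &&
        # cluster_status block, printed as-is up to the first blank line
        sed -n '/cluster_status/,/^ *$/p' "$tmp" &&
        # one row per peer: the lines of each site1 entry are joined, then the
        # hostname suffix, GUIDs, site label and bundle-name noise are trimmed
        grep -A5 site1 "$tmp" | paste -d ' ' - - - - - - - |
        sed -r -e 's/\t/ /g' \
               -e 's/(.uto)?.asu.edu//g' \
               -e 's/[[:alnum:]]{8}(-[[:alnum:]]{4}){3}-[[:alnum:]]{12}//g' \
               -e 's/[[:blank:]]*site1[[:blank:]]*/ /g' \
               -e 's/_bundle=(.{8}|.)\S*/=\1/g' \
               -e 's/_validat(ed|ion_)//g' \
               -e 's/_required_apply//g' \
               -e 's/last_bundle//g' \
               -e 's/--//g' |
        sort -V | column -t
    rc=$?
    # always clean up, whether or not the chain above succeeded
    rm -f "$tmp"
    return "$rc"
}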
# watch status | |
alias bundlestatusw="watch -n10 \"splunk show cluster-bundle-status > .cbs.tmp && sed -n '/cluster_status/,/^ *$/p' .cbs.tmp && grep -A5 site1 .cbs.tmp | paste -d ' ' - - - - - - - | sed -r -e 's/\t/ /g' -e 's/(.uto)?.asu.edu//g' -e 's/[[:alnum:]]\{8\}(-[[:alnum:]]\{4\}){3}-[[:alnum:]]\{12\}//g' -e 's/[[:blank:]]*site1[[:blank:]]*/ /g' -e 's/_bundle=(.{8}|.)\S*/=\1/g' -e 's/_validat(ed|ion_)//g' |
``` Per-source summary of DNS A-record query entropy from the Network_Resolution data model.
    `summariesonly` reads accelerated (summarised) data only, so events not yet summarised
    are not counted -- a coverage gap to keep in mind if this feeds an alert.
    The NOT DNS.query filters drop reverse lookups, AD SRV-style names and a placeholder
    "SomeHostNames*" pattern that is meant to be replaced with local noise. ```
| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.record_type="A*" NOT DNS.query="SomeHostNames*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
| rename DNS.query as query DNS.src as src
``` query_punct keeps only the punctuation "skeleton" of the name (word characters removed) ```
| eval query_punct=query
| rex mode=sed field=query_punct "s/\w+//g"
``` skip names whose skeleton is exactly --.-.---- ; presumably a known local naming scheme -- confirm ```
| search NOT query_punct="--.-.----"
``` ut_shannon adds a Shannon-entropy score per query; the macro comes from an add-on
    (presumably URL Toolbox) that must be installed for this search to run ```
| `ut_shannon(query)`
| stats sum(ut_shannon) as ut_shannon_sum values(query) as query by src
``` NOTE(review): this keeps only sources whose summed entropy is under 1000, i.e. it drops
    the busiest / highest-scoring sources; confirm that is intended (a cap on noisy resolvers)
    rather than an inverted threshold ```
| where ut_shannon_sum<1000
| sort - ut_shannon_sum
[WinEventLog://Security]
# Windows Security event log input. With start_from = oldest and
# current_only = 0 the existing log is read from its oldest event before new
# events are tailed, so the first run can be large.
disabled = 0
start_from = oldest
current_only = 0
# Resolve AD object GUIDs/SIDs in the message text to names (needs DC access)
evt_resolve_ad_obj = 1
# Seconds between checkpoint writes of the read position
checkpointInterval = 5
# Drop directory-service object access events (4662 / 566) for every object
# type except groupPolicyContainer.
# NOTE(review): 4662 on other object types (domainDNS among them) is also what
# directory-replication monitoring relies on; confirm nothing downstream needs
# those events before keeping these two filters.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
# Drop process create / exit events (4688 / 4689) for Splunk's own binaries
# under [C-F]:\Program Files\Splunk or \SplunkUniversalForwarder\bin. The match
# is on the path alone, so the exclusion is only as trustworthy as the ACLs on
# that directory; drive letters outside C-F are not covered.
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
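[WinEventLog:Security]
#Returns most of the space savings XML would provide
# Index-time SEDCMD rewrites applied to the raw Security event text; each one
# is a sed-style s/// expression (PCRE), several separated by spaces in clean0.
# clean0: collapse "Field:   -" to "Field:", drop "NULL SID" and "ID: 0x0"
# values. The first expression is listed twice on purpose: a second pass
# removes a further trailing "-" that the first pass exposes.
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
# clean1/2/4/5/6: strip the explanatory boilerplate paragraph from the end
# of the message ("This event is generated ..." and friends)
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
# clean3: remove the IPv4-mapped IPv6 prefix so "::ffff:10.0.0.1" becomes
# "10.0.0.1". Unanchored, so a genuine IPv6 address containing "::ffff:"
# would also be altered -- rare, but worth knowing when reading addresses.
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
# clean7: blank the IPv6 loopback "::1". The previous pattern matched "::1"
# anywhere, so any address containing that substring was corrupted
# ("2001:db8::1234" lost its "::1", "fd00::10" became "fd000"). The
# lookarounds only match a standalone "::1" that is not part of a longer
# address, so "fe80::1" and "::10" are left intact.
SEDCMD-clean7-local_ipv6 = s/(?<![0-9a-fA-F:])::1(?![0-9a-fA-F:])//g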