Luke LukeMurphey

View GitHub Profile
@LukeMurphey
LukeMurphey / Splunk timesince macro
Last active January 23, 2018 22:49
This Splunk macro converts a time field into a human-readable string that indicates how long ago an event happened. It converts a field holding epoch time into a string such as "2 minutes ago". If the epoch time is in the future, it returns "0 minutes ago". Tags: #splunk #macro
# timesince
# -----------------------------
# makes a human readable description of the amount of time since a device was observed
#
[timesince(2)]
args = sourceField,destField
definition = eval now=time() | eval $destField$ = case( $sourceField$ > now, "0 minutes ago", now-$sourceField$ > (2*86400), round((now-$sourceField$) / (86400)) . " days ago", now-$sourceField$ > (2*3600), round((now-$sourceField$) / (3600)) . " hours ago", now-$sourceField$ > (2*60), round((now-$sourceField$) / (60)) . " minutes ago", now-$sourceField$ > 60, "1 minute ago", now-$sourceField$ <= 60, "just now" ) | fields - now
iseval = 0
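The macro's case() expression switches units only once the elapsed time exceeds twice the unit (120 s, 7200 s, 172800 s), so values just under a cutoff are reported in the smaller unit ("120 minutes ago" at exactly two hours, "48 hours ago" just under two days). The following added example, which is not code from the gist, ports the same thresholds to Python so the boundaries can be checked offline. It assumes Splunk's round() with no precision argument rounds half up; that is an assumption, not something the page states.

```python
"""Python port of the timesince(2) macro's case() logic (added example)."""
import math


def _round_half_up(x):
    # Assumption: mimic Splunk's round() with no precision argument (half up).
    return int(math.floor(x + 0.5))


def timesince(source_epoch, now_epoch):
    """Return the string the macro would place in $destField$.

    The branch order and thresholds are exactly those of the macro:
    future -> "0 minutes ago", then days, hours, minutes, "1 minute ago",
    and finally "just now" for anything at or under 60 seconds.
    """
    delta = now_epoch - source_epoch
    if source_epoch > now_epoch:
        return "0 minutes ago"
    if delta > 2 * 86400:
        return "%d days ago" % _round_half_up(delta / 86400.0)
    if delta > 2 * 3600:
        return "%d hours ago" % _round_half_up(delta / 3600.0)
    if delta > 2 * 60:
        return "%d minutes ago" % _round_half_up(delta / 60.0)
    if delta > 60:
        return "1 minute ago"
    return "just now"


def boundary_table(now_epoch=1_000_000):
    """Constructed sample offsets (seconds) around each cutoff, mapped to output."""
    offsets = [0, 60, 61, 120, 121, 3599, 7200, 7201, 172799, 172800, 172801, 30 * 86400]
    return {off: timesince(now_epoch - off, now_epoch) for off in offsets}


if __name__ == "__main__":
    for off, text in sorted(boundary_table().items()):
        print("%7d s -> %s" % (off, text))
```

Because a unit only changes once twice that unit has elapsed, a dashboard built on this macro will show "90 minutes ago" rather than "2 hours ago"; if that is not wanted, lower the multipliers in the case() conditions.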
LukeMurphey / stylizable simple results table application.js
Last active December 16, 2015 02:09
This segment of application JS causes Simple Results Table in Splunk to include the field value as an attribute in the table cells. This allows you to style the cells based on the contents. Tags: #splunk
if( Splunk.Module.SimpleResultsTable ){
    // Subclass the stock SimpleResultsTable module so rendered cells can be styled by value
    Splunk.Module.SimpleResultsTable = $.klass(Splunk.Module.SimpleResultsTable, {
        renderResults: function($super, htmlFragment) {
            // Let the stock module render the table first
            $super(htmlFragment);
            if (this.getInferredEntityName()=="events") {
                // Count the result rows, excluding the header row
                this.renderedCount = $("tr", this.container).length - 1;
            }
            // (the part of the gist that copies each field value onto its cell as an attribute is not shown in this listing preview)
        }
    });
}
LukeMurphey / build.xml
Last active December 16, 2015 06:19
A basic Ant build file that contains targets useful for building Splunk apps. Tags: #splunk
<!--
This Ant build script contains operations that are useful for building Splunk apps. To use it with your app, do the following:
1) Set the name of the project in the project node
2) Define a default.properties file to specify default parameters. The default.properties file ought to be checked into the source-code repository.
3) Define a local.properties file to override the default parameters. This file is install-specific and thus should NOT be checked into the source-code repository.
Below are the parameters supported:
* value.build.packageoutput.directory: indicates where created packages should go (defaults to tmp/packages)
* value.build.number: indicates the build number specified in app.conf (defaults to 1)
(remaining parameters and targets not shown in this listing preview)
-->
LukeMurphey / splunk_rest_handler.py
Last active February 1, 2023 22:56
This is a basic Splunk REST handler that can be used to make custom endpoints in Splunk. Tags: #splunk
import splunk.admin as admin
import splunk.entity as entity
import splunk
import logging
import logging.handlers
import os
import re
import copy
class StandardFieldValidator(object):
    pass  # class body not shown in this listing preview
LukeMurphey / restmap.conf
Created April 15, 2013 19:28
A restmap.conf for a custom REST endpoint in Splunk. Make sure to change "change_this" to something that makes sense for your endpoint, and change handlerfile unless your endpoint is defined in rest_handler.py. Tags: #splunk
[admin_external:change_this]
handlertype = python
handlerfile = rest_handler.py
handleractions = list,edit,_reload
LukeMurphey / app.conf
Created April 15, 2013 19:31
An app.conf template. Tags: #splunk
[launcher]
version =
description =
author =
[package]
id =
[install]
build = ${build.number}
LukeMurphey / supra_codes.py
Created May 13, 2013 17:15
Computes the minimal set of codes to attempt in order to open a GE Supra lockbox. This script generates the codes necessary to perform a brute-force attack on a Supra lockbox. By default, the script outputs all 4-digit codes. Set the first argument to another value (e.g. "supra_codes.py 5") to generate codes with more or fewer digits…
"""
Computes the minimal set of codes to open a GE Supra lock box (such as http://www.amazon.com/Security-Keysafe-Cabinet-Assorted-Colors/dp/B000VL4TSW).
"""
import sys
def remove_values_from_list(the_list, val):
    the_list_copy = the_list[:]  # copy so the caller's list is untouched (body completed here; the preview cuts off after this line)
    while val in the_list_copy: the_list_copy.remove(val)
    return the_list_copy
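What makes the code set "minimal" is a property of push-button key safes rather than anything in the script excerpt above: each of the ten buttons can be pressed at most once and the order of presses does not matter, so a code is a set of digits, not a sequence. That assumption about the lock is mine, not stated on this page. The following added example, not the gist's own code, enumerates the resulting set with itertools.combinations and shows how small the keyspace is compared with the 10^n sequences a naive attacker would try.

```python
"""Enumerate the minimal code set for an order-independent push-button key safe (added example)."""
from itertools import combinations
from math import comb  # Python 3.8+

BUTTONS = "0123456789"


def supra_codes(digits=4, buttons=BUTTONS):
    """Every distinct code of the given length, each written with digits in ascending order.

    Assumption: buttons press at most once and order is irrelevant, so a code
    is a combination of the buttons; "3210" and "0123" are the same code.
    """
    return ["".join(c) for c in combinations(buttons, digits)]


def naive_keyspace(digits=4):
    """Sequences an attacker tries if they treat the code as an ordered PIN with repeats."""
    return 10 ** digits


def code_count(digits=4):
    """Closed-form size of the minimal set, C(10, digits)."""
    return comb(10, digits)


def total_codes_all_lengths(buttons=BUTTONS):
    """If the code length is unknown, every non-empty subset of the buttons: 2^10 - 1."""
    return sum(comb(len(buttons), k) for k in range(1, len(buttons) + 1))


def canonical(code):
    """Normalise a code typed in any order to the form supra_codes() emits."""
    return "".join(sorted(set(code)))


if __name__ == "__main__":
    for n in (3, 4, 5):
        print("%d digits: %d codes to try instead of %d" % (n, len(supra_codes(n)), naive_keyspace(n)))
    print("unknown length: %d codes cover every possible setting" % total_codes_all_lengths())
```

The canonical() helper is what makes the enumeration complete: any code the owner set, typed in whatever order they remember it, collapses to exactly one entry of supra_codes(). The practical point for anyone using such a lockbox is that the full keyspace, across all code lengths, is 1023 attempts.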
LukeMurphey / find_non_custom_links.js
Last active December 7, 2017 19:34
This browser user script identifies the parts of a page that reference a resource whose path is not prefixed with the custom root endpoint. The script only finds problems when a custom root endpoint is in use. Tags: #splunk
LukeMurphey / modular_input.py
Last active November 2, 2017 21:19
A base class that can be used for making Python-based modular inputs for Splunk. Tags: #splunk
"""
This is a base class for making Python modular inputs for Splunk.
To make a modular input based on this class, you should follow the steps defined below.
Note that this example assumes you are making an input named "my_input_name".
________________________________________________________
1) Define the input in inputs.conf.spec
(remaining steps not shown in this listing preview)
"""
LukeMurphey / search_command.py
Last active November 21, 2019 22:09
A base class for making Python-based search commands in Splunk. Tags: #splunk
"""
This class provides a base class for search commands that handles much of the Splunk-to-Python
interaction necessary for making a search command.
This is licensed under the Apache License Version 2.0
See https://www.apache.org/licenses/LICENSE-2.0.html
To make a search command, you will need to:
1) Sub-class the search command (see below for an example)
2) Declare your search command in commands.conf
(remaining steps and the class itself not shown in this listing preview)
"""