


David Shpritz automine

@meznak
meznak / bundlestatus.alias
Last active Jul 26, 2019 — forked from xoff00/gist:fc8e074985e48287e31742730d8a3e8b
Splunk cluster bundle status on a single line
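# Check indexer cluster bundle status without all the mess.
# Requires $SPLUNK_HOME/bin to be in your path
# one-shot status
#
# Defined as a function rather than an alias so that the scratch file comes
# from mktemp (a private, unpredictable path) instead of ".cbs.tmp" in
# whatever directory the shell happens to be in, and so that it is removed
# even when one step of the pipeline fails (the alias only reached "rm" when
# every earlier command succeeded).
#
# The GUID-stripping expression used "\{8\}" under "sed -r"; in extended
# regex mode "\{" is a literal brace, so it never matched a bundle id.
# The braces are now unescaped like the "{3}" and "{8}" already in the list.
bundlestatus() {
    local tmp rc
    tmp=$(mktemp) || return 1
    # 1) print the cluster_status block as-is (up to the first blank line);
    # 2) take the site1 peer lines (grep context groups), fold each group
    #    onto one line, strip the noise (domain suffix, bundle GUIDs, long key
    #    names, grep's "--" group separators) and align the columns.
    # The "(.uto)?.asu.edu" expression is kept as written: its dots are
    # unescaped and so match any character, not only a literal dot.
    splunk show cluster-bundle-status > "$tmp" \
        && sed -n '/cluster_status/,/^ *$/p' "$tmp" \
        && grep -A5 site1 "$tmp" \
            | paste -d ' ' - - - - - - - \
            | sed -r \
                -e 's/\t/ /g' \
                -e 's/(.uto)?.asu.edu//g' \
                -e 's/[[:alnum:]]{8}(-[[:alnum:]]{4}){3}-[[:alnum:]]{12}//g' \
                -e 's/[[:blank:]]*site1[[:blank:]]*/ /g' \
                -e 's/_bundle=(.{8}|.)\S*/=\1/g' \
                -e 's/_validat(ed|ion_)//g' \
                -e 's/_required_apply//g' \
                -e 's/last_bundle//g' \
                -e 's/--//g' \
            | sort -V | column -t
    rc=$?
    rm -f "$tmp"
    return "$rc"
}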
# watch status
alias bundlestatusw="watch -n10 \"splunk show cluster-bundle-status > .cbs.tmp && sed -n '/cluster_status/,/^ *$/p' .cbs.tmp && grep -A5 site1 .cbs.tmp | paste -d ' ' - - - - - - - | sed -r -e 's/\t/ /g' -e 's/(.uto)?.asu.edu//g' -e 's/[[:alnum:]]\{8\}(-[[:alnum:]]\{4\}){3}-[[:alnum:]]\{12\}//g' -e 's/[[:blank:]]*site1[[:blank:]]*/ /g' -e 's/_bundle=(.{8}|.)\S*/=\1/g' -e 's/_validat(ed|ion_)//g'
```Per-source sum of DNS query-name entropy, after dropping reverse lookups, AD service records and one local noise pattern. Triple-backtick comments need a Splunk version that supports them.```
| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.record_type="A*" NOT DNS.query="SomeHostNames*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
```record_type="A*" is a wildcard: it matches AAAA (and any other type starting with A) as well as A. "SomeHostNames*" is a placeholder for local names to exclude.```
| rename DNS.query as query DNS.src as src
```query_punct keeps only the punctuation of the query name so a whole naming shape can be excluded below```
| eval query_punct=query
| rex mode=sed field=query_punct "s/\w+//g"
```drop queries whose punctuation skeleton is exactly --.-.---- (presumably a site-specific naming scheme - confirm)```
| search NOT query_punct="--.-.----"
```ut_shannon adds a per-query Shannon entropy field; presumably the URL Toolbox macro, which must be installed```
| `ut_shannon(query)`
| stats sum(ut_shannon) as ut_shannon_sum values(query) as query by src
```NOTE(review): a sum grows with query volume, so this threshold is volume-weighted rather than an average per query - confirm that is intended```
| where ut_shannon_sum<1000
| sort - ut_shannon_sum
@automine
automine / inputs.conf
Last active Jun 24, 2020
Nice windows event blacklisting
# Windows Security log collection with noisy events filtered at the forwarder.
# Blacklisted events are dropped before they reach the indexer and cannot be
# recovered later, so each rule below is a deliberate visibility trade-off.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# 4662 / 566 (directory object access): keep only events whose Object Type is
# groupPolicyContainer; the negative lookahead drops every other object type.
# NOTE(review): 4662 also records reads of replication-related directory
# attributes that detection content commonly relies on, and those records do
# not name a groupPolicyContainer, so this rule drops them - confirm that is
# acceptable.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
# 4688 / 4689 (process create / exit): drop Splunk's own binaries under
# <C..F>:\Program Files\Splunk[UniversalForwarder]\bin. The match is on the
# reported path string only, so any executable reporting one of these paths
# is excluded from the log, whatever it actually is.
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
@automine
automine / props.conf
Last active Jun 23, 2020
Windows Event Clean Up in Splunk
[WinEventLog:Security]
#Returns most of the space savings XML would provide
# SEDCMD rules run at index time; whatever they remove is gone from the
# indexed event, so the patterns must not hit anything searches rely on.
# Collapse "Key:   -", "Key:   NULL SID" and "ID:   0x0" fields to a bare "Key:".
# The first expression is listed twice; the second copy looks redundant -
# confirm before removing it.
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
# Drop the boilerplate explanation from "This event is generated" to the end
# of the event.
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
# Same for the certificate boilerplate.
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
# Strip the IPv4-mapped IPv6 prefix so an address such as ::ffff:192.0.2.1
# (constructed example) indexes as the plain IPv4 form.
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
# Drop the token elevation explanation to the end of the event.
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
# Drop the network share and credential validation explanations to the end
# of the event (multi-line, dot-matches-newline).
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
# Remove the IPv6 loopback "::1". NOTE(review): the pattern is unanchored, so
# it also removes "::1" wherever it occurs inside a longer address or string -
# confirm that is intended.
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g