meznak

# Check indexer cluster bundle status without all the mess.
# Requires $SPLUNK_HOME/bin to be in your path

# one-shot status
alias bundlestatus="splunk show cluster-bundle-status > .cbs.tmp && sed -n '/cluster_status/,/^ *$/p' .cbs.tmp && grep -A5 site1 .cbs.tmp | paste -d ' ' - - - - - - - | sed -r -e 's/\t/ /g' -e 's/(.uto)?.asu.edu//g' -e 's/[[:alnum:]]\{8\}(-[[:alnum:]]\{4\}){3}-[[:alnum:]]\{12\}//g' -e 's/[[:blank:]]*site1[[:blank:]]*/ /g' -e 's/_bundle=(.{8}|.)\S*/=\1/g' -e 's/_validat(ed|ion_)//g' -e 's/_required_apply//g' -e 's/last_bundle//g' -e 's/--//g' | sort -V | column -t && rm .cbs.tmp"

# watch status
alias bundlestatusw="watch -n10 \"splunk show cluster-bundle-status > .cbs.tmp && sed -n '/cluster_status/,/^ *$/p' .cbs.tmp && grep -A5 site1 .cbs.tmp | paste -d ' ' - - - - - - - | sed -r -e 's/\t/ /g' -e 's/(.uto)?.asu.edu//g' -e 's/[[:alnum:]]\{8\}(-[[:alnum:]]\{4\}){3}-[[:alnum:]]\{12\}//g' -e 's/[[:blank:]]*site1[[:blank:]]*/ /g' -e 's/_bundle=(.{8}|.)\S*/=\1/g' -e 's/_validat(ed|ion_)//g'

faststeak

| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where  DNS.record_type="A*" NOT DNS.query="SomeHostNames*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
| rename DNS.query as query DNS.src as src 
| eval query_punct=query 
| rex mode=sed field=query_punct "s/\w+//g"
| search NOT query_punct="--.-.----" 
|   `ut_shannon(query)` 
| stats sum(ut_shannon) as ut_shannon_sum  values(query) as query by src 
| where ut_shannon_sum<1000 
| sort - ut_shannon_sum

automine

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

automine

[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g