Skip to content

Instantly share code, notes, and snippets.

Avatar

David Shpritz automine

View GitHub Profile
View gist:6f4be303e0500838596f
EXTRACT-syslog_ng_message = \w{3}\s+\d+\s+\d+:\d+:\d+\s+(?<syslog_src>\S+)\s+(?<syslog_program>[^\s\[:]+)(?:[\d+])?(?:\s+|:)?(?<syslog_message>.*)
View gist:50f98c3771d103d785c332eed3068c1f
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by st fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | fields - "stack size"
View serverclass.conf
[serverClass:IVRXML_PROD]
whitelist.0 = server1.domain.com
whitelist.1 = server2.domain.com
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
[serverClass:IVRXML_PROD:app:IVRXML_PROD]
View props.conf
#Returns most of the space savings XML would provide SEDCMD-clean_fluff_from_winsec_events_this_event
SEDCMD-0-windows-event-formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
@automine
automine / props.conf
Last active Jun 7, 2017
fun with CEF
View props.conf
[cef_sourcetype]
KV_MODE = none
EXTRACT-cef-message = \sCEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
REPORT-cefLabelFirst = cefLabelFirst
REPORT-cefLabelSecond = cefLabelSecond
REPORT-builtInCefFields = builtInCefFields
@automine
automine / props.conf
Last active Jun 23, 2020
Windows Event Clean Up in Splunk
View props.conf
[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g
@automine
automine / inputs.conf
Last active Oct 2, 2020
Nice windows event blacklisting
View inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
View data model size splunk search
View props.conf
[host::10.200.12.115]
TRANSFORMS-rewrite_windows_security = rewrite_windows_security
View indexer_disk_space.xml
<dashboard>
<label>Indexer Disk Usage</label>
<row>
<panel>
<table>
<title>Disk Usage by Indexer</title>
<search>
<query>| rest /services/server/status/partitions-space splunk_server_group=dmc_group_indexer | search mount_point=/data/* | eval usage = capacity - free
| eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server | eval splunk_server=lower(splunk_server)| table splunk_server mount_point usage capacity pct_used | sort splunk_server mount_point | addcoltotals | eval usage=round(usage/1024,2) | eval capacity=round(capacity/1024, 2) | rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
<earliest>$earliest$</earliest>
You can’t perform that action at this time.