Skip to content

Instantly share code, notes, and snippets.

EXTRACT-syslog_ng_message = \w{3}\s+\d+\s+\d+:\d+:\d+\s+(?<syslog_src>\S+)\s+(?<syslog_program>[^\s\[:]+)(?:[\d+])?(?:\s+|:)?(?<syslog_message>.*)
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by st fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | fields - "stack size"
[serverClass:IVRXML_PROD]
whitelist.0 = server1.domain.com
whitelist.1 = server2.domain.com
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
[serverClass:IVRXML_PROD:app:IVRXML_PROD]
#Returns most of the space savings XML would provide SEDCMD-clean_fluff_from_winsec_events_this_event
SEDCMD-0-windows-event-formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
@automine
automine / props.conf
Last active June 7, 2017 19:05
fun with CEF
[cef_sourcetype]
KV_MODE = none
EXTRACT-cef-message = \sCEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
REPORT-cefLabelFirst = cefLabelFirst
REPORT-cefLabelSecond = cefLabelSecond
REPORT-builtInCefFields = builtInCefFields
[host::10.200.12.115]
TRANSFORMS-rewrite_windows_security = rewrite_windows_security

Keybase proof

I hereby claim:

  • I am automine on github.
  • I am automine (https://keybase.io/automine) on keybase.
  • I have a public key ASBsDDTfSgZw2aFLr6eiXjejbCE7rpGcUFJC1SjCYl240Qo

To claim this, I am signing this object:

### Keybase proof
I hereby claim:
* I am automine on github.
* I am automine (https://keybase.io/automine) on keybase.
* I have a public key ASAmDeG-PDoFrJlOu7uUikMRDlxvi6D4m6k0y-xTxe0R3Qo
To claim this, I am signing this object:
<dashboard>
<label>Indexer Disk Usage</label>
<row>
<panel>
<table>
<title>Disk Usage by Indexer</title>
<search>
<query>| rest /services/server/status/partitions-space splunk_server_group=dmc_group_indexer | search mount_point=/data/* | eval usage = capacity - free
| eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server | eval splunk_server=lower(splunk_server)| table splunk_server mount_point usage capacity pct_used | sort splunk_server mount_point | addcoltotals | eval usage=round(usage/1024,2) | eval capacity=round(capacity/1024, 2) | rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
<earliest>$earliest$</earliest>