David Shpritz automine

## gist:6f4be303e0500838596f
EXTRACT-syslog_ng_message = \w{3}\s+\d+\s+\d+:\d+:\d+\s+(?<syslog_src>\S+)\s+(?<syslog_program>[^\s\[:]+)(?:[\d+])?(?:\s+|:)?(?<syslog_message>.*)

## gist:50f98c3771d103d785c332eed3068c1f
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx   | timechart span=1d sum(b) AS volumeB by st fixedrange=false  | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | fields - "stack size"

## serverclass.conf
[serverClass:IVRXML_PROD]
whitelist.0 = server1.domain.com
whitelist.1 = server2.domain.com
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
[serverClass:IVRXML_PROD:app:IVRXML_PROD]

## props.conf
#Returns most of the space savings XML would provide SEDCMD-clean_fluff_from_winsec_events_this_event
SEDCMD-0-windows-event-formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g

## props.conf
[cef_sourcetype]
KV_MODE = none
EXTRACT-cef-message = \sCEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
REPORT-cefLabelFirst = cefLabelFirst
REPORT-cefLabelSecond = cefLabelSecond
REPORT-builtInCefFields = builtInCefFields

## data model size splunk search
|rest servicesNS/-/-/data/models splunk_server_group=dmc_group_search_head
| search acceleration="1"
| table title eai:appName eai:userName splunk_server
| rename eai:appName AS name| eval myDatamodel="DM_" . name . "_" . title
|map maxsearches=50 search="|rest /servicesNS/nobody/-/admin/summarization/tstats:$$myDatamodel$$ splunk_server=$$splunk_server$$"|table eai:acl.app, summary.id, summary.size, summary.time_range, splunk_server |rename summary.time_range as retention_period eai:acl.app as app summary.size as size summary.id as datamodel|eval sizeGB=round(size/1024/1024/1024,2) | eval retention_period = retention_period/86400 |fields - size | lookup dmc_assets serverName AS splunk_server OUTPUT search_group | rex field=search_group "dmc_searchheadclustergroup_(?&lt;cluster_guid&gt;.*)" | eval search_head_cluster=coalesce(cluster_guid, splunk_server) | stats values(splunk_server) AS splunk_servers values(sizeGB) as sizeGB values(app) AS app values(search_group) AS search_groups values(retention_period) A

## props.conf
[host::10.200.12.115]
TRANSFORMS-rewrite_windows_security = rewrite_windows_security

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                automine
                / keybase.md
            
            
              Created
              October 18, 2017 18:54
            
          
    Keybase proof

I hereby claim:

I am automine on github.
I am automine (https://keybase.io/automine) on keybase.
I have a public key ASBsDDTfSgZw2aFLr6eiXjejbCE7rpGcUFJC1SjCYl240Qo

To claim this, I am signing this object:

  
## gist:7dd261b80d7c7dc9ae2b311a31a8a363
### Keybase proof

I hereby claim:

  * I am automine on github.
  * I am automine (https://keybase.io/automine) on keybase.
  * I have a public key ASAmDeG-PDoFrJlOu7uUikMRDlxvi6D4m6k0y-xTxe0R3Qo

To claim this, I am signing this object:

## indexer_disk_space.xml
<dashboard>
  <label>Indexer Disk Usage</label>
  <row>
    <panel>
      <table>
        <title>Disk Usage by Indexer</title>
        <search>
          <query>| rest  /services/server/status/partitions-space splunk_server_group=dmc_group_indexer | search mount_point=/data/* | eval usage = capacity - free
| eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server | eval splunk_server=lower(splunk_server)| table splunk_server mount_point usage capacity pct_used | sort splunk_server mount_point | addcoltotals | eval usage=round(usage/1024,2) | eval capacity=round(capacity/1024, 2) | rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
          <earliest>$earliest$</earliest>
	[serverClass:IVRXML_PROD]
	whitelist.0 = server1.domain.com
	whitelist.1 = server2.domain.com
	restartSplunkWeb = 0
	restartSplunkd = 1
	stateOnClient = enabled
	[serverClass:IVRXML_PROD:app:IVRXML_PROD]
	#Returns most of the space savings XML would provide SEDCMD-clean_fluff_from_winsec_events_this_event
	SEDCMD-0-windows-event-formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
	[cef_sourcetype]
	KV_MODE = none
	EXTRACT-cef-message = \sCEF:\d\\|(?<vendor>[^\\|]+)\\|(?<product>[^\\|]+)\\|(?<version>[^\\|]+)\\|(?<signature_id>[^\\|]+)\\|(?<signature>[^\\|]+)\\|(?<vendor_severity>[^\\|]+)\\|(?<cef_message>.*)
	REPORT-cefLabelFirst = cefLabelFirst
	REPORT-cefLabelSecond = cefLabelSecond
	REPORT-builtInCefFields = builtInCefFields
	\|rest servicesNS/-/-/data/models splunk_server_group=dmc_group_search_head
	\| search acceleration="1"
	\| table title eai:appName eai:userName splunk_server
	\| rename eai:appName AS name\| eval myDatamodel="DM_" . name . "_" . title
	\|map maxsearches=50 search="\|rest /servicesNS/nobody/-/admin/summarization/tstats:$$myDatamodel$$ splunk_server=$$splunk_server$$"\|table eai:acl.app, summary.id, summary.size, summary.time_range, splunk_server \|rename summary.time_range as retention_period eai:acl.app as app summary.size as size summary.id as datamodel\|eval sizeGB=round(size/1024/1024/1024,2) \| eval retention_period = retention_period/86400 \|fields - size \| lookup dmc_assets serverName AS splunk_server OUTPUT search_group \| rex field=search_group "dmc_searchheadclustergroup_(?<cluster_guid>.*)" \| eval search_head_cluster=coalesce(cluster_guid, splunk_server) \| stats values(splunk_server) AS splunk_servers values(sizeGB) as sizeGB values(app) AS app values(search_group) AS search_groups values(retention_period) A
	[host::10.200.12.115]
	TRANSFORMS-rewrite_windows_security = rewrite_windows_security
	### Keybase proof

	I hereby claim:

	* I am automine on github.
	* I am automine (https://keybase.io/automine) on keybase.
	* I have a public key ASAmDeG-PDoFrJlOu7uUikMRDlxvi6D4m6k0y-xTxe0R3Qo

	To claim this, I am signing this object:
	<dashboard>
	<label>Indexer Disk Usage</label>
	<row>
	<panel>
	<table>
	<title>Disk Usage by Indexer</title>
	<search>
	<query>\| rest /services/server/status/partitions-space splunk_server_group=dmc_group_indexer \| search mount_point=/data/* \| eval usage = capacity - free
	\| eval pct_usage = round(usage / capacity * 100, 2) \| stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server \| eval splunk_server=lower(splunk_server)\| table splunk_server mount_point usage capacity pct_used \| sort splunk_server mount_point \| addcoltotals \| eval usage=round(usage/1024,2) \| eval capacity=round(capacity/1024, 2) \| rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
	<earliest>$earliest$</earliest>