Skip to content

Instantly share code, notes, and snippets.

View gist:6f4be303e0500838596f
EXTRACT-syslog_ng_message = \w{3}\s+\d+\s+\d+:\d+:\d+\s+(?<syslog_src>\S+)\s+(?<syslog_program>[^\s\[:]+)(?:[\d+])?(?:\s+|:)?(?<syslog_message>.*)
View gist:50f98c3771d103d785c332eed3068c1f
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by st fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | fields - "stack size"
View serverclass.conf
whitelist.0 =
whitelist.1 =
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
View props.conf
#Returns most of the space savings XML would provide SEDCMD-clean_fluff_from_winsec_events_this_event
SEDCMD-0-windows-event-formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
automine / props.conf
Last active June 7, 2017 19:05
fun with CEF
View props.conf
KV_MODE = none
EXTRACT-cef-message = \sCEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
REPORT-cefLabelFirst = cefLabelFirst
REPORT-cefLabelSecond = cefLabelSecond
REPORT-builtInCefFields = builtInCefFields
View data model size splunk search
View props.conf
TRANSFORMS-rewrite_windows_security = rewrite_windows_security

Keybase proof

I hereby claim:

  • I am automine on github.
  • I am automine ( on keybase.
  • I have a public key ASBsDDTfSgZw2aFLr6eiXjejbCE7rpGcUFJC1SjCYl240Qo

To claim this, I am signing this object:

View gist:7dd261b80d7c7dc9ae2b311a31a8a363
### Keybase proof
I hereby claim:
* I am automine on github.
* I am automine ( on keybase.
* I have a public key ASAmDeG-PDoFrJlOu7uUikMRDlxvi6D4m6k0y-xTxe0R3Qo
To claim this, I am signing this object:
View indexer_disk_space.xml
<label>Indexer Disk Usage</label>
<title>Disk Usage by Indexer</title>
<query>| rest /services/server/status/partitions-space splunk_server_group=dmc_group_indexer | search mount_point=/data/* | eval usage = capacity - free
| eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server | eval splunk_server=lower(splunk_server)| table splunk_server mount_point usage capacity pct_used | sort splunk_server mount_point | addcoltotals | eval usage=round(usage/1024,2) | eval capacity=round(capacity/1024, 2) | rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>