I hereby claim:
- I am automine on github.
- I am automine (https://keybase.io/automine) on keybase.
- I have a public key ASBsDDTfSgZw2aFLr6eiXjejbCE7rpGcUFJC1SjCYl240Qo
To claim this, I am signing this object:
version: '3'
services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:7.1.2
    environment:
      # seed password is committed in plain text here; change it after first start
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123
      SPLUNK_USER: root
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
version: '3'
services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:7.0.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:
### Keybase proof
I hereby claim:
* I am automine on github.
* I am automine (https://keybase.io/automine) on keybase.
* I have a public key ASAmDeG-PDoFrJlOu7uUikMRDlxvi6D4m6k0y-xTxe0R3Qo
To claim this, I am signing this object:
version: '3'
services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:6.6.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:
<dashboard>
  <label>Indexer Disk Usage</label>
  <row>
    <panel>
      <table>
        <title>Disk Usage by Indexer</title>
        <search>
          <query>| rest /services/server/status/partitions-space splunk_server_group=dmc_group_indexer | search mount_point=/data/* | eval usage = capacity - free
| eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server | eval splunk_server=lower(splunk_server) | table splunk_server mount_point usage capacity pct_used | sort splunk_server mount_point | addcoltotals | eval usage=round(usage/1024,2) | eval capacity=round(capacity/1024, 2) | rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
          <earliest>$earliest$</earliest>
[host::10.200.12.115]
TRANSFORMS-rewrite_windows_security = rewrite_windows_security
| rest servicesNS/-/-/data/models splunk_server_group=dmc_group_search_head
| search acceleration="1"
| table title eai:appName eai:userName splunk_server
| rename eai:appName AS name | eval myDatamodel="DM_" . name . "_" . title
| map maxsearches=50 search="|rest /servicesNS/nobody/-/admin/summarization/tstats:$$myDatamodel$$ splunk_server=$$splunk_server$$" | table eai:acl.app, summary.id, summary.size, summary.time_range, splunk_server | rename summary.time_range as retention_period eai:acl.app as app summary.size as size summary.id as datamodel | eval sizeGB=round(size/1024/1024/1024,2) | eval retention_period = retention_period/86400 | fields - size | lookup dmc_assets serverName AS splunk_server OUTPUT search_group | rex field=search_group "dmc_searchheadclustergroup_(?<cluster_guid>.*)" | eval search_head_cluster=coalesce(cluster_guid, splunk_server) | stats values(splunk_server) AS splunk_servers values(sizeGB) as sizeGB values(app) AS app values(search_group) AS search_groups values(retention_period) A
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# drop directory-object access events unless the object is a Group Policy container
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
# drop process creation/termination events for Splunk's own binaries to cut noise
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"