David Shpritz automine

## docker-compose.yml
version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:7.1.2
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123
      SPLUNK_USER: root
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'

## docker-compose.yml
version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:7.0.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:

## gist:7dd261b80d7c7dc9ae2b311a31a8a363
### Keybase proof

I hereby claim:

  * I am automine on github.
  * I am automine (https://keybase.io/automine) on keybase.
  * I have a public key ASAmDeG-PDoFrJlOu7uUikMRDlxvi6D4m6k0y-xTxe0R3Qo

To claim this, I am signing this object:

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                automine
                / keybase.md
            
            
              Created
              October 18, 2017 18:54
            
          
    Keybase proof

I hereby claim:

I am automine on github.
I am automine (https://keybase.io/automine) on keybase.
I have a public key ASBsDDTfSgZw2aFLr6eiXjejbCE7rpGcUFJC1SjCYl240Qo

To claim this, I am signing this object:

  
## docker-compose.yml
version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:6.6.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:

## docker-compose.yml
version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:6.6.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:

## indexer_disk_space.xml
<dashboard>
  <label>Indexer Disk Usage</label>
  <row>
    <panel>
      <table>
        <title>Disk Usage by Indexer</title>
        <search>
          <query>| rest  /services/server/status/partitions-space splunk_server_group=dmc_group_indexer | search mount_point=/data/* | eval usage = capacity - free
| eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server | eval splunk_server=lower(splunk_server)| table splunk_server mount_point usage capacity pct_used | sort splunk_server mount_point | addcoltotals | eval usage=round(usage/1024,2) | eval capacity=round(capacity/1024, 2) | rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
          <earliest>$earliest$</earliest>

## props.conf
[host::10.200.12.115]
TRANSFORMS-rewrite_windows_security = rewrite_windows_security

## data model size splunk search
|rest servicesNS/-/-/data/models splunk_server_group=dmc_group_search_head
| search acceleration="1"
| table title eai:appName eai:userName splunk_server
| rename eai:appName AS name| eval myDatamodel="DM_" . name . "_" . title
|map maxsearches=50 search="|rest /servicesNS/nobody/-/admin/summarization/tstats:$$myDatamodel$$ splunk_server=$$splunk_server$$"|table eai:acl.app, summary.id, summary.size, summary.time_range, splunk_server |rename summary.time_range as retention_period eai:acl.app as app summary.size as size summary.id as datamodel|eval sizeGB=round(size/1024/1024/1024,2) | eval retention_period = retention_period/86400 |fields - size | lookup dmc_assets serverName AS splunk_server OUTPUT search_group | rex field=search_group "dmc_searchheadclustergroup_(?&lt;cluster_guid&gt;.*)" | eval search_head_cluster=coalesce(cluster_guid, splunk_server) | stats values(splunk_server) AS splunk_servers values(sizeGB) as sizeGB values(app) AS app values(search_group) AS search_groups values(retention_period) A

## inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
	version: '3'

	services:
	splunksh:
	hostname: splunksh
	image: splunk/splunk:7.1.2
	environment:
	SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123
	SPLUNK_USER: root
	OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
	### Keybase proof

	I hereby claim:

	* I am automine on github.
	* I am automine (https://keybase.io/automine) on keybase.
	* I have a public key ASAmDeG-PDoFrJlOu7uUikMRDlxvi6D4m6k0y-xTxe0R3Qo

	To claim this, I am signing this object:
	<dashboard>
	<label>Indexer Disk Usage</label>
	<row>
	<panel>
	<table>
	<title>Disk Usage by Indexer</title>
	<search>
	<query>\| rest /services/server/status/partitions-space splunk_server_group=dmc_group_indexer \| search mount_point=/data/* \| eval usage = capacity - free
	\| eval pct_usage = round(usage / capacity * 100, 2) \| stats first(fs_type) as fs_type first(usage) as usage first(capacity) as capacity first(pct_usage) as pct_used by mount_point, splunk_server \| eval splunk_server=lower(splunk_server)\| table splunk_server mount_point usage capacity pct_used \| sort splunk_server mount_point \| addcoltotals \| eval usage=round(usage/1024,2) \| eval capacity=round(capacity/1024, 2) \| rename usage AS "Usage (GB)" capacity AS "Capacity (GB)" splunk_server AS "Indexer" pct_used AS "Percent Used"</query>
	<earliest>$earliest$</earliest>
	[host::10.200.12.115]
	TRANSFORMS-rewrite_windows_security = rewrite_windows_security
	\|rest servicesNS/-/-/data/models splunk_server_group=dmc_group_search_head
	\| search acceleration="1"
	\| table title eai:appName eai:userName splunk_server
	\| rename eai:appName AS name\| eval myDatamodel="DM_" . name . "_" . title
	\|map maxsearches=50 search="\|rest /servicesNS/nobody/-/admin/summarization/tstats:$$myDatamodel$$ splunk_server=$$splunk_server$$"\|table eai:acl.app, summary.id, summary.size, summary.time_range, splunk_server \|rename summary.time_range as retention_period eai:acl.app as app summary.size as size summary.id as datamodel\|eval sizeGB=round(size/1024/1024/1024,2) \| eval retention_period = retention_period/86400 \|fields - size \| lookup dmc_assets serverName AS splunk_server OUTPUT search_group \| rex field=search_group "dmc_searchheadclustergroup_(?<cluster_guid>.*)" \| eval search_head_cluster=coalesce(cluster_guid, splunk_server) \| stats values(splunk_server) AS splunk_servers values(sizeGB) as sizeGB values(app) AS app values(search_group) AS search_groups values(retention_period) A
	[WinEventLog://Security]
	disabled = 0
	start_from = oldest
	current_only = 0
	evt_resolve_ad_obj = 1
	checkpointInterval = 5
	blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"