David Shpritz automine
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [WinEventLog:Security] | |
| #Returns most of the space savings XML would provide | |
| SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g | |
| SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g | |
| SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g | |
| SEDCMD-clean3-blank_ipv6 = s/::ffff://g | |
| SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g | |
| SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g | |
| SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g | |
| SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [cef_sourcetype] | |
| KV_MODE = none | |
| EXTRACT-cef-message = \sCEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*) | |
| REPORT-cefLabelFirst = cefLabelFirst | |
| REPORT-cefLabelSecond = cefLabelSecond | |
| REPORT-builtInCefFields = builtInCefFields |
automine
/ props.conf
Created
October 20, 2016 16:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Returns most of the space savings XML would provide SEDCMD-clean_fluff_from_winsec_events_this_event | |
| SEDCMD-0-windows-event-formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g |
automine
/ serverclass.conf
Created
October 20, 2016 15:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [serverClass:IVRXML_PROD] | |
| whitelist.0 = server1.domain.com | |
| whitelist.1 = server2.domain.com | |
| restartSplunkWeb = 0 | |
| restartSplunkd = 1 | |
| stateOnClient = enabled | |
| [serverClass:IVRXML_PROD:app:IVRXML_PROD] |
automine
/ gist:50f98c3771d103d785c332eed3068c1f
Created
October 20, 2016 15:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by st fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] | fields - "stack size" |
automine
/ gist:6f4be303e0500838596f
Created
January 14, 2015 17:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| EXTRACT-syslog_ng_message = \w{3}\s+\d+\s+\d+:\d+:\d+\s+(?<syslog_src>\S+)\s+(?<syslog_program>[^\s\[:]+)(?:[\d+])?(?:\s+|:)?(?<syslog_message>.*) |
NewerOlder