Masa Diagram in Mermaid

flowchart TB

    subgraph tail
        TailReader("TailReader (tailing)")
    end
@automine
automine / Master and Indexer distsearch.conf
Last active December 15, 2023 18:46
Recommended tunings for SHC
[replicationSettings]
sendRcvTimeout = 120
@automine
automine / inputs.conf
Last active September 7, 2023 11:18
Nice windows event blacklisting
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
@automine
automine / iaMasa.md
Last active April 19, 2023 11:05
Ingest Actions Flow
flowchart TD
    subgraph IDX
        TCP("TCP/UDP") -- Uncooked --> pQ
        TCP -- Cooked --> rulesetQ
        TailReader("TailReader") --> pQ
        fifo("FifoInput") --> pQ
@automine
automine / splunk_http_timeouts.md
Created December 22, 2022 18:03
Explanation of various HTTP(s) timeouts in Splunk

Original version is here; I just wanted something easier to read.

Config Default Max Recommended Purpose When to use
@automine
automine / props.conf
Last active January 12, 2023 15:02
Windows Event Clean Up in Splunk
[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g
@automine
automine / docker-compose.yml
Last active July 3, 2022 00:30
Splunk DS+MN, SH, 2xIDX, UF
version: '3'
services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:6.6.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:
@automine
automine / syslog-ng.conf
Created March 19, 2019 16:20
Template to test syslog-ng headers
template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n");
template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); };
@automine
automine / docker-compose.yml
Created September 24, 2018 15:00
Splunk 7.1 docker-compose, single instance
version: '3'
services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:7.1.2
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123
      SPLUNK_USER: root
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
@automine
automine / extended_search_reporting.xml
Last active September 11, 2020 13:32
Extended Search Reporting, v1.4, thanks to cerby on the Splunk Community Slack (dpaper@splunk.com)!
You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml