
Tim Hartmann tfhartmann

View splunktalk_vpn_countries.md

In this case we are looking up all successful VPN logins that are NOT from RFC 1918 address space and formatting the output in a table (note that the search as written only excludes 10.0.0.0/8, so 172.16.0.0/12 and 192.168.0.0/16 still pass through).

`vpn` action="success" NOT Calling_Station_Id=10.0.0.0/8 | rename Calling_Station_Id as src_ip | stats dc(user) as Users by src_ip, user  | geoip src_ip  | search NOT src_ip_country_code=US | rename src_ip_country_name as Country | stats dc(user) as Users by Country| sort -Users
@tfhartmann
tfhartmann / splunktalk_predict.md
Created Sep 25, 2013
Searches from Splunk Talk
View splunktalk_predict.md

This is the search we use to try to predict future Splunk throughput.

`index_usage_macro` | bucket _time span=1d | stats sum(kb) as kb by series, _time | timechart span=1d per_day(eval(kb/1024/1024)) as GB | predict upper95=High lower95=low future_timespan=180 algorithm=LLT GB as "Predicted"
View splunktalk_sasl_logins.md

Search string used to identify a user who has logged in an excessive number of times, measured against the average and standard deviation of login counts across all users.

index=os ( sourcetype=syslog OR sourcetype=postfix_syslog) sasl_method="LOGIN" | stats count(sasl_username) as usercount by sasl_username, _time | sort - usercount | eventstats avg(usercount) as avg_usercount stdev(usercount) as std_usercount |convert ctime(_time) | stats sum(usercount) as usercount by sasl_username, avg_usercount, std_usercount | where usercount>(900*avg_usercount + std_usercount)| rename avg_usercount as "Avg Count of Logins for all Users", std_usercount as "Standard Deviation of Logins for all Users", usercount as "Count of Logins"
@tfhartmann
tfhartmann / splunktalk_trackamac.md
Created Sep 25, 2013
Splunk Searches from Talk
View splunktalk_trackamac.md

I love this search: it's got a subsearch from an input file, a lookup, an eval, and a field extraction. It's got it all!

index=dhcp eventtype="dhcpd_server" NOT DHCPEXPIRE [| inputlookup mac_tracking.csv | fields mac ] | rex field=_raw "DHCP(ACK on|REQUEST for) (?<clientip>(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d)) (to|for)" | rename clientip as host | lookup huis host | eval Link="http://map.harvard.edu/?bld=".bld_root | rename  huid as HUID, mac as "MAC Address", mac_status as "Laptop Status", match_string as "Location", ip as "IP Address", src_translated_ip as "External IP Address" | transaction _time,mac| table _time, HUID, "Location", "MAC Address", "IP Address", "External IP Address","Laptop Status", Link
View splunktalk_nagios_reports.md
index=nagios (nagiosevent="SERVICE NOTIFICATION" ) OR (nagiosevent="HOST NOTIFICATION" ) ( user_id=$userid$)|lookup local=t nagios-hostgroupmembers host_name AS src_host | convert ctime(_time) as time | eval Name=coalesce(name,hostnotification) |transaction delim= src_host, nagiosevent | table time,eventcount,src_host,hostgroup,user_id,Name,reason,nagiosevent
@tfhartmann
tfhartmann / gist:7137760
Created Oct 24, 2013
Boston OpenStack Meetup notes - What's New in Havana
View gist:7137760

What's new in Havana

Networking Component - Neutron (Cisco) | January -> Zero to current knowledge

Cisco Nexus driver FireWall as a Service … waa?? FWaaS demo

View nepho_nosetests.md
from cement.core import handler, hook, foundation
from cement.utils import test
from nepho import cli
from nepho.cli.base import Nepho

class MyTestApp(Nepho):
    class Meta:
        # Load the base Nepho cement controller
        app = cli.base.Nepho()
@tfhartmann
tfhartmann / sns.py
Created Feb 12, 2014
Example script on how to publish a message to an AWS SNS topic
View sns.py
#!/opt/boxen/homebrew/bin/python
import boto.sns
import json
REGION = 'us-west-2'
TOPIC = '<ARN>'
URL = '<Body of Message in this example I used a url>'
@tfhartmann
tfhartmann / sqs.py
Created Feb 12, 2014
Example script on how to poll an AWS SQS queue and pull off messages
View sqs.py
#!/opt/boxen/homebrew/bin/python
import boto.sqs
from boto.sqs.message import RawMessage
import json
import time
import requests
REGION = 'us-west-2'
@tfhartmann
tfhartmann / package_define.pp
Created Feb 12, 2014
Puppet Definition for perl module packages
View package_define.pp
So first I create a definition in a manifest called perl_modules.pp in the root of my module like this:
define radiator::perl_modules() {
  package { "perl-$name":
    ensure => 'installed',
    before => Package['Radiator'],
  }
}
Then call the definition in packages.pp