Tim Hartmann tfhartmann

:octocat:
Being Awesome
Block or report user

Report or block tfhartmann

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
splunktalk_vpn_countries.md

In this case we are looking up all successful logins that are NOT from RFC 1918 address space and formatting the output in a table.

`vpn` action="success" NOT Calling_Station_Id=10.0.0.0/8 | rename Calling_Station_Id as src_ip | stats dc(user) as Users by src_ip, user  | geoip src_ip  | search NOT src_ip_country_code=US | rename src_ip_country_name as Country | stats dc(user) as Users by Country| sort -Users
tfhartmann / splunktalk_predict.md
Created Sep 25, 2013
Searches from Splunk Talk
splunktalk_predict.md

This is the search we use to try to predict future Splunk throughput.

`index_usage_macro` | bucket _time span=1d | stats sum(kb) as kb by series, _time | timechart span=1d per_day(eval(kb/1024/1024)) as GB | predict upper95=High lower95=low future_timespan=180 algorithm=LLT GB as "Predicted"
splunktalk_sasl_logins.md

Search string used to identify a user who has logged in an excessive number of times, measured against the average and standard deviation of login counts across all users.

index=os ( sourcetype=syslog OR sourcetype=postfix_syslog) sasl_method="LOGIN" | stats count(sasl_username) as usercount by sasl_username, _time | sort - usercount | eventstats avg(usercount) as avg_usercount stdev(usercount) as std_usercount |convert ctime(_time) | stats sum(usercount) as usercount by sasl_username, avg_usercount, std_usercount | where usercount>(900*avg_usercount + std_usercount)| rename avg_usercount as "Avg Count of Logins for all Users", std_usercount as "Standard Deviation of Logins for all Users", usercount as "Count of Logins"
tfhartmann / splunktalk_trackamac.md
Created Sep 25, 2013
Splunk Searches from Talk
splunktalk_trackamac.md

I love this search: it's got a subsearch from an input file, a lookup, an eval and a field extraction. It's got it all!

index=dhcp eventtype="dhcpd_server" NOT DHCPEXPIRE [| inputlookup mac_tracking.csv | fields mac ] | rex field=_raw "DHCP(ACK on|REQUEST for) (?<clientip>(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d)) (to|for)" | rename clientip as host | lookup huis host | eval Link="http://map.harvard.edu/?bld=".bld_root | rename  huid as HUID, mac as "MAC Address", mac_status as "Laptop Status", match_string as "Location", ip as "IP Address", src_translated_ip as "External IP Address" | transaction _time,mac| table _time, HUID, "Location", "MAC Address", "IP Address", "External IP Address","Laptop Status", Link
splunktalk_nagios_reports.md

index=nagios (nagiosevent="SERVICE NOTIFICATION" ) OR (nagiosevent="HOST NOTIFICATION" ) ( user_id=$userid$)|lookup local=t nagios-hostgroupmembers host_name AS src_host | convert ctime(_time) as time | eval Name=coalesce(name,hostnotification) |transaction delim= src_host, nagiosevent | table time,eventcount,src_host,hostgroup,user_id,Name,reason,nagiosevent
tfhartmann / gist:7137760
Created Oct 24, 2013
Boston OpenStack Meetup notes - What's New in Havana
gist:7137760

What's new in Havana

Networking Component - Neutron (Cisco) | January -> Zero to current knowledge

Cisco Nexus driver FireWall as a Service … waa?? FWaaS demo

nepho_nosetests.md

from cement.core import handler, hook, foundation
from cement.utils import test
from nepho import cli
from nepho.cli.base import Nepho

class MyTestApp(Nepho):
    class Meta:
        # Load the base Nepho cement controller
        app = cli.base.Nepho()
tfhartmann / sns.py
Created Feb 12, 2014
Example script on how to publish a message to an AWS SNS Queue
sns.py

#!//opt/boxen/homebrew/bin/python
import boto.sns
import json
REGION = 'us-west-2'
TOPIC = '<ARN>'
URL = '<Body of Message in this example I used a url>'
tfhartmann / sqs.py
Created Feb 12, 2014
Example script on how to poll a AWS SQS Queue and pull off messages
sqs.py

#!//opt/boxen/homebrew/bin/python
import boto.sqs
from boto.sqs.message import RawMessage
import json
import time
import requests
REGION = 'us-west-2'
tfhartmann / package_define.pp
Created Feb 12, 2014
Puppet Definition for perl module packages
package_define.pp

So first I create a definition in a manifest called perl_modules.pp in the root of my module like this:
define radiator::perl_modules() {
  package { "perl-$name": ensure => 'installed', before => Package['Radiator'] }
}
Then call the definition in packages.pp