# Flags a source that fails NTLM logons for more than 10 distinct accounts within one minute (a password-spray pattern).
sourcetype=WinEventLog:Security OR sourcetype="wineventlog:forwardedevents" EventCode=4625 Failure_Reason="Unknown user name or bad password." Logon_Process=NTLMSSP
| rex field=_raw "Account For Which Logon Failed:(?:[\r\n].*?)*?Account Name:\s+(?<Failed_Account_Name>.+)\s+"
| bucket _time span=1min
| stats count values(EventCode) AS failed_login, dc(Failed_Account_Name) AS distinct_user, values(Logon_Process) AS Logon_Process values(Caller_Process_Name) AS Caller_Process_Name by _time,src_ip,src
| where distinct_user > 10
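The same detection as a stand-alone script, added here as an example and not part of the gist: it pulls the targeted account out of constructed 4625 message text with the gist's regex logic (the Account Name after "Account For Which Logon Failed:", not the Subject's), buckets by minute and source IP, and reports sources that failed logons for more than 10 distinct accounts in one minute. The event dictionaries, IPs and account names are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Same anchor as the gist's rex: the "Account Name" that follows the
# "Account For Which Logon Failed:" block, not the Subject's account name.
ACCOUNT_RE = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:\s+(?P<account>\S+)", re.S
)

def failed_account(raw):
    """Return the targeted account from a 4625 message body, or None."""
    m = ACCOUNT_RE.search(raw)
    return m.group("account") if m else None

def minute_bucket(ts):
    """Floor a timestamp to the minute (the gist's `bucket _time span=1min`)."""
    return ts.replace(second=0, microsecond=0)

def spray_candidates(events, threshold=10):
    """Group NTLM 4625 bad-password failures by (minute, source IP) and return
    (bucket, src_ip, distinct_accounts) for sources that exceeded `threshold`
    distinct accounts in a minute; the gist's `where distinct_user > 10`."""
    seen = defaultdict(set)
    for ev in events:
        if ev["EventCode"] != 4625 or ev["Logon_Process"] != "NTLMSSP":
            continue
        if ev["Failure_Reason"] != "Unknown user name or bad password.":
            continue
        account = failed_account(ev["_raw"])
        if account is None:
            continue
        seen[(minute_bucket(ev["_time"]), ev["src_ip"])].add(account)
    return sorted(
        (bucket.isoformat(), src, len(accounts))
        for (bucket, src), accounts in seen.items()
        if len(accounts) > threshold
    )

def make_event(ts, src_ip, account, logon_process="NTLMSSP"):
    """Constructed 4625 event in the field layout the gist's search expects."""
    raw = (
        "An account failed to log on.\n"
        "Subject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n"
        "Account For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tCORP\n"
        "Failure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n"
    )
    return {
        "_time": ts, "EventCode": 4625, "src_ip": src_ip,
        "Logon_Process": logon_process,
        "Failure_Reason": "Unknown user name or bad password.", "_raw": raw,
    }

def sample_events():
    """Constructed sample: one spraying source, one single-account brute force,
    and Kerberos failures that the NTLMSSP filter must ignore."""
    base = datetime(2019, 3, 21, 16, 0, tzinfo=timezone.utc)
    events = [make_event(base.replace(second=i * 4), "192.0.2.10", f"user{i:02d}")
              for i in range(12)]
    events += [make_event(base.replace(second=i * 3), "198.51.100.5", "svc_backup")
               for i in range(15)]
    events += [make_event(base.replace(second=i), "203.0.113.7", f"krb{i}",
                          logon_process="Kerberos") for i in range(11)]
    return events

if __name__ == "__main__":
    for bucket, src, n in spray_candidates(sample_events()):
        print(f"{bucket} src_ip={src} distinct_user={n}")
```

Only the spraying source is reported: the single-account brute force from 198.51.100.5 has many failures but one distinct account, which is exactly what the `dc(Failed_Account_Name)` threshold is meant to separate from a spray.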
@faststeak
faststeak / gist:7b2cfdfef51492144ee8bd3c0ae4e375
Last active March 21, 2019 16:22
DNS Search looking for mixed case queries
index=<your dns index> NOT (query=_ldap* OR query=_gc* OR query=_kerberos* OR query=1B* OR query=Coordinator* ) | eval mixed_case=if(match(query, "[a-z][A-Z]|[A-Z][a-z]|[A-Z]\.[a-z]|[a-z]\.[A-Z]"),"true","false") | search mixed_case=true |eval norm_query=lower(query) | stats count values(query) as query values(host) as dns_servers by dest norm_query
@faststeak
faststeak / gist:cd7bb5c99fc19224e60fa6b97821a57d
Last active November 20, 2018 19:47
Splunk Search for seeing the status of replication
| rest splunk_server_group=dmc_group_cluster_master /services/cluster/master/indexes
| fields title, is_searchable, replicated_copies_tracker*, searchable_copies_tracker*, num_buckets, index_size
| rename replicated_copies_tracker.*.* as rp**, searchable_copies_tracker.*.* as sb**
| eval replicated_data_copies = ""
| foreach rp*actual_copies_per_slot [eval replicated_data_copies = replicated_data_copies." ".rp<<MATCHSTR>>actual_copies_per_slot."/".rp<<MATCHSTR>>expected_total_per_slot]
| makemv replicated_data_copies
| eval searchable_data_copies = ""
| foreach sb*actual_copies_per_slot [eval searchable_data_copies = searchable_data_copies." ".sb<<MATCHSTR>>actual_copies_per_slot."/".sb<<MATCHSTR>>expected_total_per_slot]
| makemv searchable_data_copies
| eval is_searchable = if((is_searchable == 1) or (is_searchable == "1"), "Yes", "No")
@faststeak
faststeak / .bash_profile
Last active December 15, 2018 15:26
Fix Splunk bash
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
#/etc/systemd/system/splunkd.service
# https://answers.splunk.com/answers/59662/is-there-a-systemd-unit-file-for-splunk.html
[Unit]
Description=Splunk Enterprise
After=network.target
Wants=network.target
[Service]
#Type=forking
Type=simple
@faststeak
faststeak / gist:812e99d1604fa2db9c90709d02a3117c
Created June 27, 2018 13:29
Splunk search to check app usage on an SH
index=_internal host=<your search head(s) here> app=* source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" OR source="/opt/splunk/var/log/splunk/web_access.log"
| rex "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+-\s+(?<user>\d+)"
| search NOT (user="-" OR user=<your user, if you recently visited the apps>)
| stats max(_time) as last_used dc(user) as app_user_count values(user) as user by app host
| convert ctime(last_used)
| search NOT (app=search OR app=launcher)
# I filtered my own user because I was visiting every app just before running this search.
@faststeak
faststeak / gist:a2c66f44a55014f351c408fede9c5b12
Created June 12, 2018 17:54
Splunk - Search to find host/ip pairs with DNS data
| tstats summariesonly=true allow_old_summaries=true values(DNS.answer) as ip_query from datamodel=Network_Resolution.DNS where "DNS.message_type"=RESPONSE "DNS.record_type"=A* NOT DNS.answer="unknown" AND NOT DNS.answer="127.*" AND NOT DNS.answer="*:*" AND NOT DNS.query="*._msdcs.*" by "DNS.query"
| rename DNS.query as dns
| lookup cim_corporate_web_domain_lookup domain as dns output domain as found
| search found=*
| eval dns=lower(dns)
@faststeak
faststeak / gist:1f41e8b1de20382f5423bb62194275b0
Created June 5, 2018 15:32
Splunk Search to find odd dns behavior
# This is possibly an interesting search to find dns pre-fetching and other odd dns behavior.
# Suggestion: Use the initial DNS.query="*.someplace.net" to aim at the internal network.
| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.query="*.someplace.net" NOT DNS.query="some hosts*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
| rename DNS.query as query DNS.src as src
| eval query_punct=query
| rex mode=sed field=query_punct "s/\w+//g"
| search NOT query_punct="--.-.----"
| `ut_shannon(query)`
| stats sum(ut_shannon) as ut_shannon_sum values(query) as query by src
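An added example, not part of either gist, that reimplements the mixed-case DNS check from the "mixed case queries" search together with the punctuation-skeleton and entropy filtering of this odd-DNS search, in Python instead of SPL: the same case regex, the same `s/\w+//g` skeleton, the same `_ldap`/`_gc`/`_kerberos`/`.arpa` exclusions, and a Shannon entropy function standing in for URL Toolbox's `ut_shannon`, summed per source. The sample query records, the `someplace.net` zone and the benign shapes `-...` and `--...` are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Same pattern as the gist: a case change inside a label, or across a dot.
MIXED_CASE_RE = re.compile(r"[a-z][A-Z]|[A-Z][a-z]|[A-Z]\.[a-z]|[a-z]\.[A-Z]")
# Service-discovery and infrastructure names both gists exclude up front.
NOISE_PREFIXES = ("_ldap", "_gc", "_kerberos", "1B", "Coordinator")

def is_noise(query):
    """True for AD service records and reverse-lookup names."""
    return query.startswith(NOISE_PREFIXES) or query.endswith(".arpa")

def is_mixed_case(query):
    return MIXED_CASE_RE.search(query) is not None

def punct_shape(query):
    """The gist's `rex mode=sed "s/\\w+//g"`: drop every run of word characters
    and keep only the punctuation skeleton of the name."""
    return re.sub(r"\w+", "", query)

def shannon(s):
    """Shannon entropy in bits per character (what ut_shannon reports)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def summarize(records, benign_shapes=("-...", "--...")):
    """records: iterable of (src, query).
    Returns (per_src, mixed_case): per_src maps a source to its entropy sum and
    the queries that survived the noise and benign-shape filters; mixed_case maps
    a lowercased name to the mixed-case spellings seen for it."""
    per_src = defaultdict(lambda: {"ut_shannon_sum": 0.0, "query": []})
    mixed_case = defaultdict(list)
    for src, query in records:
        if is_noise(query):
            continue
        if is_mixed_case(query):
            mixed_case[query.lower()].append(query)
        if punct_shape(query) in benign_shapes:
            continue  # ordinary host-01.site.zone shaped name, nothing to score
        per_src[src]["ut_shannon_sum"] += shannon(query)
        per_src[src]["query"].append(query)
    return dict(per_src), dict(mixed_case)

# Constructed sample records (src, query); not taken from any real resolver log.
SAMPLE_RECORDS = [
    ("10.1.1.20", "ws-0123.corp.someplace.net"),
    ("10.1.1.20", "srv-db-01.corp.someplace.net"),
    ("10.1.1.20", "_ldap._tcp.dc._msdcs.someplace.net"),
    ("10.1.1.21", "x7f3k9q2m1pz.someplace.net"),
    ("10.1.1.21", "q8zr2vk0lp5y.someplace.net"),
    ("10.1.1.22", "WwW.SomePlace.NeT"),
    ("10.1.1.22", "20.1.1.10.in-addr.arpa"),
]

if __name__ == "__main__":
    per_src, mixed = summarize(SAMPLE_RECORDS)
    for src, row in sorted(per_src.items()):
        print(f"{src} ut_shannon_sum={row['ut_shannon_sum']:.2f} query={row['query']}")
    for norm, spellings in mixed.items():
        print(f"mixed case: {norm} -> {spellings}")
```

Source 10.1.1.20 never appears in the output because all of its surviving queries have a benign skeleton; the two random-looking labels from 10.1.1.21 carry the entropy, and the 0x20-style spelling from 10.1.1.22 is reported both as a mixed-case name and as a non-benign shape.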
## Note: This search returns a row for nearly every keystroke, since the UI logs each partial search as you type it. It takes some scrolling to find the search you actually ran. When I find a better way, I'll update this.
index=_internal user=<your splunk user here> sourcetype=splunkd_ui_access search=* | eval search=urldecode(search) | stats count by user search
@faststeak
faststeak / gist:65008294c8cd0e6f6b683b9fc940e571
Created January 4, 2018 17:31
Splunk REST search for making a table of installed apps with some useful fields
| rest /services/apps/local
| search disabled=0 NOT (label="Apps Browser" OR label="splunk_httpinput" OR label="learned" OR label="framework" OR label="introspection_generator_addon" OR label="_cluster" OR label="Instrumentation" OR label="Search & Reporting" OR label="Home" OR label="Log Event Alert Action" OR label="Splunk Archiver App" OR label="Webhook Alert Action" OR label="Monitoring Console")
| stats max(version) as version values(*) as * by label
| fields label version description title details managed_by_deployment_client visible
| eval managed_by_deployment_client=case((managed_by_deployment_client==1),"Yes",(managed_by_deployment_client==0),"No")
| eval visible=case((visible==1),"Yes",(visible==0),"No")
| rename label as App version as Version title as Folder details as "Splunkbase URL" managed_by_deployment_client as "Managed by Deployment Server" visible as Visible