@moziauddin
Last active October 25, 2018 12:42
Splunk 7.2 Installer
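#!/bin/sh
# Splunk 7.2 helper snippets: a memory sampler for the forwarder host and the
# vendor download commands for Splunk Enterprise and the Universal Forwarder.
# NOTE: the sampler loop below never terminates, so the wget lines after it are
# only reached when the loop is removed or run separately (e.g. backgrounded).

# Where the sampler appends its lines; override with LOGFILE=... in the environment.
LOGFILE="${LOGFILE:-/opt/splunkforwarder/cscripts/mylogfile}"
# Every 2 seconds append the 'Mem:' row of free(1) (megabyte units), prefixed
# with a local-time "[YYYY-mm-dd HH:MM:SS] " stamp. The file grows without
# bound: rotate it (e.g. logrotate) if the sampler is left running.
while sleep 2; do
    free -m | grep 'Mem:' \
        | perl -pe 'use POSIX strftime; print strftime "[%Y-%m-%d %H:%M:%S] ", localtime' \
        >> "$LOGFILE"
done

# Splunk Enterprise installer (7.2.0, build 8c86330ac18, amd64 .deb).
SPLUNK_DEB=splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb
wget -O "$SPLUNK_DEB" 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.0&product=splunk&filename=splunk-7.2.0-8c86330ac18-linux-2.6-amd64.deb&wget=true'
# Optional integrity check before installing the package: set SPLUNK_DEB_SHA512
# to the SHA-512 the vendor publishes next to this download. Left unset, the
# file is not verified (the original behaviour of this script).
if [ -n "${SPLUNK_DEB_SHA512:-}" ]; then
    echo "$SPLUNK_DEB_SHA512  $SPLUNK_DEB" | sha512sum -c -
fi

# Splunk Universal Forwarder installer (same build, amd64 .deb).
SPLUNKUF_DEB=splunkforwarder-7.2.0-8c86330ac18-linux-2.6-amd64.deb
wget -O "$SPLUNKUF_DEB" 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.0&product=universalforwarder&filename=splunkforwarder-7.2.0-8c86330ac18-linux-2.6-amd64.deb&wget=true'
# Same optional check for the forwarder package (SPLUNKUF_DEB_SHA512 from the vendor page).
if [ -n "${SPLUNKUF_DEB_SHA512:-}" ]; then
    echo "$SPLUNKUF_DEB_SHA512  $SPLUNKUF_DEB" | sha512sum -c -
fi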
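# Search an index plus sourcetype and text
index="web-server1-access-log" sourcetype="access_combined_wcookie" action="purchase"
# Search for more than one text input 'action="purchase" OR action=change'
# (OR is evaluated before the implicit AND between terms; parenthesize the OR
# group when the intended grouping is not obvious to the reader)
index="web-server1-access-log" sourcetype="access_combined_wcookie" action="purchase" OR action=change
# Search for more than one text input 'action="purchase" AND action=change*'
# (a single-valued action field cannot hold both values, so this normally
# returns nothing unless action is multivalued; kept for the syntax)
index="web-server1-access-log" sourcetype="access_combined_wcookie" action="purchase" AND action=change*
# Include or Exclude Fields (a leading '-' removes the listed fields)
index="web-server1-access-log" sourcetype="access_combined_wcookie" action="purchase" OR action=change* | fields -action,categoryId
# Deduplicate the data
index="web-server1-access-log" sourcetype="access_combined_wcookie" action="purchase" | dedup categoryId
# Rename Column names the data. Always rename after dedup
index="web-server1-access-log" sourcetype="access_combined_wcookie" action="purchase" | dedup categoryId | rename categoryId AS GameType,action AS Action
# Create a Table. After the rename the fields are GameType and Action, so the
# table must use the new names (categoryId,action would come back empty)
index="web-server1-access-log" sourcetype="access_combined_wcookie" action="purchase" | dedup categoryId | rename categoryId AS GameType,action AS Action | table GameType,Action
# Search using the search keyword
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase"
# Sort in descending order
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" | dedup categoryId | rename categoryId as GameType | sort GameType desc | table GameType,action
# Another search for purchases that are successful
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do"
# Limit results to top 5 categoryIds
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do" | top limit=5 categoryId
# Limit results to top 5 categoryIds without percentage
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do" | top limit=5 categoryId showperc=false
# Limit results to top 5 categoryIds without percentage and sort by count descending
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do" | top limit=5 categoryId showperc=false | sort count desc
# Limit results to top 5 categoryIds without percentage and sort by count ascending
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do" | top limit=5 categoryId showperc=false | sort +count
# Limit results to least/rare 2 categoryIds without percentage and sort by count ascending
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do" | rare limit=2 categoryId showperc=false | sort +count
# Provide statistics of games sold by categoryId
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do" | stats count by categoryId
# Provide statistics of games sold by categoryId, sorted by categoryId in
# descending order (use 'sort -count' to order by the count column instead)
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search action="purchase" status=200 file="success.do" | stats count by categoryId | sort -categoryId
# status error is > 200 sorted by count
index="web-server1-access-log" sourcetype="access_combined_wcookie" | search status > 200 | fields categoryId,status | stats count by status | sort -count
# Return distinct count unique entries
index="web-server1-access-log" sourcetype="access_combined_wcookie" JSESSIONID="*" | stats dc(JSESSIONID) as uniqueSessions
# Search SessionId and client ip count in a table
index="web-server1-access-log" sourcetype="access_combined_wcookie" JSESSIONID="*" | stats count by JSESSIONID,clientip
# Chart example: Shows count only
index="web-server1-access-log" | chart count by categoryId
# Output:
# categoryId count
# ACCESSORIES 1376
# ARCADE 1887
# Timechart example: Trend over time
index="web-server1-access-log" | timechart count by categoryId
# Output:
# _time ACCESSORIES ARCADE SHOOTER SIMULATION SPORTS STRATEGY TEE NULL
# 2018-10-07 119 150 75 81 40 248 131 1314
# 2018-10-08 262 348 154 150 94 546 249 2659
# Regex Example:
index="ssh-host1-log" port "failed password" | rex field=_raw "\s+(?<ports>port \d+)" | top limit=5 ports
# Regex for IP address. The second rex extracts src_ip as the next
# non-space token (not validated as an IP); the pipeline still reports
# 'ports' only - change the final 'top' to src_ip to rank source addresses
index="ssh-host1-log" port "failed password" | rex field=_raw "\s+(?<ports>port \d+)" | rex field=_raw "^(\w+\s+)+(\d+\s+)+\d+:\d+:(\d+\s+)+\w+(\d+\s+)+\w+\[\d+\]:\s+(\w+\s+)+(?P<src_ip>[^ ]+)" | top limit=5 ports
# Splunk field names are case sensitive while values are not. Example below
# Wrong:
index="web-server1-access-log" Action=purchase
# Correct
index="web-server1-access-log" action=purchase
# Transactions: Get actions by a customer on a website with eval to convert time to string.
# Sort on the numeric duration before tostring() turns it into text, so the
# order stays numeric even if maxspan is raised beyond what a text sort handles
index="web-server1-access-log" | transaction clientip maxspan=30m maxpause=5s | sort -duration | eval duration=tostring(duration,"duration") | table clientip,duration,action
# Simple example of Transaction by clientip
index="web-server1-access-log" | transaction clientip maxspan=30m maxpause=5s
# Failed Logins by source ip
index="ssh-host1-log" | transaction source_ip maxspan=30m maxpause=5s | table source_ip,duration | sort -duration
# Use eval to write a function
index="web-server1-access-log" | eval error = if(status == 200, "ok", "issue") | stats count by error
# Lookups
index="web-server1-access-log" | lookup web-server-products ID AS productId OUTPUT Name as gamename,Developer AS dev | stats count by gamename,dev
# Audit Log - Failed Login attempts :: Also save search as ALERT for >10 failed results
# (user=splunk restricts this to one account; drop it to alert on failed logins for any user)
index=_audit user=splunk action="login attempt" result="failed"
# Timechart
index="web-server1-access-log" action="purchase" status!=200 | timechart count by action
# Chart (PIE)
index="web-server1-access-log" action="*" status!=200 | chart count by action
# Download Splunk Dashboard Examples from https://splunkbase.splunk.com/app/1603/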