Difference between revisions of "Splunk"

From neil.tappsville.com
==Training==

https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html

==Search==

Match value (.*) after "want:" and turn it into a field (field_name)

<pre> | rex field=_raw "some text before what we want:(?<field_name>.*)"  </pre>

Match where the field is NULL (the field is absent from the event)

<pre>NOT field=*</pre>

Visualizations

<pre>blah | timechart count by fieldname </pre>

Fill nulls with zero

<pre>index=main startdaysago=10 | timechart span=1d count |fillnull</pre>

Note that when exporting via the API, if there is no data for a day, instead of getting a zero as you would expect you will get 'None'. To work around this, before the final stats command, append the following

<pre>
|  append [search index=_telemetry  | eval myval="0" | table _time,myval]  `comment("fillnull doesn't work on single dates that don't have logs for that day")`
</pre>

Remember to grant the API users access to the _telemetry index (chosen only because it has exactly one entry per day (Splunk licence usage)).
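The same "every day gets an explicit zero" fix can also be applied on the client side, after the export. This is an added example, not code from the original page: the rows are constructed, and the row shape (an `_time` ISO string plus a `count` value that may come back as None) is an assumption about what the timechart export returns.

```python
# Added example, not from the original wiki page: client-side version of the
# "fill nulls" workaround for a `timechart span=1d count` pulled via the API,
# where a day with no events may arrive with count None (or be missing).
from datetime import date, datetime, timedelta

# Constructed sample export: 2024-03-02 has count None, 2024-03-03 is absent.
SAMPLE_EXPORT = [
    {"_time": "2024-03-01T00:00:00.000+00:00", "count": "12"},
    {"_time": "2024-03-02T00:00:00.000+00:00", "count": None},
    {"_time": "2024-03-04T00:00:00.000+00:00", "count": "7"},
]


def _row_day(row):
    """Calendar day of a Splunk _time value (ISO 8601 with UTC offset)."""
    return datetime.fromisoformat(row["_time"]).date()


def backfill_daily_counts(rows, start, end, field="count"):
    """Return {"YYYY-MM-DD": int} for every day in [start, end].

    None, "" and the literal string "None" count as 0, and days that never
    appear in the export are inserted with 0, mirroring what the
    `append [search index=_telemetry ...]` trick achieves inside Splunk.
    """
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    counts = {}
    for row in rows:
        value = row.get(field)
        counts[_row_day(row)] = int(value) if value not in (None, "", "None") else 0
    day = first
    while day <= last:
        counts.setdefault(day, 0)  # fill the gap days with an explicit zero
        day += timedelta(days=1)
    return {d.isoformat(): n for d, n in sorted(counts.items())}


if __name__ == "__main__":
    for day, n in backfill_daily_counts(SAMPLE_EXPORT, "2024-03-01", "2024-03-04").items():
        print(day, n)
```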

Group results into 1 hour chunks

<pre> | timechart span=1h count(field_name) by field_name </pre>

Group by hour of day

<pre> | eval eventHour=strftime(_time,"%H") | stats count by  eventHour </pre>

Export RAW logs

<pre>host=<host_name> | table _raw | outputcsv rawdump.csv</pre>

Then download as csv

Count of matching field

<pre>
host=* initial_search
| stats count(eval(_raw  like "%findx%")) as failed, count(eval(_raw  like "%findy%")) as success by ipaddress
</pre>

Comments

<pre>
host="*-blah"  cmd=login
NOT field=192.168.0.0/24 `comment("NOT xyz")`
NOT field=192.168.10.0/24 `comment("NOT abc")`
| fields field_one, device_ip, field_server
| dedup field_one, device_ip, field_server
</pre>

== Transactions ==

<pre>eventtype=jbgp_state_change | transaction host,jbgp_state_instance,jbgp_state_peer startswith=(eventtype=jbgp_state_down) endswith=(eventtype=jbgp_state_up) keepevicted=true</pre>
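To make the effect of keepevicted=true visible, here is an added Python model of what the transaction search above does (example code, not from the original page or from Splunk): the events are constructed, and the output field names start, end, duration and closed_txn mirror the fields Splunk's transaction command produces.

```python
# Added example (not from the original wiki page): a plain-Python model of the
# transaction search above. Events are grouped by host/instance/peer; a
# jbgp_state_down opens a transaction and the next jbgp_state_up for the same
# key closes it. keepevicted=true also outputs transactions that never saw the
# closing event (closed_txn=0), i.e. the "peer is still down" case.

KEY_FIELDS = ("host", "jbgp_state_instance", "jbgp_state_peer")


def _ev(t, host, peer, state, instance="master"):
    """Build one constructed BGP state-change event (not real router output)."""
    return {"_time": t, "host": host, "jbgp_state_instance": instance,
            "jbgp_state_peer": peer, "eventtype": "jbgp_state_" + state}


# Constructed sample: r1's peer goes down and recovers (closed), r2's peer goes
# down and never recovers, then r1's peer goes down again (both left open).
SAMPLE_EVENTS = [
    _ev(100, "r1", "10.0.0.2", "down"),
    _ev(160, "r1", "10.0.0.2", "up"),
    _ev(200, "r2", "10.0.0.9", "down"),
    _ev(250, "r1", "10.0.0.2", "down"),
]


def bgp_transactions(events, keepevicted=True):
    """Return transactions as dicts with start, end, duration and closed_txn.

    The model ignores Splunk's maxspan/maxpause/maxevents eviction and only
    evicts when a new 'down' arrives for an open key or the input runs out.
    """
    open_txns, done = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[f] for f in KEY_FIELDS)
        if ev["eventtype"] == "jbgp_state_down":
            # A second 'down' before any 'up' evicts the still-open transaction.
            if key in open_txns and keepevicted:
                done.append(open_txns[key])
            open_txns[key] = dict(zip(KEY_FIELDS, key), start=ev["_time"], end=None,
                                  duration=None, closed_txn=0)
        elif ev["eventtype"] == "jbgp_state_up" and key in open_txns:
            txn = open_txns.pop(key)
            txn.update(end=ev["_time"], duration=ev["_time"] - txn["start"], closed_txn=1)
            done.append(txn)
    if keepevicted:  # transactions still open at the end are kept, not dropped
        done.extend(open_txns.values())
    return done
```

With keepevicted=False the two unrecovered outages disappear from the output entirely, which is why the page's search keeps them.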

==Transforming Commands==

<pre>
| top [field field2] limit=0 showperc=False countfield="Renamed something"
| rare [field field2] limit=0
</pre>

useother=True -- use when limit!=0 so the 'extras' beyond the limit go into a catch-all OTHER bucket

Stats - compute all the stats functions you need in a single stats command (the same pipe), since a second stats only sees the first one's output

* count
* dc (distinct count)
* sum -- stats sum(price) as "Gross Sales" by product_name
* avg, min, max
* list -- stats list(Asset) as "stuff" by Employee
* values - like list but with duplicates removed

=== IP lookup===

DNSlookup

The key for dnslookup is to put the data into a table before the lookup is called

<pre>host=*mgfw* DENY 192.168.0.1  | rex field=_raw "source-address=\"(?<sourceip>.*?)\" "  | dedup sourceip | table sourceip | lookup dnslookup clientip AS sourceip</pre>

Returns: sourceip, clienthost

<pre>blah  | lookup dnslookup clientip OUTPUT clienthost</pre>

<pre>| lookup dnslookup clientip as source_ip_field OUTPUT clienthost as output_field</pre>

===Comments===

Uses backticks

<pre>`comment("why did I add this random string to the search again?")`</pre>

==Notify about Disabled Alerts==

<pre>| rest /services/saved/searches | fields title disabled | where title like "IcareaboutX%" AND disabled=1</pre>

https://community.splunk.com/t5/Alerting/Is-there-a-way-to-audit-when-an-alert-is-changed-or-disabled/td-p/424780

==SNMP Link down==

<pre>SNMP_TRAP_LINK* NOT "\.0"  process=mib2d | table  _raw</pre>

Latest revision as of 05:25, 22 March 2024
