#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

Splunk home use mad lib

breeves_splunk
Splunk Employee

Splunkers,

Please have fun filling out the mad lib below and vote up your favorite responses.

At home, I'm collecting _____________________ with Splunk installed on a _____________________ . This data I'm collecting is from _____________________ and it has _____________________ in it. My hope is to _____________________ . But right now I have it _____________________ . The search I use is _____________________ . A link to some screenshots is _____________________ . It's gonna be so cool when I have it do _____________________ .

Happy Splunking!

--BReeves


kfeagans_splunk
Splunk Employee

At home, I'm collecting Router/FW/WAP data with Splunk installed on a Linux Guest VM (ESXi environment). This data I'm collecting is from Tomato Firmware (Shibby) and it has SNMP & Syslog data in it. My hope is to gain a better understanding of utilization trends and see when there is an abnormal amount of denied traffic. But right now I have it capturing firewall accepts and drops, bandwidth utilization, and other statistics.

One of the searches I use (for the syslog data) is FW Drops by Foreign Country:

index=syslog inbound_interface=vlan2 action=DROP
| iplocation SRC
| where Country!="United States"
| stats count AS "FW Drop Count" by Country
| table Country,"FW Drop Count"
| sort - "FW Drop Count" limit=10

Another search, for the SNMP data, is WAN In/Out KB:

index=snmp sourcetype=snmptable
| multikv
| search ifPhysAddress="60:a4:4c:39:8d:f1"
| streamstats current=f last(ifInOctets) as lastifInOctets, last(ifOutOctets) as lastifOutOctets
| eval time=_time
| eval In_Thruput_KB = (lastifInOctets-ifInOctets)/1024
| eval Out_Thruput_KB = (lastifOutOctets-ifOutOctets)/1024
| eval In_Thruput_KB = if(In_Thruput_KB<0,0,In_Thruput_KB)
| eval Out_Thruput_KB = if(Out_Thruput_KB<0,0,Out_Thruput_KB)
| timechart eval(sum(In_Thruput_KB)/dc(time)) as "KB In" eval(sum(Out_Thruput_KB)/dc(time)) as "KB Out"

It's gonna be so cool when I have it do DNS lookups, workflows, and some cool alerting.

Screenshots can be found here on Google Drive.

Happy Splunking!
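The WAN In/Out search above works from ifInOctets/ifOutOctets, which are IF-MIB Counter32 objects: they climb until 2^32 and then wrap to zero, and they also restart from zero when the router reboots. The search handles a negative difference by clamping it to 0, which drops that interval. Here is an added Python example (not kfeagans_splunk's code, and not from Splunk or the Tomato project) that does the same per-interval KB calculation but corrects a counter wrap and uses sysUpTime to recognise a reboot. The poll samples and the 32-bit wrap width are constructed for the example.

```python
"""Per-interval WAN throughput from SNMP IF-MIB octet counters (constructed example)."""

COUNTER32_WRAP = 2 ** 32  # ifInOctets / ifOutOctets are Counter32 objects

# Constructed poll samples, oldest first:
# (epoch seconds, sysUpTime in TimeTicks, ifInOctets, ifOutOctets).
# The third poll shows ifInOctets wrapping past 2^32; the fourth shows a
# router reboot (sysUpTime goes backwards and both counters restart).
SAMPLES = [
    (1381000000, 100000, 4294000000, 1000000),
    (1381000060, 106000, 4294900000, 1500000),
    (1381000120, 112000,     300000, 2100000),
    (1381000180,   3000,    1200000,  200000),
]


def counter_delta(prev, cur, wrap=COUNTER32_WRAP):
    """Octets transferred between two Counter32 readings.

    A negative raw difference means the counter passed its maximum, so the
    wrap width is added back. Interfaces exposing Counter64 (ifHCInOctets)
    would pass wrap=2**64 instead.
    """
    delta = cur - prev
    if delta < 0:
        delta += wrap
    return delta


def throughput_kb(samples, wrap=COUNTER32_WRAP):
    """Return one row per polling interval with KB in/out and a status flag.

    A sysUpTime that goes backwards means the device restarted; the counters
    restarted from zero at an unknown moment inside the interval, so that
    interval is reported as 'reset' with no throughput figure instead of a
    bogus value. A plain wrap is corrected and flagged as 'wrapped'.
    """
    rows = []
    for (t0, up0, in0, out0), (t1, up1, in1, out1) in zip(samples, samples[1:]):
        if up1 < up0:
            rows.append({"time": t1, "in_kb": None, "out_kb": None, "status": "reset"})
            continue
        status = "wrapped" if (in1 < in0 or out1 < out0) else "ok"
        rows.append({
            "time": t1,
            "in_kb": counter_delta(in0, in1, wrap) / 1024,
            "out_kb": counter_delta(out0, out1, wrap) / 1024,
            "status": status,
        })
    return rows


if __name__ == "__main__":
    for row in throughput_kb(SAMPLES):
        print(row)
```

Dividing the per-interval KB by the interval length gives a KB/s rate; the example keeps the KB-per-poll figure the search charts. Polling the high-capacity ifHCInOctets/ifHCOutOctets counters, where the firmware exposes them, makes wraps rare on busy links.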

Heff
Splunk Employee

At home, I'm collecting firewall data with Splunk installed on an ESX server. This data I'm collecting is from Sonic and it has packet captures in it. My hope is to use the free version of NetWitness and use that for packet inspection. But right now I have it just capturing firewall traffic. The search I use is looking at all the images that anyone (kids) download. A link to some screenshots is unavailable. It's gonna be so cool when I have Splunk alerting on the kids wasting time and not doing homework.

Dimitri_McKay
Splunk Employee

At home, I'm collecting frogs with Splunk installed on a raspberry pi. This data I'm collecting is from a playstation camera and it has Maverick in it. My hope is to confuse and annoy him. But right now I have it hiding under his credenza. The search I use is prompted by a frog chirping sound. A link to some screenshots is nowhere to be found. It's gonna be so cool when I have it do automatic uploads to a blog of Maverick dolling around his office trying to find me.

Happy Splunking!

0 Karma

maverick
Splunk Employee

At home, I'm splunking and analyzing winning Texas lottery numbers with Splunk installed on my macbook pro. I downloaded a csv file from the Texas Lotto page which contains the winning numbers for the past ten years. My hope is to determine which numbers are most likely to be selected as the winning numbers during the next lotto game.

This is a sample of the data:

Sat, Oct 5 2013, 5, 10, 31, 32, 34, 44
Wed, Oct 2 2013, 5, 13, 21, 26, 44, 45
Sat, Sep 28 2013, 2, 9, 13, 23, 31, 46
Wed, Sep 25 2013, 15, 20, 39, 41, 44, 50
Sat, Sep 21 2013, 3, 7, 8, 21, 31, 36
Wed, Sep 18 2013, 16, 27, 34, 42, 44, 46
Sat, Sep 14 2013, 7, 8, 22, 35, 37, 52
Wed, Sep 11 2013, 7, 10, 21, 25, 38, 42
Sat, Sep 7 2013, 7, 13, 24, 36, 42, 53
Wed, Sep 4 2013, 3, 13, 15, 20, 38, 50

The search I use looks like this:

| set intersect 
  [ | set diff 
    [search sourcetype="lotto" (month=10 year=2013) 
    | rex max_match=6 ",\s*(?<aaa>((?!(.*?,){6})\d+))" 
    | eventstats values(aaa) as aaa 
    | dedup aaa| mvexpand aaa
    | table aaa
    ] 
    [ search sourcetype="lotto" 
    | eval aaa = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54"
    | makemv delim=" " aaa 
    | mvexpand aaa
    | table aaa] | dedup aaa
    ] 
   [search sourcetype="lotto" (NOT month=10 year=2013) 
   | rex max_match=6 ",\s*(?<aaa>((?!(.*?,){6})\d+))" 
   | stats count by aaa 
   | sort - count  
   | head 10 
   | table aaa
   ] 
| rename aaa as "numbers picked THE MOST in all months in 2013, except for this month"

I'm basically finding all the numbers that were NEVER picked this month and yet were picked THE MOST throughout the rest of the year. Odds suggest that these are the numbers most likely to be picked this month. Of course, some say it does not matter. Oh well, it was fun trying to figure out this search anyway. Good practice.

Another thing I do is actually use Splunk as a Quick Pick generator.

Here is my search that does my quick pick for me:

* | eval aaa = round((random()/random())*100) 
  | search aaa>0 aaa<55 
  | dedup aaa 
  | table aaa 
  | head 6 
  | stats list(aaa) as aaa 
  | eval aaa = mvjoin(aaa," ") 
  | rename aaa as "Quick Pick"

Anyway, it's gonna be so cool when I WIN the lottery and can say that Splunk helped me do it.
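For anyone who wants to check the set logic of the two searches above outside Splunk, here is an added Python example (not maverick's code, and not a Splunk feature). It parses the sample rows quoted in the post, builds the same three sets the SPL builds (balls never drawn in the chosen month, the 1..54 pool, and the ten most-drawn balls in every other month), intersects them, and also produces a quick pick. The draw rows are the ones shown in the post, the 1..54 pool is the one the search enumerates, and one assumption is added: ties at the top-10 cutoff are broken by lower ball number, since `sort - count | head 10` leaves the tie order unspecified.

```python
"""Lottery-number set logic from draw history (constructed example)."""
from collections import Counter
import random

POOL = range(1, 55)  # the 1..54 ball range the search enumerates

# The draw rows quoted in the post, kept in their original text form.
RAW_DRAWS = """\
Sat, Oct 5 2013, 5, 10, 31, 32, 34, 44
Wed, Oct 2 2013, 5, 13, 21, 26, 44, 45
Sat, Sep 28 2013, 2, 9, 13, 23, 31, 46
Wed, Sep 25 2013, 15, 20, 39, 41, 44, 50
Sat, Sep 21 2013, 3, 7, 8, 21, 31, 36
Wed, Sep 18 2013, 16, 27, 34, 42, 44, 46
Sat, Sep 14 2013, 7, 8, 22, 35, 37, 52
Wed, Sep 11 2013, 7, 10, 21, 25, 38, 42
Sat, Sep 7 2013, 7, 13, 24, 36, 42, 53
Wed, Sep 4 2013, 3, 13, 15, 20, 38, 50
"""

MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_draws(text):
    """Turn 'Sat, Oct 5 2013, 5, 10, ...' rows into (year, month, day, numbers)."""
    draws = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        month_name, day, year = fields[1].split()
        numbers = tuple(int(n) for n in fields[2:])
        if len(numbers) != 6:
            raise ValueError(f"expected six numbers in row: {line!r}")
        draws.append((int(year), MONTHS[month_name], int(day), numbers))
    return draws


def candidates(draws, year, month, top_n=10):
    """Balls never drawn in (year, month) that rank in the top_n elsewhere.

    Mirrors the SPL: set diff of the pool against this month's draws,
    intersected with the top_n most frequent balls in all other draws.
    Assumption: ties at the cutoff are broken by lower ball number.
    """
    this_month = {n for y, m, _, nums in draws if (y, m) == (year, month) for n in nums}
    never_this_month = set(POOL) - this_month
    counts = Counter(n for y, m, _, nums in draws if (y, m) != (year, month) for n in nums)
    ranked = sorted(counts, key=lambda n: (-counts[n], n))
    return sorted(never_this_month & set(ranked[:top_n]))


def quick_pick(seed=None):
    """Six distinct balls from the pool, drawn uniformly without replacement."""
    rng = random.Random(seed)
    return sorted(rng.sample(POOL, 6))


if __name__ == "__main__":
    draws = parse_draws(RAW_DRAWS)
    print("candidates for Oct 2013:", candidates(draws, 2013, 10))
    print("quick pick:", quick_pick())
```

`random.sample` draws each of the six balls uniformly without replacement, which is the property a quick pick needs; a ratio of two random integers scaled to 1..54, by contrast, is not uniformly distributed over that range, so some balls come up far more often than others.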

araitz
Splunk Employee

But have you mapped Splunk's "predictions" against previous winning numbers to see if it has correctly picked any in the past? 😛

0 Karma

breeves_splunk
Splunk Employee

Awesome!! I love it. Thanks for responding.

0 Karma