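| rest splunk_server=* /services/server/status/resource-usage/hostwide ```Host-wide resource usage from every Splunk server the REST call reaches.```
| eval "% Memory Used"=round(mem_used/mem*100, 2) ```Scale to a percentage before rounding, so the displayed value stays at two decimals without floating-point residue.```
| table splunk_server "% Memory Used"
| rename splunk_server AS "Splunk Server"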
```Lists DNS names found in NetScaler syslog events containing the term DNS, with the event date/time and a source value.
The rex is positional: after leading whitespace it captures date up to the first colon and time up to the next whitespace, skips three colon-terminated segments, captures source_ip as a run of non-'#' characters, skips eight slash-terminated segments and a number, then captures the name between '#' and a trailing "./".
Events that do not fit this layout typically produce empty columns rather than an error, so re-validate the pattern against sample events after a log-format change.
The "(?#)" inside the dns group is an empty regex comment and has no effect on matching.```
sourcetype="citrix:netscaler:syslog" DNS | rex field=_raw "^\s+(?<date>[^:]+):(?<time>[^\s]+)(?:[^:\n]*:){3}(?<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)" | eval date=date." ".time | table date, source_ip, dns | rename date as Date, source_ip as Source, dns as DNS
index=_internal sourcetype=splunk_web_access host=* user=* ```Splunk Web access-log events that carry both a host and a user value.```
| rex field=uri_path ".*/(?<title>[^/]*)$" ```The last path segment of the requested URI becomes the candidate view name.```
| join title
    [| rest /servicesNS/-/-/data/ui/views splunk_server=*
     | search isDashboard=1 isVisible=1
     | rename eai:acl.app AS app
     | fields title app ] ```Keeps only requests whose last segment equals the title of a visible dashboard, and supplies the owning app.```
| rename title AS dashboard
| stats count BY _time user dashboard app host ```_time is not bucketed here, so rows are grouped per event timestamp.```
| rename user AS User, dashboard AS Dashboard, app AS App, host AS Host, count AS Count
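sourcetype=osx_secure ```Failed macOS authentications counted per user and host, most frequent first.```
| rex field=_raw "authinternal\sfailed\sto\sauthenticate\suser\s(?<user>\S+)" ```The pattern spells "failed": the misspelling "faile" followed by whitespace cannot match a message reading "failed to authenticate", which leaves user unset and the report silently empty. Confirm the wording against a sample event.```
| stats count by user, host
| sort - count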
sourcetype=osx_secure ```Successful macOS authentications counted per user and host, most frequent first.```
| rex "authinternal\sauthenticated\suser\s(?<user>\S+)" ```rex reads _raw when no field is named.```
| stats count BY user host
| sort -count
sourcetype="postfix_syslog" status="sent" ```Postfix syslog events with status=sent.```
| timechart span=1d count ```One count per one-day bucket.```
sourcetype="linux_secure" tag="authentication" action="failure" ```Failed authentication events. The tag is a search-time knowledge object and action is presumably an add-on extraction, so an empty result may mean missing configuration rather than no failures.```
| stats count BY user ```user values on failed logons can include a password typed at the username prompt; treat the output as sensitive.```
| sort -count ```Highest failure counts first; sort keeps at most 10000 rows by default.```
sourcetype="linux_secure" tag="authentication" action="success" ```Successful authentication events.```
| timechart count BY src ```One series per source; by default timechart keeps the top 10 series and groups the rest under OTHER.```
sourcetype="linux_secure" tag="authentication" action="success" ```Successful authentication events.```
| stats values(user) AS user, count BY src ```Distinct users and total successful logons for each source.```