Splunk Search for AD Logons for Users that Have Escalated Privileges Copy
sourcetype=syslog sudo | stats count by user host | map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"
0 comments
Splunk Search for Extract DNS information from netscaler syslog Copy
sourcetype="citrix:netscaler:syslog" DNS | rex field=_raw "^\s+(?<date>[^:]+):(?<time>[^\s]+)(?:[^:\n]*:){3}(?<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)" | eval date=date." ".time | table date, source_ip, dns | rename date as Date, source_ip as Source, dns as DNS
0 comments
Splunk Search for Postfix messages sent over time Copy
sourcetype=postfix_syslog status=sent | timechart span=1d count
0 comments