.bashrc file for Linux with Splunk Context
(tested on RHEL 7 & Splunk 6.6)

# Use specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ls='ls -abp --color=auto'
alias grep='grep --color=auto'

#Utility Servers
alias deps='ssh splunk@IPofDEPS'
alias lms='ssh splunk@IPofLMS'
alias cms='ssh splunk@IPofCMS'
alias dss='ssh splunk@IPofDS'
alias hfs='ssh splunk@IPofHF'

#Search Heads
alias sh1='ssh splunk@IPofSH1'
alias sh2='ssh splunk@IPofSH2'

alias idx1='ssh splunk@IPofIDX1'
alias idx2='ssh splunk@IPofIDX2'

#Splunk Specific
alias sapp='cd /opt/splunk/etc/apps/'
alias syslocal='cd /opt/splunk/etc/system/local/'
alias dapp='cd /opt/splunk/etc/deployment-apps/'
alias stail='tail -f /opt/splunk/var/log/splunk/splunkd.log'
alias staile='tail -f /opt/splunk/var/log/splunk/splunkd.log | grep -v INFO'
alias mapp='cd /opt/splunk/etc/master-apps/'
alias slapp='cd /opt/splunk/etc/slave-apps/'
alias shcapp='cd /opt/splunk/etc/shcluster/apps'
alias reload='/opt/splunk/bin/splunk reload deploy-server'
alias splkps='ps -fu splunk'
alias splknw='netstat -an | grep LISTEN'
source /opt/splunk/bin/setSplunkEnv 

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc

#Visual & Editors
export PS1='\[\033[31;1m[\u@\h]\[\033[32;1m\w\[\033[34;1m\$ \[\033[0m'
export PATH=/usr/local/bin:/usr/sbin:/usr/ucb/bin:/usr/local/sbin:$PATH
export EDITOR=vi

Find the Peak of a variable over a variable period of time over a variable in Splunk

| bucket _time span=30m
| eventstats count(field1) as "field1Count" by field2, _time
| eventstats max(field1Count) as "field1Max" by field2
| where field1Max==field1Count
| dedup field2
| table field1Count field2 _time

Let's say you have a variable - User access. Let's say you have another variable - File. Let's say I want to see the max in the last week of when a User accessed a file and what timeframe this was.

The above SPL search will break down the time frame set into 30 minute buckets (you can change span=x to what ever you'd like) and first count the amount of times a user accessed a file and the timeframe(field1count). After that it will find the max user access on each file(field1Max). We than only want to keep the event's that have max value's for access on files so we look through each event and discard fields that don't have the max value associated to them(Where field1Max==field1Count). We than get rid of events with duplicate file names(dedup filed2) - as the max will be the same on all these events and the max is the only value we care about. Finally we present a table with the values.


Redirect unwanted countries or unwanted IP's when hitting your website in JavaScript

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"</script>

var blackList = ["", "IP2", "IP N"],
 captureIP = $.getJSON('//ipapi.co/json', function(data) {
       cacheIP = data.ip,
       cacheCountry = data.country;
 if ((($.inArray(cacheIP, blackList) !== -1) || (cacheCountry == "COUNTRY CODE")) && (window.location.pathname != 'REDIRECT'))

I was getting unwanted visitors hitting my website. I had two use cases I wanted to fulfil:

  1. Block visitors by IP
  2. Block visitors by Country

Well Squarespace - the provider I use unfortunately does not have anything built in to do this. So I scoured the internet and also came up short. So I architected my own solution using a solution I found for just use case 1

Instead of using the ipify api - which would just tell me the ip via reverse look-up, I used the ipapi.co api which provides more details such as country and location. 

The above code is written in JQuery and is injected to every page of saanjeith.com. It looks initially to see if the IP of the user is included within the banned array(Variable Blacklist) and than it checks to see if the Country of that IP is equivalent to one or more Country Codes I've hardcoded as malicious(Variable CacheCountry).

The final change I made was instead of redirecting to an external site - I made a redirect to an internal page letting the users know that they will always be redirected(Value of Window.location.replace). As the code is injected on every page - I did not want another redirection if it hit the redirection page or it would be stuck in an infinite loop so I created a condition to mitigate this behaviour (Value of window.location.pathname).


Get the longest running Host & the Average of all hosts in Splunk

| timechart avg(duration) by host
| appendcols
 [search index=test
 | timechart avg(duration) as "Avg Duration",count(_raw) as "# of Events"]
| table _time, "Avg Duration", "# of Events", 
 [search index=test
 | chart avg(duration) by host
 | sort -avg(duration)
 | head 1
 | return $host]

To get the worst performing host and the average of all hosts in Splunk is not as straightforward as one would think. It requires 1 search, with 2 sub searches in it, so it is an expensive transaction!

So what we are doing is:

1) Get the average duration of all the hosts separately
2) Get the average duration of all the hosts as a total average
3) Find which host has the highest avg(duration) and return that name. The results from #1) will remove all the other hosts and only leave the one with the highest average duration.


Execute a command recursively within a Directory In Unix

for d in $Directory
 for f in $FILES
 echo "Processing $f file..."
 # take action on each file.

---> /a/b/file-1 ---> /a/b/file-2 ---> /a/b/file-3
---> /a/c/file-1 ---> /a/c/file-2 ---> /a/c/file-3

Executing a script in directory A - and want all the files in the directories b & c to be executed by a particular action - it will go through each directory or in this case b & c (variable $d) and take an action on each file or in this case file-1, file-2, file-3 (variable $f).