Adjustments for Large Deployments / Best Practices

mhn-splunk/.gitignore

@@ -0,0 +1,3 @@
+local
+metadata/local.meta
+

mhn-splunk/default/data/ui/views/conpot_analytics.xml

@@ -14,7 +14,7 @@
       <chart>
         <title>Conpot Events per Hour</title>
         <search>
-          <query>source="*mhn-splunk.log*" app=conpot | timechart span=1h count</query>
+          <query>`mhn-base` app=conpot | timechart span=1h count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -47,7 +47,7 @@
       <chart>
         <title>Top Types</title>
         <search>
-          <query>source="*mhn-splunk.log*" app=conpot  | top type</query>
+          <query>`mhn-base` app=conpot  | top type</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -83,7 +83,7 @@
       <chart>
         <title>Top Attacker Countries</title>
         <search>
-          <query>source="*mhn-splunk.log*" app=conpot | iplocation src | top Country</query>
+          <query>`mhn-base` app=conpot | iplocation src | top Country</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -114,7 +114,7 @@
       <table>
         <title>Top Conpot Attackers</title>
         <search>
-          <query>source="*mhn-splunk.log*" app=conpot | top src | iplocation src | fields src, Country, count | fillnull value=unknown Country | eval DShield="DShield"</query>
+          <query>`mhn-base` app=conpot | top src | iplocation src | fields src, Country, count | fillnull value=unknown Country | eval DShield="DShield"</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -159,7 +159,7 @@
       <table>
         <title>Top Conpot Sensors</title>
         <search>
-          <query>source="*mhn-splunk.log*" app=conpot | top sensor | fields sensor, count</query>
+          <query>`mhn-base` app=conpot | top sensor | fields sensor, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -176,7 +176,7 @@
       <event>
         <title>Copot Events</title>
         <search>
-          <query>source="*mhn-splunk.log*" app=conpot</query>
+          <query>`mhn-base` app=conpot</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>

mhn-splunk/default/data/ui/views/dionaea_analytics.xml

@@ -14,7 +14,7 @@
       <chart>
         <title>Dionaea Events per Hour</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=dionaea.connections | timechart span=1h count</query>
+          <query>`mhn-base` type=dionaea.connections | timechart span=1h count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -47,7 +47,7 @@
       <table>
         <title>Top MD5s Captured</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=dionaea.capture md5=* | top md5 | fields md5, count | eval VirusTotal="VirusTotal" | eval TotalHash="TotalHash"</query>
+          <query>`mhn-base` type=dionaea.capture md5=* | top md5 | fields md5, count | eval VirusTotal="VirusTotal" | eval TotalHash="TotalHash"</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -78,7 +78,7 @@
       <table>
         <title>Top URLs Captured</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=dionaea.capture url=* | top url | fields url, count</query>
+          <query>`mhn-base` type=dionaea.capture url=* | top url | fields url, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -95,7 +95,7 @@
       <table>
         <title>Top Dionaea Attackers</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=dionaea.connections | top src |  iplocation src | fields src, Country, count | fillnull value=Unknown Country | eval DShield="DShield"</query>
+          <query>`mhn-base` type=dionaea.connections | top src |  iplocation src | fields src, Country, count | fillnull value=Unknown Country | eval DShield="DShield"</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -140,7 +140,7 @@
       <table>
         <title>Top Ports</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=dionaea.connections | top dest_port | fields dest_port, count</query>
+          <query>`mhn-base` type=dionaea.connections | top dest_port | fields dest_port, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -155,7 +155,7 @@
       <table>
         <title>Top Sensors</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=dionaea.connections | top sensor | fields sensor, count</query>
+          <query>`mhn-base` type=dionaea.connections | top sensor | fields sensor, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -172,7 +172,7 @@
       <event>
         <title>Dionaea Events</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=dionaea.connections</query>
+          <query>`mhn-base` type=dionaea.connections</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>

mhn-splunk/default/data/ui/views/elastichoney_analytics.xml

@@ -14,7 +14,7 @@
       <chart>
         <title>Events Per Hour</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" | timechart span=1h count</query>
+          <query>`mhn-base` type="elastichoney.events" | timechart span=1h count</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>
@@ -47,7 +47,7 @@
       <map>
         <title>Global Attacks</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" | iplocation src | geostats count by src globallimit=20</query>
+          <query>`mhn-base` type="elastichoney.events" | iplocation src | geostats count by src globallimit=20</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>
@@ -69,7 +69,7 @@
       <chart>
         <title>Top Attacker Countries</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" | iplocation src | top Country</query>
+          <query>`mhn-base` type="elastichoney.events" | iplocation src | top Country</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>
@@ -103,7 +103,7 @@
       <chart>
         <title>Top Signatures</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" |  top signature | fields signature, count</query>
+          <query>`mhn-base` type="elastichoney.events" |  top signature | fields signature, count</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>
@@ -138,7 +138,7 @@
       <chart>
         <title>Top Attacker Cities</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" | iplocation src | where City!="" | top City</query>
+          <query>`mhn-base` type="elastichoney.events" | iplocation src | where City!="" | top City</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>
@@ -176,7 +176,7 @@
       <table>
         <title>Top Attackers</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" | rename event.* as * | rex field=src mode=sed s/::ffff:// | chart sparkline as Sparkline, count by src | rename src as Source | sort 10 -count</query>
+          <query>`mhn-base` type="elastichoney.events" | rename event.* as * | rex field=src mode=sed s/::ffff:// | chart sparkline as Sparkline, count by src | rename src as Source | sort 10 -count</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>
@@ -200,7 +200,7 @@
       <table>
         <title>Top Attack Payloads</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" | rex field=_raw "getRuntime\(\)\.exec\((?&lt;command&gt;.[^\)]+)" | eval decoded=urldecode(command) | top decoded | fields decoded,count</query>
+          <query>`mhn-base` type="elastichoney.events" | rex field=_raw "getRuntime\(\)\.exec\((?&lt;command&gt;.[^\)]+)" | eval decoded=urldecode(command) | top decoded | fields decoded,count</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>
@@ -215,7 +215,7 @@
       <table>
         <title>Top Sensors</title>
         <search>
-          <query>source="*mhn-splunk.log*" type="elastichoney.events" | top sensor, app | fields sensor, app, count</query>
+          <query>`mhn-base` type="elastichoney.events" | top sensor, app | fields sensor, app, count</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
         </search>

mhn-splunk/default/data/ui/views/indicators.xml

@@ -14,7 +14,7 @@
       <table>
         <title>Top MD5s Captured</title>
         <search>
-          <query>source="*mhn-splunk.log*" md5=* | top md5 limit=50 | fields md5, count | eval VirusTotal="VirusTotal" | eval TotalHash="TotalHash"</query>
+          <query>`mhn-base` md5=* | top md5 limit=50 | fields md5, count | eval VirusTotal="VirusTotal" | eval TotalHash="TotalHash"</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -45,7 +45,7 @@
       <table>
         <title>Top URLs Captured</title>
         <search>
-          <query>source="*mhn-splunk.log*" (type=dionaea.capture OR type=kippo.sessions) url=* | top url limit=50 | fields url, count</query>
+          <query>`mhn-base` (type=dionaea.capture OR type=kippo.sessions) url=* | top url limit=50 | fields url, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -60,7 +60,7 @@
       <table>
         <title>Top Attackers</title>
         <search>
-          <query>source="*mhn-splunk.log*"  | top src limit=50 |  iplocation src | fields src, Country, count | fillnull value=Unknown Country | eval DShield="DShield"</query>
+          <query>`mhn-base`  | top src limit=50 |  iplocation src | fields src, Country, count | fillnull value=Unknown Country | eval DShield="DShield"</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>

mhn-splunk/default/data/ui/views/kippo_analytics.xml

@@ -14,7 +14,7 @@
       <chart>
         <title>Kippo Events per Hour</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions | timechart span=1h count</query>
+          <query>`mhn-base` type=kippo.sessions | timechart span=1h count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -47,7 +47,7 @@
       <table>
         <title>Top Usernames</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions ssh_username=* | top ssh_username | fields ssh_username, count</query>
+          <query>`mhn-base` type=kippo.sessions ssh_username=* | top ssh_username | fields ssh_username, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -62,7 +62,7 @@
       <table>
         <title>Top Passwords</title>
         <search>
-          <query>source="*mhn-splunk.log*" ssh_password=* |  top ssh_password | fields ssh_password, count</query>
+          <query>`mhn-base` ssh_password=* |  top ssh_password | fields ssh_password, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -77,7 +77,7 @@
       <table>
         <title>Top Username/Password Combinations</title>
         <search>
-          <query>source="*mhn-splunk.log*" ssh_username=* ssh_password=* | top ssh_username, ssh_password | fields ssh_username, ssh_password, count</query>
+          <query>`mhn-base` ssh_username=* ssh_password=* | top ssh_username, ssh_password | fields ssh_username, ssh_password, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -94,7 +94,7 @@
       <table>
         <title>Top URLs Downloaded</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions url=* | top url | fields url, count</query>
+          <query>`mhn-base` type=kippo.sessions url=* | top url | fields url, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -109,7 +109,7 @@
       <table>
         <title>Top Commands Executed</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions command=* | top command | fields command, count</query>
+          <query>`mhn-base` type=kippo.sessions command=* | top command | fields command, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -126,7 +126,7 @@
       <table>
         <title>Top Kippo Attackers</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions | top src | iplocation src | fields src, Country, count | fillnull value=unknown Country | eval DShield="DShield"</query>
+          <query>`mhn-base` type=kippo.sessions | top src | iplocation src | fields src, Country, count | fillnull value=unknown Country | eval DShield="DShield"</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -171,7 +171,7 @@
       <table>
         <title>Top SSH Versions</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions | top ssh_version | fields ssh_version, count</query>
+          <query>`mhn-base` type=kippo.sessions | top ssh_version | fields ssh_version, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -186,7 +186,7 @@
       <table>
         <title>Top Sensors</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions | top sensor | fields sensor, count</query>
+          <query>`mhn-base` type=kippo.sessions | top sensor | fields sensor, count</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -203,7 +203,7 @@
       <event>
         <title>Kippo Events</title>
         <search>
-          <query>source="*mhn-splunk.log*" type=kippo.sessions</query>
+          <query>`mhn-base` type=kippo.sessions</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>