Friday, July 27, 2018

Splunk - Tips & trix

Search macro

In a query you often refer to indexes directly, like "index=main sourcetype=syslog", and then build that search into a dashboard. As your searches and dashboards grow, switching to another index means editing the same string in many places.

Instead go to Settings > Advanced search > Search macros, create (or edit) a macro and put the index part of the search there: "index=main".

Now, in your queries, refer to the macro instead of the index:
`my_macro` sourcetype=syslog
Whenever you need to change the index, or add more indexes, the macro is the only place you have to edit. Remember to share the macro at app level (knowledge objects are private to their creator by default), otherwise dashboards using it break for other users.
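The same macro as it is stored on disk (added example, not from the original post; the macro and index names are assumed). The first stanza is the plain macro from the text, widened to two indexes, and the second shows a macro that takes the index as an argument, which is how one macro can serve several dashboards:

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf  (path and names are assumptions)

# `my_macro` expands to the definition below. Parentheses keep the OR
# from binding to whatever follows the macro in the search.
[my_macro]
definition = (index=main OR index=firewall)
iseval = 0

# `my_macro_idx(firewall)` expands to  index=firewall
# The "(1)" in the stanza name is the number of arguments.
[my_macro_idx(1)]
args = idx
definition = index=$idx$
iseval = 0
```

Usage in a search is then `my_macro` sourcetype=syslog or `my_macro_idx(firewall)` sourcetype=syslog. Changing the index list in macros.conf (or in the UI) updates every search that references the macro; no dashboard XML needs to be touched.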

Blue Coat Proxy SG shortcuts

Under 'Statistics - Advanced' you'll find more than you need; here is a short summary.

sysinfo & sysinfo-stat

# Sysinfo

# Core Images

# Access Logs

Check Point Cli Commands

Cli commands

Some useful CLI commands. I always forget the syntax, so it's good to have them in one place.

### Cluster XL Debug (the routed daemon's view of the cluster state; same command from expert mode and from clish)
# Expert mode
clish -c "show routed cluster-state detailed"

# clish
show routed cluster-state detailed

##### VPN
### VPN encryption domain overlap
vpn overlap_encdom > temp.txt

### list tunnels
vpn tu tlist -p peer_ip

##### FW
### Proxy ARP entries currently active on the gateway (including those loaded from local.arp)
fw ctl arp -n

### CCC (useful script, but the install one-liner is dangerous: it pipes a plain-HTTP download, with no integrity check, straight into /usr/bin as root)
curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc
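A safer way to install the same script, as an added example that is not part of the original post. Instead of piping the download into /usr/bin, fetch it to a temporary file, decompress it, compare it against a SHA-256 hash obtained from a trusted channel (the post gives none, so the hash value is an assumption you must supply yourself), and only then install it with the right mode:

```shell
#!/bin/sh
# Added example: verified install of a downloaded script.
# Replaces:  curl_cli http://... | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

# Portable SHA-256: coreutils sha256sum on Gaia/Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_install <gzipped script> <expected sha256 of the decompressed script> <destination>
# Installs only when the hash matches; on any failure the destination is left untouched.
# Exit codes: 0 installed, 1 could not decompress, 2 hash mismatch.
verify_and_install() {
    gz="$1"; expected="$2"; dest="$3"
    tmp=$(mktemp) || return 1
    # zcat into a temp file, never directly into the final path
    if ! zcat "$gz" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    actual=$(sha256_of "$tmp")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch: expected $expected got $actual" >&2
        rm -f "$tmp"; return 2
    fi
    # install(1) copies and sets the mode in one step
    install -m 0755 "$tmp" "$dest" && rm -f "$tmp"
}

# On the gateway (assumption: curl_cli accepts standard curl options such as -o):
#   curl_cli -o /tmp/ccc.gz http://dannyjung.de/ccc
#   verify_and_install /tmp/ccc.gz <sha256 obtained out of band> /usr/bin/ccc
```

The hash has to come from somewhere other than the same unauthenticated HTTP download, otherwise an on-path attacker who can swap the script can swap the hash too. Reading through the decompressed file in the temp location before the install step costs nothing and is the only review a script that will run as root on a firewall will ever get.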