Steven Butterworth(UK-IT-GURU)

InfoSec Specialist
🔐 SIEM Technologies Expert
💼 Freelancer

🖥 Splunk | Sentinel | Elastic

👨‍🏫 SIEM Content Creation & Delivery

🏛 Experience with Government Departments & Private Sector

📊 Passionate About:
Data Science
Data Engineering
Data Literacy

🏅Triathlon Enthusiast | Bike Aficionado
🚴‍♂️ "I'll need a new bike for that"
#InfoSec #SIEM #Splunk #Sentinel #Elastic #DataScience #DataEngineering #DataLiteracy #Freelancer #Tech #Triathlon #Cycling #python

Splunk Admin Tip: Monitoring License Usage by Sourcetype
As a Splunk admin, keeping track of your license usage is crucial to ensure you stay within your allocated limits and manage your data efficiently. Here’s a handy SPL (Search Processing Language) query to monitor license usage by sourcetype:

index=_internal source=*license_usage.log* type=Usage
| bin _time span=1d
| stats sum(b) as totalVolumeBytes by _time, idx, st
| eval totalVolumeGB=totalVolumeBytes/1024/1024/1024
| rename idx as index, st as sourcetype
| fields _time index sourcetype totalVolumeGB
| sort _time, -totalVolumeGB

Explanation:
🔍 Search Index: index=_internal source=*license_usage.log* type=Usage
This part of the query searches the _internal index for license usage logs.

🕒 Time Binning: | bin _time span=1d
Bins the events into daily intervals.

📊 Aggregation: | stats sum(b) as totalVolumeBytes by _time, idx, st
Sums the volume of data in bytes for each day, indexed by time, index (idx), and sourcetype (st).

🔄 Conversion to GB: | eval totalVolumeGB=totalVolumeBytes/1024/1024/1024
Converts the total volume from bytes to gigabytes.

✏️ Renaming Fields: | rename idx as index, st as sourcetype
Renames the fields for better readability.

🔍 Field Selection: | fields _time index sourcetype totalVolumeGB
Selects the relevant fields to display.

🔝 Sorting: | sort _time, -totalVolumeGB
Sorts the results by time and total volume in descending order.

#Splunk #AdminTip #LicenseUsage #SPL #DataManagement #SIEM #TechTips #DataAnalytics #CyberSecurity #BigData #ITSecurity #InfoSec #ITAdmin #DataMonitoring #LogManagement #TechCommunity

I'm working on a use case to detect unusual increases in interactive logins to Windows machines, indicating potential lateral movement (MITRE T1021). To achieve this, I’m using a tstats search on the authentication data model, leveraging standard deviation to calculate dynamic thresholds by user and asset. If these thresholds are breached, an alert is triggered. 🚨

Here’s a more detailed look at the SPL I’m using:

| tstats summariesonly=true dc(Authentication.dest) as device_count from datamodel=Authentication where Authentication.action=success AND source=WinEventLog:Security AND NOT Authentication.user IN ("DWM-*" "UMFD-*") by _time span=1d Authentication.user
| eventstats avg(device_count) as avg_devices stdev(device_count) as stdev_devices by Authentication.user
| eval threshold=avg_devices + 2.5*stdev_devices
| where device_count > threshold AND stdev_devices > 1

This approach helps in identifying potential security threats by dynamically adjusting thresholds based on user and asset behavior.

Interested in the SPL or need it for another SIEM system? Drop a comment or DM me! 💬

#Splunk #SIEM #InfoSec #MITRE #CyberSecurity #TechTuesday #ThreatDetection
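The threshold logic from the post above, re-created in plain Python as an added example (not the author's SPL or code) so the arithmetic can be checked offline. The daily distinct-destination counts per user are constructed sample data, and `stdev` is the sample standard deviation, which is what Splunk's `stdev` computes.

```python
# Added example: mirrors the post's eventstats/eval/where logic.
# Assumptions: DAILY_DEVICE_COUNTS is constructed sample data (30 days per
# user); statistics.stdev is the sample (n-1) stdev, matching Splunk's stdev().
from math import sqrt
from statistics import mean, stdev

# Constructed sample: {user: [dc(Authentication.dest) per day, 30 days]}
DAILY_DEVICE_COUNTS = {
    # admin with a normal spread of hosts, then a spike on the last day
    "svc_admin": [3, 4, 2, 5] * 7 + [3, 25],
    # ordinary user: always one host, then two (fires only without the stdev>1 guard)
    "jsmith": [1] * 29 + [2],
    # helpdesk user: high day-to-day variance, so a busy day stays under threshold
    "helpdesk01": [5, 9, 2, 8, 4, 10] * 5,
}


def flag_lateral_movement(series, k=2.5, min_stdev=1.0):
    """Return {user: [(day_index, device_count, threshold)]} for days where
    device_count > avg + k*stdev, replicating the post's `where` clause.
    Users whose stdev is <= min_stdev are skipped, just as the SPL's
    `stdev_devices > 1` prevents near-constant users alerting on a +1 change."""
    hits = {}
    for user, counts in series.items():
        if len(counts) < 2:
            continue  # stdev is undefined for one day (Splunk yields null)
        avg, sd = mean(counts), stdev(counts)
        if sd <= min_stdev:
            continue
        threshold = avg + k * sd
        breaches = [(i, c, round(threshold, 2)) for i, c in enumerate(counts) if c > threshold]
        if breaches:
            hits[user] = breaches
    return hits


def max_reachable_sigma(n_days):
    """Largest z-score a single outlier can reach when, as with eventstats,
    it is included in its own baseline of n_days points: (n-1)/sqrt(n)."""
    return (n_days - 1) / sqrt(n_days)


if __name__ == "__main__":
    for user, days in flag_lateral_movement(DAILY_DEVICE_COUNTS).items():
        print(user, days)
    print("max sigma with 8 days of history:", round(max_reachable_sigma(8), 2))
```

One caveat this makes visible: because eventstats folds the spike day into its own baseline, a lone outlier among n days can never exceed (n-1)/sqrt(n) sample standard deviations, so a 2.5-sigma rule needs at least nine days of history per user before it can fire at all.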

Pro Tip for Splunk Dashboards! 💡

When passing a token with mixed values (some with spaces, some without) in multi-value drop-downs, use a suffix of |s. For example: $my_value|s$. This ensures all values are handled correctly, improving dashboard functionality. 🚀

Have any Splunk tips or questions? Drop a comment below or DM me! 💬

#Splunk #SIEM #InfoSec #TechTips #DataScience

👋 Hello Mastodon!

I'm Steven Butterworth, aka UKITGURU. I specialise in InfoSec and SIEM technologies (Splunk, Sentinel, Elastic). As a freelancer, I create and deliver SIEM content, working with gov departments and the private sector. Passionate about Data Science, Data Engineering, and data literacy. Avid triathlon enthusiast—never enough bikes! 🚴‍♂️

Looking forward to connecting!

#InfoSec
#SIEM
#Splunk
#Sentinel
#DataScience
#Triathlon
#Cycling