Searching in Splunk

When you are building the search criteria, click the field and value in the search result to add it to the search.

 

Wildcard character

  • * (asterisk) one or multiple characters

Exact phrases

  • Use ” (double quotes)

Search for quotes

  • \” (use backslash to escape quotes if you want to search for quotes)

Keywords in the search bar are case sensitive!

Boolean keywords are

  • AND (if omitted, it is implied)
  • OR
  • NOT

Order of boolean evaluation

  1. Inside parentheses ()
  2. NOT
  3. OR
  4. AND

Operators

  • =
  • !=
  • >
  • >=
  • <
  • <=

Examples

  • soourcetype=access_combined

Best search practices

Search in a time range

  • s  Seconds
  • m   Minutes
  • h  Hours
  • d  Days
  • w  Weeks
  • mon  Month
  • y  Year
  • @  Round down to the nearest unit

Examples

  • -30s  In the last 30 seconds
  • -30m@h  Round to the last hour. If the event was run at 5:42, events from 5:00 are returned
  • earliest=-2 latest=-1h  From two hours ago to one hour ago
  • earliest=05/12/2017:12:00:00  From an absolute date and time

Indexes

If the data is organized by multiple indexers, specify the index where the data is stored

Examples

  • index=main

Splunk installation

Install Splunk

  1. Navigate to the Splunk website at splunk.com,
  2. In the upper right corner select the Free Splunk button,
  3. If you don’t yet have a Splunk account, register to create one, otherwise log in,
  4. Select the Free Download in the Splunk Enterprise frame,
  5. Select the tab with the operating system of your machine.

Linux

  1. The simplest way to install Splunk on Linux is with wget in the command line. Click the Download via Command Line (wget) in the upper right corner in the Useful Tools box.
  2. Copy the command to your clipboard from the popup window,
  3. Execute the wget command in a terminal window to download the tar archive,
  4. It is recommended to install Splunk in the opt directory, untar the archive there. 
    sudo tar xvzf splunk.tgz –C /opt

Windows

  1. Download the .msi installer for your operating system (32 bit or 64 bit),
  2. Run the installer, follow the prompts, and accept the license agreement,
  3. Use Local System to run Splunk under.

Macintosh OSX

  1. Select the .dmg installer for simpler installation,
  2. Follow the prompts to install the application,
  3. At the end of the installation select Start and Show Splunk to start the application and view the user interface in a browser.

 

To start, stop, and administer Splunk

Linux

  1. In a terminal window navigate to the Splunk bin directory 
    cd /opt/splunk/bin
  2. To Start Splunk and accept the license agreement during the first start 
    ./splunk start --accept-license
  3. The terminal window displays the Splunk web interface address in the The Splunk web interface is at … line. Open a browser to navigate to the address.
  4. To start, stop, and restart the instance, and get help execute 
    ./splunk start
./splunk stop
./splunk restart
./splunk help

Macintosh OSX

  1. In a terminal window navigate to the Splunk bin directory 
    cd /Applications/Splunk/bin
  2. To start, stop, and restart the instance, and get help execute 
    ./splunk start
./splunk stop
./splunk restart
./splunk help

Logging into Splunk the first time

The initial credentials after installation is
Username: admin
Password; changeme

 

Send CTRL-ALT-DELETE to a Windows Virtual Box computer from a Macintosh

When you start a Windows 7 or equivalent server machine, to log in, you need to press CTRL-ALT-DELETE on the keyboard to get the login page. To send Control-Alt-Delete to a Windows virtual machine in Virtual Box from a Macintosh

on a Macintosh laptop press the fn – Command  – Delete back  keys

on a Macintosh desktop press the Command  – Delete forward  keys.

Get AWS SSL Certificate resource ids from existing Load Balancers

To launch an Elastic Load Balancer ( ELB ) with an existing SSL certificate using Terraform, you need to specify the AWS certificate resource id. If you have already uploaded the certificate and attached it to an existing load balancer, the following AWS CLI command will display it in the command window. MY_PROFILE is the name of the profile in the square brackets [] in the ~/.aws/credentials file.

aws elb describe-load-balancers --region MY_AWS_REGION --profile MY_PROFILE |grep SSL

To get all information on the load balancers, just omit the grep command:

aws elb describe-load-balancers --region MY_AWS_REGION --profile MY_PROFILE

Create a server image with Packer

Packer is a free, open-source application from Hashicorp. It can generate a server image based on an existing one, and configure it for your special needs. You can use the generated image when you launch a server instance in the cloud or on your local workstation.

Install Packer

Packer script

Packer reads a .json file to generate the new server image.

AMI ID

To find the latest AMI IDs log into the Amazon AWS Console, select EC2 and click the Launch button. On the left side click Quick Start to see the images for

  • Amazon Linux
  • SUSE Linux
  • Red Hat Enterprise Linux
  • Ubuntu Server
  • Microsoft Windows Server

For CentOS images, see the “Official CentOS Linux : Public Images” section at  https://wiki.centos.org/Cloud/AWS The AMI IDs are organized by region.

Username

It is important to use the correct ssh_username for each operating system:

Linux

RHEL: ec2-user
Amazon Linux: ec2-user
CentOS: centos
Ubuntu: ubuntu

Windows

any “winrm_username” and “winrm_password”

The PowerShell script in the user data file, specified in the “user_data_file” attribute, sets the initial username and password with the

cmd.exe /c net user /add ...

command.

The Administrator password is set with the

cmd.exe /c net user Administrator ...

command.

IMPORTANT!!!

For Packer to be able to connect to the server, set the same username and password in the  “winrm_username” and “winrm_password”, “elevated_user”, and “elevated_password” attributes of the .json file.

AMI Name

To allow the Chef Kitchen EC2 driver to read the OS version of the image, include the version in the “Name” as follows.

The Test Kitchen Git repository has the following at https://github.com/test-kitchen/kitchen-ec2

Note that the image_search method requires that the AMI image names be in a specific format. Some examples are:

  • Windows-2012
  • Windows-2012r2
  • Windows-2012r2sp1
  • RHEL-7.2

It is safest to use the same naming convention as used by the public images published by the OS vendors on the AWS marketplace.

Sample acceptable names are

  • my_windows-2012r2_base-01
  • my_amzn-ami-hvm_base-01

To find the name of the AMI

  1. In the AWS Console select EC2, and click the Launch Instance button
  2. On the left side select Quick Start, and find the AMI ID of the image you want to start with.
  3. Navigate back to the EC2 console, select AMIs, in the drop-down select Public images
  4. Search for the AMI by ID
  5. Make sure you copy the name of the AMI with the same ID.

 

Generate the server image with Packer

  1. Open a Bash window,
  2. Navigate to the folder of the Packer JSON script,
  3. Execute the following command. Packer will read the default AWS credentials from  ~/.aws/credentials file on your Macintosh or Linux workstation. On Windows, the file is at C:\Users\YOUR_USER_NAME\.aws\credentials. 
    packer build MY_PACKER_SCRIPT.json
    1. To specify the AWS keys in the command line 
      packer build -var 'aws_access_key=<access key>' -var 'aws_secret_key=<secret key>' MY_PACKER_SCRIPT.json
  4. The command window will display the ID of the generated image, or you can find it by name in the EC2 section of the AWS console under AMIs.

Share the generated server image with other cloud accounts

If you work in multiple cloud accounts you need to share the generated server image with other accounts

AWS

  1. Log into the AWS account you have used to generate the server image,
  2. On the left side of the EC2 section select AMI and find the new image by name of ID,
  3. On the Permissions tab click the Edit button,
  4. Make sure the Private radio button is selected if you don’t want to share the image publicly,
  5. Enter the account number of the account you want to share the image with (see Find the AWS account number),
  6. Check the Add “create volume” permissions… checkbox,
  7. Click the Add Permission button,
  8. When you have added all accounts to share with, click the Save button.

 

Convert PEM files to PPK to use them in PuTTY

When you create a key in AWS you can download it one time in PEM format. To use it in PuTTY, the free SSH and Telnet client, you have to convert it to PPK format.

To install PuTTY, see the Terminal Emulator section in Recommended utilities for your workstation

To convert a PEM file to PPK

  1. Open a terminal window in the folder of the PEM file
  2. Execute the following 
    puttygen MYKEY.pem -o MYKEY.ppk

 

Modify STL 3D printing files with FreeCAD

There are many free STL files are available on the internet to 3D print useful objects at home. There are times when we want to make some adjustments to them to better fit our need or 3D printing equipment. If the STL file describes an object that is larger than the maximum dimensions your printer can produce, you can print the object in two or more pieces and glue them together. There are glues on the market that can make as strong bonds as the materials themselves they are attaching together.

There are free applications that can open and edit STL files, one of them is the open source FreeCAD.

Download FreeCAD from https://www.freecadweb.org/wiki/Download

Open and edit STL files in FreeCAD

Import an STL file into FreeCAD

  1. Start FreeCAD and create a new document with File > New,
  2. In the menu select File > Import and navigate to the mesh file you want to modify. FreeCAD can open STL, OBJ, and AST mesh files.
  3. In the dropdown select the Part workbench,
  4. In the Model window select the imported mesh,
  5. In the menu select Part > Create shape from mesh
  6. The default 0.10 tolerance is usually fine for most of the objects we 3D print, click OK,
  7. Delete the imported mesh in the Model window. Right-click the name of the imported mesh and select Delete,
  8. Convert the shapes to solid. In the toolbar click the Advanced Utilities icon,
  9. In the Tasks window select Solid from shell
  10. Click one triangle on the object,
  11. Click the Create button. You will not notice any change because the solid overlaps the shape.
  12. Click the Close button in the Tasks window,
  13. Delete the shape. In the Model window right-click the name of the shape and select Delete. We have converted the mesh to solid, ready to be edited.

Edit the solid model in FreeCAD

  1. To add or remove parts, open the Part Design workbench,
  2. Select the Solid in the Model window, so the object turns green,
  3. In the Part Design menu select Create Sketch
  4. Select the plane you want to draw and click OK,
  5. Draw lines, circles, rectangles that we will extrude to add or subtract them from the object. Don’t worry if the sketch is not at the correct elevation, we will move the sketch to the correct elevation later.
  6. To print a portion of a too large object, draw lines and trim them at the location where you want to separate the object into multiple parts.
  7. To close and save the sketch click the Close Sketch icon in the tool bar.
  8. To continue to edit the sketch, double click it in the Model window.

To change the elevation of a sketch

  1. Select a face on the solid the move the sketch to,
  2. In the Part Design menu select Map sketch to face
  3. Select the sketch in the drop-down list and click OK,
  4. The sketch opens. You can continue the editing of it, or just close it.