Batch file to send Splunk Alerts

The free version of Splunk lacks the capability to do scheduled reports and alerting. However, it has a very capable API that can be simply accessed using curl. I wrote some batch files to access these APIs and scheduled them to run periodically. One grabs the last alerts off of the IDS and the other alerts on Hard Drive Errors.

@echo off
set tdate=%date:/=-%
set tdate=%tdate: =%
set ttime=%time::=_%
set ttime=%ttime: =T%
set ttime=%ttime:.=-%

call :doit IDSmalware5m
call :doit DiskErrors5m

goto :EOF

:doit
REM Start a search job for the saved search named in %1 and keep only its job id.
REM The job creation response carries the id as <sid>...</sid>; the sed calls strip the tags.
REM Needs curl, grep, sed and sleep on the PATH (GnuWin32 or Cygwin builds work).
curl -s -k https://splunkserver:8089/services/search/jobs -d "search=| savedsearch %1" | grep sid | sed "s/<sid>//g" | sed "s/<\/sid>//g" > %temp%\splunk-alert-%1-%tdate%%ttime%.txt
for /f %%i in (%temp%\splunk-alert-%1-%tdate%%ttime%.txt) do call :loop %%i
goto :EOF

:loop
::echo "%1"
REM Poll the job (%1 is the sid) until its isDone key reads 1, then fetch the results as CSV.
curl -s -k https://splunkserver:8089/services/search/jobs/%1 | grep "name=.isDone.>1" > nul
if errorlevel 1 sleep 2 && goto :loop
curl -s -k "https://splunkserver:8089/services/search/jobs/%1/results?output_mode=csv"
goto :EOF
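The same three-step exchange (create the job, poll it until it is done, pull the results as CSV) written out in Python, as an added example that is not the blog's batch file. The response shapes follow the documented /services/search/jobs API: a <sid> element on job creation and an isDone key in the running job's Atom entry. The transport is passed in so the flow can run offline against the constructed FakeSplunk stand-in; urllib_transport is the real one and, unlike curl -k, verifies the server certificate. The saved search names and the splunkserver host are the page's own; everything else is an assumption of this example.

```python
"""Added example (not the blog's own code): the Splunk REST job flow from the
batch file above, in Python. Response shapes follow the documented
/services/search/jobs API: a <sid> element on job creation, and an
isDone key in the job's Atom entry while it runs."""
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

SID_RE = re.compile(r"<sid>([^<]+)</sid>")
ISDONE_RE = re.compile(r'<s:key name="isDone">(\d)</s:key>')

# Transport signature: http(method, url, body_or_None) -> response text.
Transport = Callable[[str, str, Optional[str]], str]


def extract_sid(create_response: str) -> str:
    """Pull the job id out of the creation response (what the sed calls do)."""
    m = SID_RE.search(create_response)
    if not m:
        raise ValueError("no <sid> element in job creation response")
    return m.group(1).strip()


def job_is_done(status_response: str) -> bool:
    """True once the job's isDone key is 1 (what the grep in :loop tests)."""
    m = ISDONE_RE.search(status_response)
    return m is not None and m.group(1) == "1"


def run_saved_search(name: str, http: Transport,
                     base: str = "https://splunkserver:8089",
                     max_polls: int = 30, delay: float = 2.0,
                     sleep: Callable[[float], None] = time.sleep) -> str:
    """Create a job for saved search `name`, poll until done, return CSV results."""
    body = urllib.parse.urlencode({"search": f"| savedsearch {name}"})
    sid = extract_sid(http("POST", f"{base}/services/search/jobs", body))
    for _ in range(max_polls):
        if job_is_done(http("GET", f"{base}/services/search/jobs/{sid}", None)):
            return http("GET", f"{base}/services/search/jobs/{sid}/results?output_mode=csv", None)
        sleep(delay)
    raise TimeoutError(f"search job {sid} not finished after {max_polls} polls")


def urllib_transport(method: str, url: str, body: Optional[str]) -> str:
    """Real transport. Unlike curl -k, it verifies the server certificate."""
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


class FakeSplunk:
    """Constructed stand-in for the server so the example runs offline:
    the job reports isDone=0 on the first status poll and 1 on the second."""
    def __init__(self) -> None:
        self.status_polls = 0

    def __call__(self, method: str, url: str, body: Optional[str]) -> str:
        if method == "POST" and url.endswith("/services/search/jobs"):
            return "<response>\n  <sid>1700000000.42</sid>\n</response>"
        if url.endswith("/results?output_mode=csv"):
            # Constructed sample result rows, not real alert data.
            return "_time,src_ip,signature\n2024-01-01T00:00:00,10.0.0.5,constructed sample alert\n"
        self.status_polls += 1
        flag = "1" if self.status_polls >= 2 else "0"
        return ('<entry><content><s:dict><s:key name="isDone">'
                f'{flag}</s:key></s:dict></content></entry>')


if __name__ == "__main__":
    for saved in ("IDSmalware5m", "DiskErrors5m"):
        print(run_saved_search(saved, FakeSplunk(), sleep=lambda _s: None))
```

Swap FakeSplunk for urllib_transport to talk to a real server; the bounded poll loop and the TimeoutError replace the batch file's unbounded goto :loop, so a job that never completes cannot hang the scheduled task.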
Posted in Uncategorized

Script to list all members of Office 365 Admin Roles

Here is a short script to enumerate the Office 365 Admin Roles and list out each of their memberships. Please note that for this to work you need to install the Azure AD Powershell module.

# Requires the Azure AD (MSOnline) PowerShell module; run Connect-MsolService first.
$roles = Get-MsolRole

foreach ($role in $roles) {
	write-host $role.Name,",",$role.Description
	write-host "=========="
	Get-MsolRoleMember -RoleObjectId $role.ObjectId
	write-host " "
}
Posted in Powershell

Free Space percentage wmic script

Command Line script using wmic and built-in NT Shell scripting commands to retrieve free space, total disk size and calculate percent free for local hard disks.

@echo off

REM MediaType 12 is "fixed hard disk media", so only local hard disks are listed.
for /f "skip=1 usebackq delims==" %%i in (`wmic logicaldisk where "mediatype='12'" get caption`) do (
call :doit %%i )
goto :eof

:doit
set driveletter=%1
if {%driveletter%}=={} goto :EOF
for /f "usebackq delims== tokens=2" %%x in (`wmic logicaldisk where "DeviceID='%driveletter%'" get FreeSpace /format:value`) do set FreeSpace=%%x
for /f "usebackq delims== tokens=2" %%x in (`wmic logicaldisk where "DeviceID='%driveletter%'" get Size /format:value`) do set Size=%%x
REM wmic reports bytes and leaves a trailing carriage return on the captured value;
REM trimming the last 10 characters drops that CR plus nine digits, leaving whole (decimal) GB.
set FreeMB=%FreeSpace:~0,-10%
set SizeMB=%Size:~0,-10%
REM A disk under 1 GB trims to an empty string, which would make set /a fail.
if "%SizeMB%"=="" goto :EOF
set /a Percentage=100 * FreeMB / SizeMB
echo %driveletter% %FreeMB% GB out of %SizeMB% GB Total - %Percentage% percent free

I may extend this in a future update to include removable and/or network drives.

Posted in NT Shell Script

Powershell top processes script v2

I made some modifications to my top processes script that make it both better performing and more useful by providing more information. There is a noticeable delay when get-counter is called, so rather than staring at a black screen waiting for the results from this call, I modified the script such that the previous results are displayed on screen while get-counter is called and sends its output to a variable. At the same time I added counters for total CPU usage and idle CPU percentage. It is still a one-liner, but rather cumbersome as such; I may break it up in a future post:

while (1)  { $tot = get-counter "\Processor(_total)\% processor time"; $idl = get-counter "\Process(idle)\% processor time"; $Proc = Get-counter "\Process(*)\% processor time"; $p2 = $Proc.CounterSamples | where {$_.instanceName -ne "idle"} | where {$_.instanceName -ne "_total"}; cls; $tot.countersamples; $idl.countersamples;  $p2| sort -desc CookedValue |select -first 17; sleep -seconds 3;}
Posted in Uncategorized

Regular Expression to select multicast and broadcast ip addresses

This is a powershell code snippet I used to find security log event entries that had a multicast or broadcast source ip address:

Get-EventLog -LogName Security -instanceid 5156 | where {$_.message -match 'Source Add.*\.255\s|Source Add.*\s22[4-9]|Source Add.*\s23[0-9]'}
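The digit pattern is a quick filter for the message text, and it is worth seeing where it over- and under-matches before building a detection on it. Below, as an added example that is not part of the original post, the same regex is run in Python over constructed 5156-style messages beside a check that uses the ipaddress module: the .255 rule also matches addresses that are not the local subnet's broadcast, and an IPv6 multicast source (ff02::/16, used by LLMNR) is missed entirely. The 224-239 rule itself matches the IPv4 multicast range correctly. make_5156, the sample addresses and LOCAL_NET are assumptions of this example; directed broadcast depends on the real subnet mask.

```python
"""Added example (not the blog's own code): the regex above run over
constructed event 5156 messages, beside an address check that uses the
ipaddress module. LOCAL_NET is an assumed subnet; directed broadcast
depends on the real mask."""
import ipaddress
import re

BLOG_REGEX = re.compile(r"Source Add.*\.255\s|Source Add.*\s22[4-9]|Source Add.*\s23[0-9]")
SRC_RE = re.compile(r"Source Address:\s*([0-9A-Fa-f.:]+)")
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption for the example


def make_5156(src: str, dst: str) -> str:
    """Build a message in the layout of event 5156 (constructed, not a real log)."""
    return ("The Windows Filtering Platform has permitted a connection.\n\n"
            "Network Information:\n"
            "\tDirection:\t\tInbound\n"
            f"\tSource Address:\t\t{src}\n"
            "\tSource Port:\t\t1900\n"
            f"\tDestination Address:\t{dst}\n"
            "\tDestination Port:\t\t1900\n"
            "\tProtocol:\t\t17\n")


def source_address(message: str):
    """Return the Source Address field of a 5156 message, or None."""
    m = SRC_RE.search(message)
    return m.group(1) if m else None


def classify(message: str, local_net=LOCAL_NET) -> str:
    """multicast / broadcast / unicast decided by address math, not digit patterns."""
    addr = source_address(message)
    if addr is None:
        return "unknown"
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:  # 224.0.0.0/4 for IPv4, ff00::/8 for IPv6
        return "multicast"
    if ip.version == 4 and ip in (ipaddress.ip_address("255.255.255.255"),
                                  local_net.broadcast_address):
        return "broadcast"
    return "unicast"


def regex_hit(message: str) -> bool:
    """What the blog's -match expression would report for this message."""
    return BLOG_REGEX.search(message) is not None


# Constructed sample messages covering the interesting cases.
SAMPLE_MESSAGES = [
    make_5156("239.255.255.250", "192.168.1.10"),  # SSDP multicast: both agree
    make_5156("192.168.1.255", "192.168.1.10"),    # broadcast on LOCAL_NET: both agree
    make_5156("10.0.1.255", "192.168.1.10"),       # ends in .255 but not our broadcast: regex over-matches
    make_5156("ff02::1:3", "ff02::1:3"),           # IPv6 LLMNR multicast: regex misses it
    make_5156("192.168.1.20", "192.168.1.10"),     # ordinary unicast: both agree
]


def compare(messages=SAMPLE_MESSAGES):
    """Return (source, classification, regex_matched) for each message."""
    return [(source_address(m), classify(m), regex_hit(m)) for m in messages]


if __name__ == "__main__":
    for src, kind, hit in compare():
        print(f"{src:20} {kind:10} regex={'match' if hit else 'no match'}")
```

Get-EventLog hands you the whole message string, so the same split between "extract the Source Address field" and "classify the address" carries over to PowerShell with [System.Net.IPAddress] if you want the precise version there.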
Posted in Uncategorized

Powershell script to show duplicate tv episodes

This powershell script will look in my recorded tv folder for my media center pc and count the number of episodes, displaying any duplicates:

$sh = new-object -com shell.application
$hash = @{}

$folder = $sh.namespace("F:\Recorded TV")
if ($folder) {
    $folderitems = $folder.Items()
    foreach ($folderitem in $folderitems) {
        if ($folderitem) {
            # Extended property column 196 holds the episode name on the author's PC;
            # GetDetailsOf column numbers differ between Windows versions.
            $episode = $folder.getdetailsof($folderitem,196)
            $episode | foreach-object {$hash[$_]++}
        }
    }
}

foreach ( $key in @($hash.keys) ) { if ( $hash[$key] -ge 2 ) { $key, $hash[$key] }}
Posted in Powershell

Powershell script to display Top CPU processes

This is a quick little script that you can use to view CPU usage by process from a CLI interface:

while (1)  { $Proc = Get-counter "\Process(*)\% processor time"; $Proc.CounterSamples | where {$_.instanceName -ne "idle"} | where {$_.instanceName -ne "_total"} | sort -desc CookedValue |select -first 20; sleep -seconds 2; cls }
Aside