Splunk searches relating to Admin
```Lines truncated by splunkd (event exceeded the truncation limit): longest reported line length and count per sourcetype```
index=_internal sourcetype=splunkd "truncating line"
| rex field=_raw "line length\s+>=\s+(?<length>\d+)"
| search length=*
| stats max(length) as length, count by data_sourcetype

```Daily volume (GB) of indexed events whose raw text starts with #, e.g. comment or header lines; the subsearch narrows the scan to index/sourcetype pairs that contain such events```
[ | tstats count where punct=#* by index, sourcetype | fields - count | format ] _raw=#*
| eval gb=len(_raw)/pow(1024,3)
| timechart span=1d sum(gb)

```Daily license usage (GB) per sourcetype from license_usage.log; uncomment the search line below to restrict it to one sourcetype```
index=_internal source=*license_usage.log type="Usage"
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
```| search st=<insert sourcetype here>```
| timechart span=1d sum(eval(b/pow(1024,3))) by st

```Average search queue size over time, from the search concurrency metrics```
index=_internal sourcetype=splunkd group=search_concurrency name=search_queue_metrics | timechart avg(current_queue_size)

```Users created on this instance, from the audit log, with the creation date```
index=_audit action=edit_user operation=create
| rename object as user
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%b/%Y" ctime(timestamp)
| table user timestamp