Admin Splunk Searches

Splunk Search for Sourcetypes that are Being Truncated Copy


				index=_internal sourcetype=splunkd "truncating line" 
| rex field=_raw "line length\s+>=\s+(?<length>\d+)" 
| search length=* 
| stats max(length) as length, count by data_sourcetype

0 comments

[0]

Splunk Search for Ingested Comments Copy


				 [ | tstats count where punct=#* by index, sourcetype | fields - count | format ] _raw=#*

0 comments

[0]

Splunk Search for Volume of Ingested Comments Copy


				[ | tstats count where punct=#* by index, sourcetype | fields - count | format ] _raw=#* 
| eval gb=len(_raw)/pow(1024,3)
| timechart span=1d sum(gb)

0 comments

[0]

Splunk Search for License Usage by Sourcetype Copy


				index=_internal source=*license_usage.log type="Usage" 
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
```| search st=<insert sourcetype here>```
| timechart span=1d sum(eval(b/pow(1024,3))) by st

0 comments

[0]

Splunk Search for Queued Searches Copy


				index=_internal sourcetype=splunkd group=search_concurrency name=search_queue_metrics | timechart avg(current_queue_size)

0 comments

[0]

Splunk Search for Splunk User Creations, Modifications, Deletions Copy


				 index=_audit action=edit_user operation=create
 |rename object as user
 |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") 
 |convert timeformat="%d/%b/%Y" ctime(timestamp)
 |table user timestamp

0 comments

[0]

Splunk searches relating to Admin