| splunk [searches]
Splunk searches relating to general Splunk administration: search auditing, lookup sizing, indexing lag, app inventory and bucket housekeeping.
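``` Who runs "All time" searches: _audit logs search_et/search_lt as "N/A" when no earliest/latest was set. Only completed runs are counted and the system user is left out; heaviest offenders first. ```
index=_audit action=search info=completed search_et="N/A" search_lt="N/A" user!=splunk-system-user
| stats count by user
| sort 0 - count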
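``` Estimated size of every CSV lookup file visible on this search head (splunk_server=local), largest first. ```
| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
| fields title eai:acl.owner eai:acl.app
``` .mlmodel files are not CSV lookups and inputlookup cannot read them ```
| where !match(title,"\.mlmodel")
| rename eai:acl.* as *
``` One inputlookup per file (map stops after maxsearches files). Size is an estimate: value length plus one separator byte per cell, no quoting overhead. Columns named b or mb in a lookup would be clobbered by the totals. Each subsearch runs as the current user, so lookups that user cannot read will presumably be missing — confirm on your instance. ```
| map
    [ | inputlookup $title$ | foreach *
        [ | eval b_<<FIELD>>=len(<<FIELD>>) + 1 ]
      | addtotals b_* fieldname=b
      | stats sum(eval(b/1024/1024)) as mb
      | eval name="$title$", owner="$owner$", app="$app$" ] maxsearches=1000
| sort 0 - mb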
``` Approximate on-disk size of a single CSV lookup: every cell contributes its value length plus one separator byte, summed over all rows. Replace the placeholder with the lookup file name. ```
| inputlookup <insert lookup file name>
| foreach *
    [ | eval b_<<FIELD>>=1+len(<<FIELD>>) ]
| addtotals fieldname=b b_*
| stats sum(b) as b
| eval mb=b/1048576, gb=b/1073741824
| fields b mb gb
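``` Worst indexing lag per index (_indextime minus _time). span=1s keeps _time exact — without a span tstats appears to auto-bucket _time, which inflates the computed lag (TODO confirm on your version). index=* does not cover internal indexes; add index=_* if those matter. A negative result means the event's _time is ahead of the time it was indexed — look at timestamp parsing or clock skew on the source. ```
| tstats count where index=* by _time span=1s, _indextime, index
| rename _* as *
| eval diff_secs=indextime-time, diff_hours=diff_secs/60/60
| stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by index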
``` ERROR lines mentioning sendemail in the Python runner log — presumably failures of the sendemail command / email alert action; term match, so both words are matched case-insensitively anywhere in the event ```
index=_internal sourcetype=splunk_python "ERROR" "sendemail"
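``` Splunk version per host per day from introspection Hostwide data. The values() list is multivalue, so a day showing two versions is a day the host changed version. Only hosts whose _introspection data reaches this search head appear. ```
index=_introspection component=Hostwide
| bin _time span=1d
| stats values(data.splunk_version) as splunk_version by _time, host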
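``` Non-scheduled searches with runtime and result count, newest first. info=completed keeps one record per search: the separate info=granted record for the same search does not carry total_run_time/result_count, so without it each search showed up twice, once with empty columns (TODO confirm on your version). sort 0 removes sort's default 10,000-row cap so older rows are not silently dropped. Note provenance!=scheduler also drops records that have no provenance field at all; use NOT provenance=scheduler if those should be kept. ```
index=_audit action=search search=* info=completed user!=splunk-system-user provenance!=scheduler
| table _time user search host total_run_time result_count
| sort 0 - _time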
``` Inventory of enabled apps on every server the REST call reaches; disabled is accepted as either the string "false" or 0, exactly as the IN() form did ```
| rest /services/apps/local
| search disabled="false" OR disabled=0
| table title version description splunk_server
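``` Buckets handled by BucketMover in the last 7 days, counted by index. The index name is the path component after /cold/, so the pattern no longer depends on SPLUNK_DB being /opt/splunk/var/lib/splunk; it still assumes coldPath is laid out as .../cold/<index>/... (a default install keeps cold buckets under <index>/colddb — adjust the pattern to your coldPath). Events whose bkt field has no /cold/ component get no frozen_index and are dropped by stats. BucketMover presumably also logs warm-to-cold moves, not only freezes; add a message filter if only frozen buckets are wanted (TODO confirm log text). ```
index=_internal sourcetype=splunkd earliest=-7d latest=now component=BucketMover
| rex field=bkt "/cold/(?<frozen_index>[^/]+)"
| stats count by frozen_index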
``` Exact-duplicate events: identical raw text indexed more than once into the same index/sourcetype/source/host. This groups every event's full _raw for the whole time range, so run it over a narrow window. ```
index=*
| stats count by _raw, index, sourcetype, source, host
| search count>1