Splunk searches relating to REST

clear
Next Page
12
Splunk Search for List all knowledge objects Copy
| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local | rename eai:* as *, acl.* as * | eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y"))| sort type | stats list(title) as title, list(type) as type, list(orphaned) as orphaned, list(sharing) as sharing, list(owner) as owner, list(updated) as updated by app
0 comments
Splunk Search for Disk usage by Splunk server Copy
| rest /services/server/status/partitions-space | eval diskFree=tostring(round(free/capacity,4)*100)."%", capacityGB=round(capacity/1024,2), freeGB=round(free/2014,2) | table splunk_server, mount_point, freeGB, capacityGB, diskFree | rename splunk_server as "Splunk Server", mount_point as "Mount Point", diskFree as "Disk Free (%)", freeGB as "Disk Free (GB)", capacityGB as "Capacity (GB)"
0 comments
Splunk Search for List of Splunk users and their roles Copy
| rest /services/authentication/users | stats values(roles) as Roles by title | rename title as User
0 comments
Splunk Search for List of indexes and retention period Copy
| rest splunk_server=* /services/data/indexes | eval "Retention Period (days)"=frozenTimePeriodInSecs/60/60/24 | table title "Retention Period (days)" | rename title as Index
0 comments
Splunk Search for Users by role and default app Copy
| rest /services/authentication/users | stats values(roles) as Role first(defaultApp) as "Default App" by title | rename title as Username
0 comments
Splunk Search for Indexes by sourcetype Copy
| tstats values(sourcetype) as sourcetype WHERE index=* OR index=_* by index
0 comments
Splunk Search for Detailed information on Indexes Copy
| rest /services/data/indexes | eval indexSize=tostring(round(currentDBSizeMB/1024,2), "commas"), events=tostring(totalEventCount, "commas"), daysRetention=frozenTimePeriodInSecs/60/60/24 | foreach *Time [ | eval <<FIELD>>=strptime(<<FIELD>>,"%Y-%m-%dT%H:%M:%S%Z"), <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ] | fillnull value="n/a" | table title, splunk_server, indexSize, daysRetention, events, maxTime, minTime | rename title as "Index Name", splunk_server as "Splunk Server" indexSize as "Current Size on Disk (GB)", daysRetention as "Retention Period in Days", events as "Count of events", maxTime as "Most Recent Event", minTime as "Earliest Event"
0 comments
Splunk Search for Uptime of Splunk Servers Copy
| rest /services/server/info | eval secUp=now()-startup_time, minutesUp=secUp/60 | table serverName, server_roles, secUp, minutesUp | rename serverName as "Splunk Server", server_roles as "Server Roles", secUp as "Uptime (sec)", minutesUp as "Uptime (min)"
0 comments
Splunk Search for List of triggered alerts Copy
| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.app eai:acl.owner id title triggered_alert_count | rename eai:acl.* as *, app as App, owner as Owner, id as Endpoint, title as Title, triggered_alert_count as "Count of Triggered Alerts"
0 comments
Splunk Search for Extractions using regex in transforms.conf Copy
| rest /services/data/transforms/extractions | table eai:acl.app, title, SOURCE_KEY, REGEX, FORMAT, DEST_KEY | sort eai:acl.app title | eval DEST_KEY=if(DEST_KEY="","N/A",DEST_KEY) | rename eai:acl.app as App, title as Title, SOURCE_KEY as "Source Key", REGEX as RegEx, FORMAT as Format, DEST_KEY as "Dest Key"
0 comments
Next Page
12