REST Splunk Searches

Splunk Search for List all knowledge objects Copy


				| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local | rename eai:* as *, acl.* as * | eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y"))| sort type | stats list(title) as title, list(type) as type, list(orphaned) as orphaned, list(sharing) as sharing, list(owner) as owner, list(updated) as updated by app

0 comments

[2]

Splunk Search for Disk usage by Splunk server Copy


				| rest /services/server/status/partitions-space | eval diskFree=tostring(round(free/capacity,4)*100)."%", capacityGB=round(capacity/1024,2), freeGB=round(free/2014,2) | table splunk_server, mount_point, freeGB, capacityGB, diskFree | rename splunk_server as "Splunk Server", mount_point as "Mount Point", diskFree as "Disk Free (%)", freeGB as "Disk Free (GB)", capacityGB as "Capacity (GB)"

0 comments

[2]

Splunk Search for List of Splunk users and their roles Copy


				| rest /services/authentication/users | stats values(roles) as Roles by title | rename title as User

0 comments

[2]

Splunk Search for List of indexes and retention period Copy


				| rest splunk_server=* /services/data/indexes | eval "Retention Period (days)"=frozenTimePeriodInSecs/60/60/24 | table title "Retention Period (days)" | rename title as Index

0 comments

[2]

Splunk Search for Users by role and default app Copy


				| rest /services/authentication/users 
| stats values(roles) as Role first(defaultApp) as "Default App" by title | rename title as Username

0 comments

[2]

Splunk Search for Indexes by sourcetype Copy


				| tstats values(sourcetype) as sourcetype WHERE index=* OR index=_* by index

0 comments

[2]

Splunk Search for Detailed information on Indexes Copy


				| rest /services/data/indexes 
| eval indexSize=tostring(round(currentDBSizeMB/1024,2), "commas"), events=tostring(totalEventCount, "commas"), daysRetention=frozenTimePeriodInSecs/60/60/24 | foreach *Time [ | eval <<FIELD>>=strptime(<<FIELD>>,"%Y-%m-%dT%H:%M:%S%Z"), <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ] | fillnull value="n/a"
| table title, splunk_server, indexSize, daysRetention, events, maxTime, minTime | rename title as "Index Name", splunk_server as "Splunk Server" indexSize as "Current Size on Disk (GB)", daysRetention as "Retention Period in Days", events as "Count of events", maxTime as "Most Recent Event", minTime as "Earliest Event"

0 comments

[2]

Splunk Search for Uptime of Splunk Servers Copy


				| rest /services/server/info | eval secUp=now()-startup_time, minutesUp=secUp/60 | table serverName, server_roles, secUp, minutesUp | rename serverName as "Splunk Server", server_roles as "Server Roles", secUp as "Uptime (sec)", minutesUp as "Uptime (min)"

0 comments

[0]

Splunk Search for List of triggered alerts Copy


				| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.app eai:acl.owner id title triggered_alert_count | rename eai:acl.* as *, app as App, owner as Owner, id as Endpoint, title as Title, triggered_alert_count as "Count of Triggered Alerts"

0 comments

[2]

Splunk Search for Extractions using regex in transforms.conf Copy


				| rest /services/data/transforms/extractions | table eai:acl.app, title, SOURCE_KEY, REGEX, FORMAT, DEST_KEY | sort eai:acl.app title | eval DEST_KEY=if(DEST_KEY="","N/A",DEST_KEY) | rename eai:acl.app as App, title as Title, SOURCE_KEY as "Source Key", REGEX as RegEx, FORMAT as Format, DEST_KEY as "Dest Key"

0 comments

[2]

Splunk searches relating to REST