| splunk [searches]
Splunk searches relating to REST
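``` Inventory of knowledge objects per app on this search head; count=0 returns every entry instead of the default page size ```
| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
| rename eai:* as *, acl.* as *
``` the endpoint returns ISO-8601 timestamps; an object without an updated value is reported as "Never" ```
| eval updated=strptime(updated, "%Y-%m-%dT%H:%M:%S%Z"),
       updated=if(isnull(updated), "Never", strftime(updated, "%d %b %Y"))
``` sort 0 lifts the default 10,000-row cap of sort, so large deployments are not silently truncated ```
| sort 0 type
``` list() keeps the sorted order but returns at most 100 values per field ```
| stats list(title) as title, list(type) as type, list(orphaned) as orphaned,
        list(sharing) as sharing, list(owner) as owner, list(updated) as updated by app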
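``` Disk usage per mount point; free and capacity are treated as MB (hence /1024 to GB) ```
| rest /services/server/status/partitions-space
``` freeGB divides by 1024, not 2014 (typo); rounding after the multiply avoids float noise such as 12.340000000001 ```
| eval diskFree=tostring(round(100*free/capacity, 2))."%",
       capacityGB=round(capacity/1024, 2),
       freeGB=round(free/1024, 2)
| table splunk_server, mount_point, freeGB, capacityGB, diskFree
| rename splunk_server as "Splunk Server", mount_point as "Mount Point", diskFree as "Disk Free (%)",
         freeGB as "Disk Free (GB)", capacityGB as "Capacity (GB)"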
``` Roles assigned to each user account ```
| rest /services/authentication/users
| rename title as User
| stats values(roles) as Roles by User
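``` Retention period (frozenTimePeriodInSecs) of every index on every search peer ```
| rest splunk_server=* /services/data/indexes
``` 86400 seconds per day ```
| eval "Retention Period (days)"=frozenTimePeriodInSecs/86400
``` splunk_server=* yields one row per peer, so the peer is shown to keep same-named indexes from looking like duplicates ```
| table title splunk_server "Retention Period (days)"
| rename title as Index, splunk_server as "Splunk Server"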
``` Roles and default app of each user account ```
| rest /services/authentication/users
| rename title as Username
| stats values(roles) as Role, first(defaultApp) as "Default App" by Username
``` Sourcetypes present in each index; index=_* is needed because index=* alone does not match the internal indexes ```
| tstats values(sourcetype) as sourcetype where (index=* OR index=_*) by index
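``` Size, retention and event time span of every index; sizes and counts are rendered with thousands separators ```
| rest /services/data/indexes
| eval indexSize=tostring(round(currentDBSizeMB/1024, 2), "commas"),
       events=tostring(totalEventCount, "commas"),
       daysRetention=frozenTimePeriodInSecs/60/60/24
``` every *Time field (maxTime, minTime, ...) arrives as an ISO-8601 string; reformat each in place ```
| foreach *Time [ eval <<FIELD>>=strptime(<<FIELD>>, "%Y-%m-%dT%H:%M:%S%Z"), <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y %H:%M:%S") ]
``` fields the endpoint leaves unset (presumably min/max time of an index with no events) show as n/a ```
| fillnull value="n/a"
| table title, splunk_server, indexSize, daysRetention, events, maxTime, minTime
``` comma between every rename pair (the original omitted one after "Splunk Server") ```
| rename title as "Index Name", splunk_server as "Splunk Server", indexSize as "Current Size on Disk (GB)",
         daysRetention as "Retention Period in Days", events as "Count of events",
         maxTime as "Most Recent Event", minTime as "Earliest Event"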
``` Uptime of each server that answers the REST call; startup_time is used as epoch seconds ```
| rest /services/server/info
| eval secUp=now()-startup_time
| eval minutesUp=secUp/60
| table serverName, server_roles, secUp, minutesUp
| rename serverName as "Splunk Server", server_roles as "Server Roles",
         secUp as "Uptime (sec)", minutesUp as "Uptime (min)"
``` Alerts currently in the fired state on the local search head, with the owning app and user ```
| rest /services/alerts/fired_alerts splunk_server=local
| rename eai:acl.app as App, eai:acl.owner as Owner, id as Endpoint, title as Title,
         triggered_alert_count as "Count of Triggered Alerts"
| table App Owner Endpoint Title "Count of Triggered Alerts"
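``` Field transforms (transforms.conf stanzas) visible to the current user, grouped by app ```
| rest /services/data/transforms/extractions
``` isnull covers stanzas that omit DEST_KEY entirely, not only those that set it to an empty string ```
| eval DEST_KEY=if(isnull(DEST_KEY) OR DEST_KEY="", "N/A", DEST_KEY)
``` sort 0 lifts the default 10,000-row cap of sort ```
| sort 0 eai:acl.app title
| table eai:acl.app, title, SOURCE_KEY, REGEX, FORMAT, DEST_KEY
| rename eai:acl.app as App, title as Title, SOURCE_KEY as "Source Key",
         REGEX as RegEx, FORMAT as Format, DEST_KEY as "Dest Key"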