sourcetype=linux_secure | rex "\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)" | stats count by hostname
0 comments
[0]
[0]
[0]
[0]
sourcetype=linux_secure NOT "invalid user" | rex "\suser\s(?<User>[^\s]+)\s" | top User showperc=f
0 comments
[0]
[0]
[0]
[0]
sourcetype=linux_secure NOT "invalid user" | rex "\suser\s(?<User>[^\s]+)\s" | statsdc(User) as "Unique Users"
0 comments
[0]
[0]
[0]
[0]
sourcetype=linux_secure NOT "invalid user"| rex "\suser\s(?<User>[^\s]+)\s" | stats count by User
0 comments
[0]
[0]
[0]
[0]
sourcetype=Unix:Uptime OR sourcetype=WMI:Uptime | dedup host | eval days=round(SystemUpTime/(60*60*24),2), weeks=round(days/7,2), months=round(days/30,2) | table host days weeks months SystemUpTime |sort - SystemUpTime | rename days as "Days Up", weeks as "Weeks Up" months as "Months Up", SystemUpTime as "Seconds Up"
0 comments
[0]
[0]
[0]
[0]
sourcetype=top pctCPU=* | timechart sum(pctCPU) as pctCPU by host
0 comments
[0]
[0]
[0]
[0]
sourcetype=top pctMEM=* | timechart sum(pctMEM) as pctMEM by host
0 comments
[0]
[0]
[0]
[0]
sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) as "% Free Space" by host
0 comments
[0]
[0]
[0]
[0]
sourcetype=cron | rex ".*:\d{2}\s(?<host_name>\S+)" | rex "]:\sfinished(?<info>.*)" | stats count by host_name, info
0 comments
[0]
[0]
[0]
[0]
index=_internal sourcetype=scheduler scheduled_time=* savedsearch_name=* | stats count by scheduled_time, savedsearch_name | search count>1 | table savedsearch_name count | rename savedsearch_name as "Search Name" count as "Number of Times This Search Runs Each Time it is Called"
0 comments
[0]
[0]
[0]
[0]