Splunk Searches | A collection of useful Splunk SPL

Splunk Search for Count of events by index Copy


				|tstats count WHERE index=* OR index=_*  by index

0 comments

[0]

Splunk Search for List of skipped searches Copy


				index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count as Count by savedsearch_name reason | rename savedsearch_name as "Search Name", reason as Reason

0 comments

[0]

Splunk Search for Indexing lag by host Copy


				| tstats count as events BY host,_time,_indextime span=1s | eval indexlag=_indextime-_time | stats avg(indexlag) as "Indexing Lag" by host

0 comments

[0]

Splunk Search for Hosts forwarding internal logs to Indexers Copy


				index=_internal sourcetype=splunkd | stats dc(hostname) as "Unique Splunk Hosts"

0 comments

[0]

Splunk Search for Detailed information on Universal Forwarders Copy


				index=_internal sourcetype=splunkd destPort!="-"| stats count by hostname, sourceHost, host, destPort, version | fields - count | rename hostname as "Forwarder Hostname", sourceHost as "Forwarder IP", host as "Indexer Hostname", destPort as "Forwarding Port", version as "Splunk Version"

0 comments

[0]

Splunk Search for Successful and unsuccesful Splunk login attempts Copy


				index=_audit action="log*" | stats count as Attempts by user, info | rename info as "Outcome"

0 comments

[0]

Splunk Search for DB Connect queries Copy


				index=_audit sourcetype=audittrail action="db_connect_execute_query" | rex field=_raw "\sREST:\s\/db_connect\/query\/.+SELECT(?<Query>.+)].\w\S\w]" | eval Query=urldecode(Query) | table timestamp user Query

0 comments

[0]

Splunk Search for Details on searches by user Copy


				index=_audit splunk_server=local action=search (id=* OR search_id=*) search_id!=scheduler* user!=splunk-system-user
| eval search_id = if(isnull(search_id), id, search_id) 
| rex "search='search\s(?<search>.*?)',\sautojoin" 
| eval user = if(user="n/a", null, user)
| stats sum(total_run_time) as "Total Time Spent Searching (sec)", count as "# of Searches", max(_time) as "Last Search Time" by user | eval "Avg Search Duration (sec)"='Total Time Spent Searching (sec)'/'# of Searches'
| fieldformat "Last Search Time" = strftime('Last Search Time', "%b %d, %Y %H:%M:%S")

0 comments

[0]

Splunk Search for Splunk user modification attempts Copy


				index=_audit sourcetype=audittrail action=edit_user | eval Date=strftime(_time, "%b %d, %Y") |where user!=object| stats count by user, info, object, Date | rename user as User | rename info as "Status" | rename object as "Target Account" | sort - count

0 comments

[0]

Splunk Search for Find old, unused dashboards Copy


				| rest /servicesNS/-/-/data/ui/views splunk_server=* 
| search isDashboard=1 
| rename eai:acl.app as app 
| fields title app 
| join type=left title 
[| search index=_internal sourcetype=splunk_web_access host=* user=* 
| rex field=uri_path ".*/(?<title>[^/]*)$" 
| stats latest(_time) as Time latest(user) as user by title
] 
| eval Now=now() 
| eval "Days Since Last Viewed"=if(isnull(Time),"Never accessed",round((Now-Time)/86400))
| sort Time
| convert ctime(Time) 
| fields - Now

0 comments

[0]