index=_internal sourcetype=scheduler status=skipped
```Scheduled searches the scheduler skipped, tallied by app, search type, skip reason, search name and host. A skipped run of an alerting search is a silent detection gap, so sustained skips (see the reason column) deserve attention.```
| stats count BY app, search_type, reason, savedsearch_name, host
| sort - count
| rename count AS Count, app AS App, search_type AS "Search Type", reason AS Reason, savedsearch_name AS "Search Name", host AS Host
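index=_audit action=login info=succeeded
```Daily successful logins: distinct users and total login events. The action=login filter restricts this to authentication events; with info=succeeded alone, every successful audited action (searches, config edits, ...) would be counted as a login.```
| timechart span=1d dc(user) AS "Unique Users" count(user) AS "Total Logins"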
| tstats values(host) AS host WHERE index=* BY index
```Which hosts have data in each index. tstats answers this from the index metadata rather than raw events, so it is cheap; results only cover indexes the searching role is allowed to read.```
| tstats latest(_time) AS latest_time BY index, sourcetype, host
```Data sources that have gone quiet: every index/sourcetype/host whose newest event is at least 3600 seconds old. The threshold is fixed here; tune it to each source's expected cadence or noisy/slow sources will show up constantly.```
| eval now_time=now(), time_since_last=now()-latest_time
| where time_since_last>=3600
```format both *_time fields (latest_time, now_time) for display```
| foreach *_time [ | eval <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ]
| rename latest_time AS "Time of Last Event", now_time AS "Present Time", time_since_last AS "Seconds Since Last Event"
index=_audit action=search sourcetype=audittrail search_id=* search!="'typeahead*" NOT (user=splunk-system-user)
```Who searched which index and sourcetype, and when they last did so. The search string is re-extracted from _raw; the index/sourcetype attribution only catches the first literal index= / sourcetype= clause, so searches that reach data through macros, eventtypes or an IN (...) list are not attributed.```
| rex field=_raw "search\=(?P<search>.*)\]\[n\/a\]$"
| rex field=search "sourcetype\s*=\s*\"*(?<thisSourcetype>[^\s\"]+)"
| rex field=search "index\s*=\s*\"*(?<thisIndex>[^\s\"]+)"
| stats latest(_time) AS Latest BY user, search, thisSourcetype, thisIndex
| sort - Latest
| eval Latest=strftime(Latest,"%b %d, %Y %H:%M:%S")
| rename thisSourcetype AS Sourcetype, thisIndex AS Index
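index="_internal" sourcetype="splunkd" source="*metrics.log*" group=tcpin_connections component=Metrics
```Forwarder inventory from tcpin_connections metrics: one row per forwarder (sourceHost, guid) with its version, OS, architecture, last connection and last data received, and a status. A forwarder is "missing" when it has not connected within the last 900 seconds of the search window, "quiet" when it connected but has not sent data (kb>0) in that time, otherwise "active". The original status expression tested an undefined field (mystatus), so nothing was ever reported as quiet.```
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| eval connectionType=case(fwdType=="uf","Universal Forwarders", fwdType=="lwf","Lightweight Forwarder", fwdType=="full","Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
| eval version=if(isnull(version),"< 4.2",version)
| eval guid=if(isnull(guid),sourceHost,guid)
```"unkown" is kept as-is: dashboards or filters may already match on this exact value```
| eval os=if(isnull(os),"unkown",os)
| eval arch=if(isnull(arch),"unkown",arch)
| fields connectionType sourceIp sourceHost splunk_server version os arch kb guid
```lastReceived is only set on events that carried data; lastConnected on every connection event```
| eval lastReceived=case(kb>0, _time)
| eval lastConnected=max(_time)
| stats first(sourceIp) AS sourceIp first(connectionType) AS connectionType first(version) AS version first(os) AS os first(arch) AS arch max(lastConnected) AS lastConnected max(lastReceived) AS lastReceived BY sourceHost guid
| addinfo
| eval status=if(lastConnected<(info_max_time-900),"missing", if(isnull(lastReceived) or lastReceived<(info_max_time-900),"quiet","active"))
| fields sourceHost sourceIp version connectionType os arch lastConnected lastReceived status
| rename sourceHost AS Forwarder version AS "Splunk Version" connectionType AS "Forwarder Type" os AS "OS" status AS "Current Status" lastConnected AS "Last Connected" lastReceived AS "Last Data Received"
| eval "Last Data Received"=strftime('Last Data Received', "%D %H:%M:%S %p"), "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p")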
index=_audit action=edit_roles operation=*
```Role definition changes from the audit trail: when, by which user, which operation, and the object fields (presumably the affected role) — a privilege-change audit.```
| table _time, user, operation, object*
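index=_audit user=admin action=edit_user operation=*
```Account changes made by the admin user: the operations, the affected user objects and their timestamps. user is the account performing the edit, so changes made by other privileged accounts are not shown; widen user=admin to see them. Timestamps are formatted before list() aggregation because strftime on the multivalue Time field does not reliably format every value. list() keeps at most 100 values per column.```
| eval Time=strftime(_time,"%m/%d/%Y %H:%M:%S")
| stats list(Time) AS Time, list(operation) AS operation, list(object) AS object BY user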
index=_audit user=* action=indexes_edit
```Index configuration changes: the distinct user / info / index / action combinations seen in the audit trail. The count is dropped, leaving a de-duplicated list of who touched which index.```
| stats count BY user, info, index, action
| fields - count
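index=_internal source=*license_usage.log type=Usage
```License usage in GB per host from the type=Usage lines of license_usage.log. Bytes (b) are summed first and converted once, so per-event rounding error does not accumulate into the total. NOTE(review): host here is the Splunk instance that wrote the log line; the originating host of the ingested data is the h field — confirm which one this report is meant to show.```
| stats sum(b) AS bytes BY host
| eval GB=round(bytes/1024/1024/1024,4)
| fields - bytes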