``` Per-index roll-up of the newest event seen for every host/sourcetype pair and its age in hours.
    Caveat: list() keeps at most 100 values per field, so an index with more than 100 host/sourcetype
    pairs is silently truncated (all four lists are cut at the same point, so they stay aligned). ```
| tstats latest(_time) as Latest where index=* by host sourcetype index
``` now() is fixed at search start, so evaluating it per row is identical to storing it once. ```
| eval time_since_last=round(((now()-Latest)/60)/60,2)
| stats list(host) as host list(sourcetype) as sourcetype list(Latest) as "Latest Event" list(time_since_last) as "Time since last event (hours)" by index
| convert ctime("Latest Event")
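``` Forwarder thruput throttling: counts "has reached maxKBps" warnings per host, bucketed by the
    reported rate. The original case() left gaps (kb=520 and 770..771 fell through to ">1024") and the
    final sort compared the mixed string labels lexicographically, putting "1024" last; the buckets are
    now contiguous and ordering uses a numeric helper field. ```
index=_internal sourcetype=splunkd "has reached maxKBps"
| rex "Current data throughput \((?<kb>\S+)"
``` Lines whose rate could not be parsed are dropped instead of being counted as ">1024". ```
| where isnum(kb)
| eval kb_bucket=case(kb < 500, 256, kb < 520, 512, kb < 770, 768, kb < 1210, 1024, true(), 1025)
| eval throughput=if(kb_bucket > 1024, ">1024", tostring(kb_bucket))
``` throughput and kb_bucket are 1:1, so adding kb_bucket to the by-clause does not change the groups. ```
| stats count as Count sparkline as Trend by host, throughput, kb_bucket
| sort -kb_bucket, -Count
| fields - kb_bucket
| rename host as "Host" throughput as "Throughput rate(kb)"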
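``` Top 10 most visited dashboards (per app) from splunkweb access logs. The locale segment of the
    URL is matched generically (en-US, en-GB, ja-JP, ...) instead of hard-coding en-US, so users
    browsing in another locale are no longer excluded; static asset paths (/static/app/...) still do
    not match because the locale must sit directly before /app/. ```
index="_internal" source=*access.log user!="-" */app/*
| rex field=_raw "/[A-Za-z]{2}-[A-Za-z]{2,}/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)\sHTTP"
``` Events where the rex did not match have no dashboard/app and drop out of the stats. ```
| stats count by dashboard, app
| rename dashboard as "Dashboard Title", app as "App", count as Visits
| sort - Visits
| head 10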
``` Forwarder inventory: one row per connecting forwarder with the Splunk version(s) it reported.
    The event's own host (the receiving indexer) is deliberately overwritten with the forwarder's
    hostname, falling back to sourceHost when hostname is absent. ```
index=_internal group=tcpin_connections
| eval host=coalesce(hostname, sourceHost)
| search host=* host!="(ALL)"
``` Forwarders older than 4.2 do not report a version field at all. ```
| eval version=coalesce(version, "< 4.2")
| stats values(version) as version by host
``` Average search run time per host in 15-minute buckets, from the audit trail.
    dedup search_id keeps one audit event per search so multi-stage searches are not double counted. ```
index=_audit sourcetype=audittrail action=search total_run_time=* host=*
| dedup search_id
``` Same filter as the old "null" sentinel round-trip: keep only rows with a numeric run time. ```
| where isnum(total_run_time)
| timechart span=15m eval(round(avg(total_run_time),2)) as avg_runtime by host limit=0
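``` splunkd ERROR messages grouped by punct (message shape), with host spread and first/last sighting.
    first()/last() in stats mean first/last *seen*, and search results arrive newest-first, so the
    original first(_time)/last(_time) labelled the newest event "First Occurence" and the oldest
    "Most Recent Occurence". min()/max() give the chronological values the labels promise. ```
index=_internal sourcetype=splunkd log_level="ERROR"
| stats sparkline count dc(host) as hosts latest(event_message) as last_raw_msg values(sourcetype) as sourcetype min(_time) as first_msg_time max(_time) as last_msg_time values(index) as index by punct
| convert ctime(last_msg_time) ctime(first_msg_time)
| table last_raw_msg count hosts sourcetype index first_msg_time last_msg_time sparkline
``` Column labels are kept byte-for-byte (including the "Occurence" spelling) so existing panels keep working. ```
| rename last_raw_msg as "Error", count as Count, hosts as "Affected Hosts", sourcetype as Sourcetype, index as Index, first_msg_time as "First Occurence", last_msg_time as "Most Recent Occurence", sparkline as Trend
| sort - Count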
``` Failed Splunk login attempts per account from the audit index. Output is ordered by the
    group key (User); add a sort on "Failed Attempts" when using this as a brute-force indicator
    in an alert. ```
index=_audit action="login attempt" info=failed
| rename user as User
| stats count as "Failed Attempts" by User
``` Queues that are more than 80% full, latest reading per host/queue.
    If max_size_kb is 0 the division yields null and the row is filtered out. ```
index=_internal group=queue
| eval percent_full=(current_size_kb/max_size_kb)*100
| where percent_full>80
``` dedup keeps the newest event per queue, so each queue appears once. ```
| dedup host name
| rename host as Host name as Queue current_size_kb as "Current Queue Size" max_size_kb as "Max Queue Size"
| table _time Host Queue "Current Queue Size" "Max Queue Size"
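``` Hourly license usage per pool over the last 24h, in GB.
    The original converted after the timechart using a field named "bytes" that does not exist
    (the split-by output has one column per pool), so Volume was always null and the chart showed
    raw bytes. The conversion now happens inside the aggregation; column headers are the pool names
    and the values are GB rounded to 4 decimals. ```
index=_internal source=*license_usage.log* type=Usage earliest=-24h
| timechart span=1h eval(round(sum(b)/1024/1024/1024,4)) as Volume by pool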
``` Raw nullqueue pipeline metrics (CPU, executions, cumulative hits), one row per metrics event;
    no aggregation or sort is applied, rows come out newest-first. ```
index=_internal sourcetype=splunkd component=metrics group=pipeline processor=nullqueue
| rename log_level as "Log Level", name as "Name", processor as Processor, cpu_seconds as "CPU seconds", executes as Executes, cumulative_hits as "Cumulative Hits"
| table _time "Log Level" Name Processor "CPU seconds" Executes "Cumulative Hits"