Splunk Searches | A collection of useful Splunk SPL

Splunk Search for Splunk web users Copy


				index=_internal sourcetype=splunk_web_access
 [ rest / splunk_server=local
 | fields splunk_server
 | rename splunk_server as host ]
 | bin _time span=1d
 | stats count by date_hour _time
 | appendpipe [ fields _time
 | dedup _time
 | eval date_hour=mvrange(0,24,1)
 | eval count=0
 | mvexpand date_hour ]
 | stats sum(count) as count by date_hour _time
 | stats avg(count) as avg by date_hour | eval avg=round(avg)
 | sort date_hour | rename date_hour as "Hour of the day", avg as "Average hits on Splunk Web"

0 comments

[0]

Splunk Search for License usage for each index for each day week Copy


				index=_internal source=*license_usage.log type="Usage" splunk_server=* earliest=-1w@d | eval Date=strftime(_time, "%A") | eventstats sum(b) as volume by idx, Date | eval MB=round(volume/1024/1024,5)| timechart first(MB) AS Volume by idx

0 comments

[0]

Splunk Search for Hosts added to Splunk each month Copy


				| tstats dc(host) as Host by date_month | rename date_month as Month | eval Month=upper(substr(Month,1,1)).lower(substr(Month,2))

0 comments

[0]

Splunk Search for List of sourcetypes being sent by each Forwarder Copy


				index=_internal | where host!=splunk_server | stats values(series) as Sourcetypes by host | rename host as Host

0 comments

[0]

Splunk Search for Universal Forwarder Errors Copy


				index=_internal sourcetype="splunkd" log_level="ERROR" | stats sparkline count dc(host) as uniquehosts last(event_message) as event_message last(_time) as last first(_time) as first by punct  | eval last=strftime(last,"%b %d, %Y %H:%M:%S"), first=strftime(first,"%b %d, %Y %H:%M:%S") | table event_message count uniquehosts  first last sparkline | sort -count | rename event_message as "Error" count as Count uniquehosts as "Affected Hosts" first as "First Occurance" last as "Most Recent Occurance", sparkline as Trend

0 comments

[0]

Splunk Search for Errors associated with each host Copy


				index=_internal sourcetype="splunkd" log_level="ERROR"  host!=splunk_server | stats count by host, event_message | sort - count | rename host as Host, event_message as "Error", count as Count

0 comments

[0]

Splunk Search for Forwarders sending the most data Copy


				index="_internal" source="*metrics.log*" group=tcpin_connections NOT eventType=* | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | search sourceHost=* | timechart per_second(kb) by sourceHost WHERE max in top5 useother=f | rename sourceHost as UF

0 comments

[0]

Splunk Search for Successful Splunk logins Copy


				index=_audit action="login*" info=succeeded | dedup user | table user timestamp

0 comments

[0]

Splunk Search for User activity for DB Connect App Copy


				index=_audit sourcetype=audittrail action="db_connect*" | eval Date=strftime(_time, "%b %d, %Y") |rex field=_raw "user=(?<user>\w+)," | stats count as Count by Date, user, info, action

0 comments

[0]

Splunk Search for Checking how much of a sourcetype has been ingested Copy


				index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval GB=kb/1024/1024 | chart sum(GB) as "GB Ingested" avg(eps) as "Events per Second" over series | eval "GB Ingested"=round('GB Ingested',4), "Events per Second"=round('Events per Second',4) | rename series as Log

0 comments

[0]