Splunk Searches | A collection of useful Splunk SPL

Splunk Search for List of installed apps and their version Copy


				| rest splunk_server=local /services/apps/local | table title version | rename title as Title, version as Version

0 comments

[0]

Splunk Search for List of hosts forwarding internal logs to Indexers Copy


				| tstats count as Count where index=_internal by host

0 comments

[0]

Splunk Search for Roles and Allowed Indexes Copy


				| rest /services/authentication/users | mvexpand roles | table realname, title, roles, email | join roles [ rest /services/authorization/roles | rename title as roles | search srchIndexesAllowed=* | table roles srchIndexesAllowed] | rename realname as Name, title as Title, roles as Roles, email as Email, srchIndexesAllowed as "Indexes this user an access"

0 comments

[0]

Splunk Search for Time taken to restart Splunk Copy


				index=_audit (action="splunkShuttingDown" OR action="splunkStarting") | eval Date=strftime(_time, "%b %d, %Y") | transaction splunk_server startswith=action="splunkShuttingDown" endswith=action="splunkStarting" | eval duration=round(duration/60, 2) |table Date splunk_server duration| rename duration as "Time taken to restart (sec)" splunk_server as "Splunk Server"

0 comments

[0]

Splunk Search for Ports used by Universal Forwarders to send data to Indexers Copy


				index="_internal" source="*metrics.log*" group=tcpin_connections NOT eventType=*  | dedup sourceHost |stats count as Count by destPort

0 comments

[0]

Splunk Search for Memory used by search ID Copy


				index="_introspection"  "data.process"=splunkd | timechart max(data.mem_used) as "Memory Used" by data.search_props.sid usenull=f useother=f

0 comments

[0]

Splunk Search for Searches by user Copy


				index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) | timechart span=1d count by user usenull=f

0 comments

[0]

Splunk Search for Percentage of license usage for current day Copy


				| rest splunk_server=* /services/licenser/pools | rename title AS Pool | search [rest splunk_server=* /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% of Quota Used"=round(used_bytes/quota*100,2) | fields "% of Quota Used"

0 comments

[0]

Splunk Search for Top 5 license usage by host Copy


				index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS Volume by h  | eval  GB=round(Volume/1024/1024/1024,5) | table h GB  | rename h as Host, GB as "GB Used" | sort - GB | head 5

0 comments

[0]

Splunk Search for License usage by sourcetype Copy


				index=_internal source="*license_usage.log*" type=Usage | stats sum(b) as bytes by st | eval MB=tostring(round(bytes/1024/1024,2),"commas")| rename st as Sourcetype | fields - bytes | sort - Megabytes

0 comments

[0]