Splunk Searches | A collection of useful Splunk SPL

Splunk Search for Users Running All Time Searches Copy


				index=_audit action=search info=completed search_et="N/A" search_lt="N/A" user!=splunk-system-user | stats count by user

0 comments

[1]

Splunk Search for Indexers a Univeral Forwarder is Sending Data To Copy


				index=_internal tcpouteloop "connected to idx" | stats count by idx

0 comments

[1]

Splunk Search for Fields in CIM Datamodel Copy


				| rest splunk_server=local /servicesNS/-/Splunk_SA_CIM/data/models | fields title eai:data | spath input=eai:data path=objects{}.fields{} output=fields | mvexpand fields | spath input=fields | fields - eai:data fields

0 comments

[1]

Splunk Search for Details on Active Database Connected (DBX) Connections Copy


				| rest splunk_server=local /servicesNS/-/splunk_app_db_connect/configs/conf-db_connections | search [ | rest splunk_server=local /servicesNS/-/splunk_app_db_connect/configs/conf-db_inputs | search disabled=0 | stats count by connection | fields - count | rename connection as title | format ] | table title connection_type database host identity port

0 comments

[0]

Splunk Search for Database Connect (DBX) Inputs Copy


				| rest splunk_server=local /servicesNS/-/splunk_app_db_connect/configs/conf-db_inputs

0 comments

[1]

Splunk Search for Deployment Clients Phoning Home to Deployment Server Copy


				index=_internal sourcetype=splunkd *phonehome* component=DC* | stats latest(_time) as _time, latest(_raw) as _raw by host

0 comments

[1]

Splunk Search for Detecting Log4J jndi Vulnerabilities (CVE-2021-44228) (Log4Shell) Copy


				[ | tstats count where index=* AND punct IN ("*${*","*$%*") earliest=-7d latest=now by index, sourcetype 
| fields - count
| format ] AND (((punct=*$* AND punct=*:*) OR (punct=*%*)) AND ("*${*" OR "*%24{*" OR "$%7B*" OR "*%24%7B*"") AND ("//" OR "%2F%2F" OR "/%2F" OR "%2F/") ) 
| eval decoded_raw = urldecode(_raw)
| regex decoded_raw="\$\S*?{\S*?j[A-Za-z:\-\$[]]*?n[A-Za-z:\-\$[]]*?d[A-Za-z:\-\$[]]*?i[^\s\/]*//.*"

1 comment

[2]

[3]

Splunk Search for Disk, CPU and Memory Details of SplunkCloud or On-prem Search Head Copy


				| rest splunk_server=local /services/server/info 
| table splunk_server numberOfCores numberOfVirtualCores os_build physicalMemoryMB 
| appendcols 
    [| rest splunk_server=local /services/server/status/partitions-space 
    | table splunk_server mount_point available capacity ] 
| eval freeDiskGB=available/1024, totalDiskGB=capacity/1024 
| table splunk_server numberOfCores numberOfVirtualCores os_build physicalMemoryMB mount_point freeDiskGB totalDiskGB 
| addcoltotals freeDiskGB totalDiskGB

0 comments

[1]

Splunk Search for Size of All Lookup Files on Search Head Copy


				| rest /servicesNS/-/-/data/transforms/lookups getsize=true
| fields splunk_server filename title type size eai:appName

0 comments

[1]

Splunk Search for Size of Lookup File Copy


				| rest /servicesNS/-/-/data/transforms/lookups getsize=true
| fields splunk_server filename title type size eai:appName
| search filename="<insert lookup file name>"

0 comments

[1]