```Find events that were ingested more than once: group on the exact _raw text within each index and sourcetype, keep the groups seen more than once, then list the affected sourcetypes per index. Caveat: _time is not part of the grouping, so a line that legitimately repeats at different times is counted as a duplicate too. index=* over the whole time picker range is expensive; narrow the range before running this on a busy deployment.```
index=* 
| stats count by _raw index sourcetype 
| search count>1 
| stats values(sourcetype) as sourcetype by index
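```Per-user Splunk Web activity since midnight: last-seen time plus every view, app and URI the user touched. The search is restricted to sourcetype=splunk_web_access, which is where the view/app/uri fields come from, instead of scanning all of _internal for the day; and, matching the sibling five-minute query, unauthenticated requests (user "-") and the internal_monitoring account are excluded so they do not appear as users.```
index=_internal sourcetype=splunk_web_access earliest=@d latest=now user!="-" user!="internal_monitoring" 
| stats latest(_time) as _time, values(view) as view, values(app) as app, values(uri) as uri by user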
```Distinct users who hit Splunk Web in the last five minutes. Unauthenticated requests (user "-") and the internal_monitoring account are filtered out; the count from stats is only used for grouping and is dropped from the output.```
index=_internal sourcetype=splunk_web_access user!="internal_monitoring" user!="-" earliest=-5m latest=now 
| stats count by user 
| table user
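```First time the named saved search appears in the audit trail within the past year, rendered as a local timestamp. This is "first seen in _audit" -- bounded by the 365d window and by _audit retention, and it reflects the first run, not the moment the search was created or by whom. The title placeholder is quoted so a name containing spaces does not break the search; replace the whole <...> placeholder, keeping the quotes.```
index=_audit sourcetype=audittrail earliest=-365d savedsearch_name="<insert search title>" 
| stats earliest(_time) as created 
| eval created=strftime(created,"%m/%d/%Y %H:%M:%S")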
```Inventory of enabled correlation searches: saved searches across every app and owner (-/-) whose action.correlationsearch.enabled is 1 or true in any case. splunk_server=local keeps the REST call on this search head rather than fanning out to peers.```
| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where match('action.correlationsearch.enabled',"(?i)true|1") 
| fields title search updated 
| table title search updated
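```Enabled correlation searches that reference a data model, with the model name extracted from the search string. Fixes: the first rex had a malformed capture group "(?<datamodel1\S+)" (missing ">") and would error; the enabled test is widened from =1 to the 1/true match used by the sibling inventory query so correlation searches stored with "true" are not missed; the nested coalesce is flattened; and the datamodel= pattern tolerates an optional quote so the captured name does not include the quote character.```
| rest splunk_server=local /services/saved/searches 
| where match('action.correlationsearch.enabled',"1|(?i)true") AND match(search,"datamodel") 
| fields title search 
| rex field=search "datamodel=\"?(?<datamodel1>[^\"\s]+)" 
| rex field=search "datamodel:(?<datamodel2>\S+)" 
| rex field=search "datamodel\s\"(?<datamodel3>[^\"]+)" 
| eval datamodel=coalesce(datamodel1,datamodel2,datamodel3) 
| table title search datamodel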
```Every user account this search head knows about and the roles assigned to it. NOTE(review): accounts authenticated via LDAP/SAML show up only to the extent Splunk has them recorded locally -- confirm against the directory before treating this as a complete access review.```
| rest /services/authentication/users splunk_server=local 
| fields title roles 
| table title roles
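```Users seen running sudo in syslog, each looked up in the AD summary index for their last logon. Fixes: the outer stats now groups by user only (hosts collected as a multivalue) so map runs one subsearch per user rather than one per user/host pair; map stops after maxsearches subsearches (default 10) and drops the remaining rows, so the limit is raised explicitly; and the $user$ token is quoted so a username containing spaces or special characters cannot break out of the inner search. map replaces the outer rows with the inner results, so host/count are not carried through unless the inner search is extended to return them.```
sourcetype=syslog sudo 
| stats values(host) as host count by user 
| map maxsearches=1000 search="search index=ad_summary username=\"$user$\" type_logon=ad_last_logon"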
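```Audit of searches that use a wildcard index (index=*), which scan every index the user can read and are a frequent cause of slow searches and of reading data the author did not intend to touch. Fixes: the eval target "ad-hoc" contains a hyphen and must be quoted to be a field name; the six hand-written spacing/quoting variants of index=* are replaced by one case-insensitive pattern that tolerates any whitespace around "=" and optional double quotes around "*", anchored on a word boundary so a field such as myindex=* is not flagged.```
index=_audit action="search" search="*" 
| eval "ad-hoc"=if(NOT user="splunk-system-user", "Yes", "No") 
| eval "Using Wildcard Index"=if(match(search,"(?i)\bindex\s*=\s*\"?\*\"?"), "TUNE-ME", "OK") 
| table user search "ad-hoc" "Using Wildcard Index"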
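```Indexes whose current size is at or above 75% of maxTotalDataSizeMB, the cap beyond which Splunk starts freezing the oldest buckets. Fixes: splunk_server is kept in the output, because with no splunk_server= filter the REST call fans out to every indexer and the same index title appears once per peer, which is ambiguous without the server name. An index with maxTotalDataSizeMB of 0 yields a null percentage and is silently dropped by the where clause rather than reported.```
| rest /services/data/indexes-extended 
| table splunk_server title currentDBSizeMB maxTotalDataSizeMB 
| eval perc_full=round(currentDBSizeMB/maxTotalDataSizeMB*100, 2) 
| where perc_full>=75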