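| rest splunk_server=local /services/saved/searches | where match(search,"datamodel") and 'action.correlationsearch.enabled'=1 | fields title search | rex field=search "datamodel=(?<datamodel1>\S+)" | rex field=search "datamodel:(?<datamodel2>\S+)" | rex field=search "datamodel\s\"(?<datamodel3>[^\"]+)" | eval datamodel=coalesce(datamodel1,datamodel2,datamodel3) | table title search datamodel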
| rest splunk_server=local /services/authentication/users count=0 | table title roles
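sourcetype=syslog sudo | stats count by user | map maxsearches=100 search="search index=ad_summary username=\"$user$\" type_logon=ad_last_logon"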
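index=_audit action="search" search="*" | eval "ad-hoc"=if(NOT user="splunk-system-user", "Yes", "No") | eval "Using Wildcard Index"=if(match(search,"index\s*=\s*\"?\*\"?"), "TUNE-ME", "OK") | table user search "ad-hoc" "Using Wildcard Index"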
| rest /services/data/indexes-extended | eval perc_full=round(currentDBSizeMB/maxTotalDataSizeMB*100, 2) | where perc_full>=75 | table title currentDBSizeMB maxTotalDataSizeMB perc_full
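| tstats count where earliest=-90d by index | fields - count | search NOT [ index=_audit earliest=-7d latest=now action="search" search="*" | rex field=search "index=\"?(?<index_used>[^\s\"]+)" | where NOT like(index_used,"%*%") | stats values(index_used) as index ]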
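index=_audit action="search" search="*" | rex field=search "index=\"?(?<index_used>[^\s\"]+)" | stats values(index_used) as index_used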
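| rest report_as=text splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/service | spath input=value output=services path={} | fields services | mvexpand services | spath input=services output=title path=title | spath input=services output=key path=_key | spath input=services output=kpis path=kpis{} | fields key title kpis | mvexpand kpis | spath input=kpis output=type path=type | search type!=service_health | spath input=kpis output=aggregate_thresholds path=aggregate_thresholds | mvexpand aggregate_thresholds | spath input=kpis output=kpi_title path=title | spath input=kpis output=kpi_key path=_key | spath input=kpis output=kpi_unit path=unit | fields key title kpi_key kpi_title kpi_unit *thresholds | spath input=aggregate_thresholds output=aggregate_baseSeverityValue path=baseSeverityValue | spath input=aggregate_thresholds output=aggregate_thresholds path=thresholdLevels{} | mvexpand aggregate_thresholds | spath input=aggregate_thresholds output=aggregate_thresholdValue path=thresholdValue | spath input=aggregate_thresholds output=aggregate_severityLabel path=severityLabel | fields title kpi_title kpi_unit aggregate* | fields - aggregate_thresholds | eval aggregate_severityLabel=coalesce(aggregate_severityLabel,"Informational"), aggregate_thresholdValue=aggregate_thresholdValue." ".kpi_unit | dedup title kpi_title aggregate_thresholdValue | stats list(aggregate_thresholdValue) as "Threshold Level", list(aggregate_severityLabel) as "Threshold Severity" by title kpi_title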
| inputlookup service_kpi_lookup | rename _key AS key | fields key title | lookup itsi_entities services._key AS key OUTPUT _itsi_identifier_lookups AS identifiers
| inputlookup service_telemetry_lookup | rename services_depends_on.serviceid AS dependencies | fields title dependencies | eval dependencies=mvjoin(dependencies, ",") | where isnull(dependencies)