Splunk Searches | A collection of useful Splunk SPL

Splunk Search for List of indexes and retention period Copy


				| rest splunk_server=* /services/data/indexes | eval "Retention Period (days)"=frozenTimePeriodInSecs/60/60/24 | table title "Retention Period (days)" | rename title as Index

0 comments

[0]

Splunk Search for Users by role and default app Copy


				| rest /services/authentication/users 
| stats values(roles) as Role first(defaultApp) as "Default App" by title | rename title as Username

0 comments

[0]

Splunk Search for Indexes by sourcetype Copy


				| tstats values(sourcetype) as sourcetype WHERE index=* OR index=_* by index

0 comments

[0]

Splunk Search for Detailed information on Indexes Copy


				| rest /services/data/indexes 
| eval indexSize=tostring(round(currentDBSizeMB/1024,2), "commas"), events=tostring(totalEventCount, "commas"), daysRetention=frozenTimePeriodInSecs/60/60/24 | foreach *Time [ | eval <<FIELD>>=strptime(<<FIELD>>,"%Y-%m-%dT%H:%M:%S%Z"), <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ] | fillnull value="n/a"
| table title, splunk_server, indexSize, daysRetention, events, maxTime, minTime | rename title as "Index Name", splunk_server as "Splunk Server" indexSize as "Current Size on Disk (GB)", daysRetention as "Retention Period in Days", events as "Count of events", maxTime as "Most Recent Event", minTime as "Earliest Event"

0 comments

[0]

Splunk Search for Uptime of Splunk Servers Copy


				| rest /services/server/info | eval secUp=now()-startup_time, minutesUp=secUp/60 | table serverName, server_roles, secUp, minutesUp | rename serverName as "Splunk Server", server_roles as "Server Roles", secUp as "Uptime (sec)", minutesUp as "Uptime (min)"

0 comments

[0]

Splunk Search for List of triggered alerts Copy


				| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.app eai:acl.owner id title triggered_alert_count | rename eai:acl.* as *, app as App, owner as Owner, id as Endpoint, title as Title, triggered_alert_count as "Count of Triggered Alerts"

0 comments

[0]

Splunk Search for Extractions using regex in transforms.conf Copy


				| rest /services/data/transforms/extractions | table eai:acl.app, title, SOURCE_KEY, REGEX, FORMAT, DEST_KEY | sort eai:acl.app title | eval DEST_KEY=if(DEST_KEY="","N/A",DEST_KEY) | rename eai:acl.app as App, title as Title, SOURCE_KEY as "Source Key", REGEX as RegEx, FORMAT as Format, DEST_KEY as "Dest Key"

0 comments

[0]

Splunk Search for Field extractions in props.conf Copy


				| rest /services/data/props/extractions | table stanza type attribute value | sort stanza

0 comments

[0]

Splunk Search for List of inputs Copy


				| rest /services/data/inputs/all | table index source sourcetype title starttime endtime interval | eval interval=if(isnull(interval),"Not a scripted input",interval) | fillnull value="Null" | eval starttime=strftime(starttime,"%b %d, %Y %H:%M:%S"), endtime=strftime(endtime,"%b %d, %Y %H:%M:%S") | rename index as Index, source as Source, sourcetype as Sourcetype, title as Title, starttime as "First Event" endtime as "Latest Event", interval as Interval

0 comments

[0]

Splunk Search for Available CPU and Memory Copy


				| rest  /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count), cpu_usage = (cpu_system_pct + cpu_user_pct), mem_used_pct = round((mem_used/mem)*100 , 2), mem_used = tostring(round(mem_used/1024, 3),"commas"), mem = tostring(round(mem/1024, 0),"commas") | fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, - mem_used_pct | rename splunk_server AS "Splunk Server", cpu_count AS "CPU Cores", cpu_usage AS "CPU Used (%)", mem AS "Memory Capacity (GB)", mem_used AS "Memory Used (GB)", mem_used_pct AS "Memory Used (%)"

0 comments

[0]