index=_introspection component=Hostwide
    ```Splunk version(s) each host reported per day, taken from data.splunk_version in Hostwide introspection events. Handy for spotting hosts that lag behind on upgrades. No earliest/latest is set, so the time picker decides how far back this looks.```
| bin span=1d _time
| stats values(data.splunk_version) by _time host
| rest /services/deployment/server/clients splunk_server=local
    ```Inventory of deployment clients known to this instance: host name, IP, instance name, OS string, package and Splunk version. splunk_server=local keeps the REST call on the instance that runs the search; presumably this is meant to run on the deployment server itself - confirm. Compare the list with the asset inventory to find forwarders that are unexpected or out of date.```
| table hostname ip instanceName utsname package splunkVersion
| rest /services/deployment/server/applications splunk_server=local
    ```Deployment applications known to this instance, reduced to app title, server classes and the state requested on the client.```
| search serverclass=*
    ```NOTE(review): the filter tests a field named serverclass while the table prints serverclasses - confirm which field the endpoint actually returns, otherwise this filter may drop every row.```
| table title serverclasses stateOnClient
index=_internal sourcetype=splunkd component=BucketMover earliest=-7d latest=now
    ```Counts BucketMover events from the last 7 days, grouped by the value extracted from the bkt path.```
| rex field=bkt "/opt/splunk/var/lib/splunk/cold(?<frozen_index>[^/]+)"
    ```NOTE(review): the capture starts directly after the literal text cold, with no path separator, so it yields whatever follows cold up to the next slash. A separator may have been lost when the query was published - verify against a real bkt value. The /opt/splunk prefix is hard-coded and will not match installs that use another SPLUNK_DB location. Events where the pattern does not match get no frozen_index and are left out of the count.```
| stats count by frozen_index
| rest /services/authentication/users splunk_server=local
    ```Account review: every user known to this instance (title) with the roles assigned to it. Use it to check role assignments against least privilege, for example who holds admin-level roles. splunk_server=local limits the answer to the instance running the search, so other instances are not covered.```
| table title roles
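index=_audit action="search" search="*"
    ```Audit of executed searches: who ran what, whether it was run by a person, and whether it searches every index. No earliest/latest is set, so the time picker decides the window.```
| eval "ad-hoc"=if(NOT user="splunk-system-user", "Yes", "No")
    ```The field name is quoted because it contains a hyphen; unquoted, eval would not read ad-hoc as a single field name. Anything not run by splunk-system-user is marked Yes.```
| eval "Using Wildcard Index"=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")
    ```Flags searches that name a wildcard index. The pattern lists specific spellings only; variants such as index =* or index IN (*) are not covered, so an OK result is not proof that a search is scoped to named indexes.```
| table user search "ad-hoc" "Using Wildcard Index"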
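| tstats count where earliest=-90d by index
    ```Indexes that received data in the last 90 days but were not named in any audited search during the last 7 days. NOTE(review): no index= term is given to tstats, so this presumably covers only the default search indexes of the role running it - confirm, and add an index filter if all indexes are intended.```
| fields - count
| search NOT
    [ search index=_audit earliest=-7d latest=now action="search" search="*"
        ```A subsearch has to start with a generating command, hence the explicit search keyword.```
    | rex field=search "index=(?<index_used>[^\s]+)"
        ```Takes the first index=... token of each search string only. Quotes, wildcards and trailing punctuation are captured as written, so such values will not equal a real index name and that index still shows up as unused.```
    | stats count by index_used
    | rename index_used as index
        ```The subsearch must hand back a field called index; a field with any other name never matches the tstats rows and the NOT would filter nothing.```
    | fields index ]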
index=_audit action="search" search="*"
    ```Distinct index names referenced by audited searches. No earliest/latest is set, so the time picker decides the window.```
| rex field=search "index=(?<index_used>[^\s]+)"
    ```Captures the text after the first index= up to the next whitespace; later index= terms in the same search are not captured, and quotes or wildcards are kept as written.```
| stats values(index_used) AS index_used
| inputlookup service_telemetry_lookup
    ```Services from the lookup that list no dependent service ids. The lookup name and its services_depends_on.serviceid field are taken as given - confirm they exist in the target environment.```
| fields title services_depends_on.serviceid
| rename services_depends_on.serviceid AS dependencies
| eval dependencies=mvjoin(dependencies, ",")
    ```Flattens a multivalue list into one comma-separated string.```
| where isnull(dependencies)
| inputlookup service_kpi_lookup
    ```Services whose KPIs, other than those with an id starting SHKPI, reported only N/A as alert_value during the last 7 days. These are likely services that receive no usable data - confirm against the KPI base searches.```
| fields _key title
| rename _key AS itsi_service_id
| search
    [ search index=itsi_summary itsi_kpi_id!=SHKPI* earliest=-7d latest=now
    | stats values(alert_value) AS alert_value by itsi_service_id
    | eval alert_value=mvjoin(alert_value, ",")
        ```After the join, a service that also reported some other value has a string such as 1,N/A and no longer equals N/A, so it is excluded by the next step.```
    | search alert_value=N/A
    | fields itsi_service_id ]