Splunk Searches | A collection of useful Splunk SPL

Splunk Search for Disk Free on Windows Machine Using Metrics Copy


				| mstats avg(_value) as avgValue WHERE metric_name="LogicalDisk.*" AND index=em_metrics span=auto by metric_name, host, instance | eval metric_name=metric_name."_".instance, avgValue=avgValue."host".host | xyseries _time metric_name avgValue | rename LogicalDisk.* as *, %_* as perc_*, *: as * | foreach * [ | rex field=<<FIELD>> "(?P<<FIELD>>.+)host(?P<host>.+)$" ]

0 comments

[0]

Splunk Search for CPU Utilization on Windows Servers Copy


				| mstats avg(_value) as avgValue WHERE metric_name="Processor.%_Processor_Time" OR metric_name="Processor.%_Idle_Time" AND "index"="em_metrics" span=auto by metric_name, host | eval avgValue=avgValue."host".host | xyseries _time metric_name avgValue | rename Processor.%_* as perc_* | foreach perc_* [ | rex field=<<FIELD>> "(?P<<<FIELD>>>.+)host(?P<host>.+)$" ]

0 comments

[0]

Splunk Search for Windows Free Disk Space by Drive Copy


				(index=windows OR index=perfmon OR index=os) sourcetype=perfmonMK:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),Free_Megabytes), FreePct-{instance}=storage_free_percent,FreeMB-{instance}=Free_Megabytes

0 comments

[0]

Splunk Search for Memory usage by Splunk server Copy


				| rest splunk_server=* /services/server/status/resource-usage/hostwide  | eval "% Memory Used"=round(mem_used/mem,4)*100 | table  splunk_server "% Memory Used" | rename splunk_server as "Splunk Server"

0 comments

[0]

Splunk Search for Most active linux hosts Copy


				sourcetype=linux_secure | rex "\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)" | top limit=10 hostname

0 comments

[0]

Splunk Search for Linux and Windows machine uptime Copy


				sourcetype=Unix:Uptime OR sourcetype=WMI:Uptime | dedup host | eval days=round(SystemUpTime/(60*60*24),2), weeks=round(days/7,2), months=round(days/30,2) | table host days weeks months SystemUpTime |sort - SystemUpTime | rename days as "Days Up", weeks as "Weeks Up" months as "Months Up", SystemUpTime as "Seconds Up"

0 comments

[0]

Splunk Search for CPU usage over time on Linux machine Copy


				sourcetype=top pctCPU=* | timechart sum(pctCPU) as pctCPU by host

0 comments

[0]

Splunk Search for Memory usage over time on Linux machine Copy


				sourcetype=top pctMEM=* | timechart sum(pctMEM) as pctMEM by host

0 comments

[0]

Splunk Search for Disk free space over time on Linux machine Copy


				sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) as "% Free Space" by host

0 comments

[0]

Splunk Search for Memory used by search ID Copy


				index="_introspection"  "data.process"=splunkd | timechart max(data.mem_used) as "Memory Used" by data.search_props.sid usenull=f useother=f

0 comments

[0]