```Who created which index: latest creation time per creator/index, taken from the splunk_python handleCreate events. NOTE(review): assumes loginUsername and indexName are populated by that handler on this version — confirm``` index=_internal sourcetype=splunk_python action="handleCreate" | stats latest(_time) as _time by loginUsername indexName
```User accounts created, from the audit trail edit_user/create records; the audited object name is the new account. strptime parses the audit timestamp field (mm-dd-yyyy with milliseconds) and convert re-renders it as dd/Mon/yyyy``` index=_audit action=edit_user operation=create |rename object as user |eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") |convert timeformat="%d/%b/%Y" ctime(timestamp) |table user timestamp
```DB Connect connections that are used by at least one enabled db_input. The subsearch collects the distinct connection names of enabled inputs and format turns them into title="..." OR title="..." for the outer search (subsearch result limits apply if the list is large). NOTE(review): identity presumably references a stored credential name rather than a secret — verify before sharing output``` | rest splunk_server=local /servicesNS/-/splunk_app_db_connect/configs/conf-db_connections | search [ | rest splunk_server=local /servicesNS/-/splunk_app_db_connect/configs/conf-db_inputs | search disabled=0 | stats count by connection | fields - count | rename connection as title | format ] | table title connection_type database host identity port
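```Ad-hoc searches from the audit trail: non-scheduled, non-system-user, newest first. info=completed keeps one record per search (the audit trail also writes a granted record for each one) and is the record that carries total_run_time and result_count; drop info= to also see searches that never completed. splunk-system-user is quoted because the value contains hyphens``` index=_audit action=search info=completed search=* user!="splunk-system-user" provenance!=scheduler | table _time user search host total_run_time result_count | sort - _time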
```Enabled apps on this instance with version and description, one row per app per splunk_server; both spellings of the disabled flag ("false" and 0) count as enabled``` | rest /services/apps/local | search disabled="false" OR disabled=0 | table title version description splunk_server
```Buckets handled by BucketMover in the last 7 days, counted per index name extracted from the bkt path. NOTE(review): the prefix /opt/splunk/var/lib/splunk/cold/ is hard-coded — adjust for a custom SPLUNK_DB or Windows paths. NOTE(review): BucketMover logs more than freeze operations, so the count may include other cold-bucket moves — confirm against the log messages``` index=_internal sourcetype=splunkd earliest=-7d latest=now component=BucketMover | rex field=bkt "/opt/splunk/var/lib/splunk/cold/(?<frozen_index>[^/]+)" | stats count by frozen_index
```Per-user activity since midnight: last seen time plus the distinct views, apps and URIs touched. NOTE(review): there is no sourcetype filter, so this scans all of index=_internal for the day; the view/app/uri fields suggest sourcetype=splunk_web_access is intended — adding it is much cheaper, confirm it does not drop wanted events``` index=_internal earliest=@d latest=now | stats latest(_time) as _time, values(view) as view, values(app) as app, values(uri) as uri by user
```Usernames with web activity in the last 5 minutes (list only, the count is discarded); internal_monitoring and unauthenticated "-" requests are excluded``` index=_internal earliest=-5m latest=now sourcetype=splunk_web_access user!="internal_monitoring" user!="-" | stats count by user | fields - count
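```First recorded run of a saved search in the audit trail over the last year. Replace the placeholder with the saved search title; the quotes keep a multi-word title as one value. NOTE: this is the earliest execution in retained audit data, not the time the saved search object was created``` index=_audit sourcetype=audittrail savedsearch_name="<insert search title>" earliest=-365d | stats earliest(_time) as created | eval created=strftime(created,"%m/%d/%Y %H:%M:%S")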
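```Flags audited searches that use a wildcard index (index=*), a common tuning target, and marks non-system-user searches as ad-hoc. The regex accepts any whitespace around = and optional quotes around * in one pattern instead of six literal alternatives; the ad-hoc field name is quoted because it contains a hyphen``` index=_audit action="search" search="*" | eval "ad-hoc"=if(NOT user="splunk-system-user", "Yes", "No") | eval "Using Wildcard Index"=if(match(search,"index\s*=\s*\"?\*\"?"), "TUNE-ME", "OK") | table user search "ad-hoc" "Using Wildcard Index"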