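```Ad-hoc searches run by real users, newest first. info=completed keeps one row per search (audit.log also logs a granted event for the same search, which carries no total_run_time/result_count). sort 0 lifts the default 10000-row cap so older activity is not silently truncated.```
index=_audit action=search info=completed search=* user!=splunk-system-user provenance!=scheduler
| table _time user search host total_run_time result_count
| sort 0 - _time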
```Inventory of enabled apps per Splunk instance reached by the REST call (splunk_server identifies the instance); disabled apps are dropped```
| rest /services/apps/local
| search disabled="false" OR disabled=0
| table title version description splunk_server
```Counts BucketMover events per index over the last 7 days, reading the index name out of the bucket path in bkt. NOTE(review): the regex only matches paths of the form /opt/splunk/var/lib/splunk/cold<name>; with the default layout ($SPLUNK_DB/<index dir>/colddb/...) nothing matches, and the directory name can differ from the index name (e.g. defaultdb for main) - confirm against a real bkt value before relying on the counts.```
index=_internal sourcetype=splunkd earliest=-7d latest=now component=BucketMover | rex field=bkt "/opt/splunk/var/lib/splunk/cold(?<frozen_index>[^/]+)" | stats count by frozen_index
```Per-user activity since midnight: last seen time plus the distinct views, apps and URIs touched. NOTE(review): there is no sourcetype filter, so every _internal event of the day is scanned and pseudo-users such as "-" and internal_monitoring (excluded by the sibling splunk_web_access search on this page) are included - confirm whether sourcetype=splunk_web_access is the intended scope.```
index=_internal earliest=@d latest=now | stats latest(_time) as _time, values(view) as view, values(app) as app, values(uri) as uri by user
```Distinct users seen in Splunk Web during the last 5 minutes. user!= (rather than NOT user=) deliberately drops events with no user field as well as the two pseudo-users.```
sourcetype=splunk_web_access index=_internal earliest=-5m latest=now user!="internal_monitoring" user!="-"
| stats count by user
| table user
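```Approximates when a saved search was created as its earliest audited run within the last year (it is the first execution, not the object's creation time, and nothing older than 365d is considered). The placeholder is quoted because a title containing spaces would otherwise be split into separate search terms.```
index=_audit sourcetype=audittrail savedsearch_name="<insert search title>" earliest=-365d
| stats earliest(_time) as created
| eval created=strftime(created, "%m/%d/%Y %H:%M:%S")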
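```Flags audited searches that select every index (index=* with any spacing or quoting), which are the expensive ones to tune, and marks whether each was ad-hoc (not run by the system user). info=completed keeps one row per search instead of a granted plus a completed row. The hyphenated field name is quoted on the eval left-hand side, matching the quoted multi-word field below.```
index=_audit action="search" info=completed search="*"
| eval "ad-hoc"=if(user!="splunk-system-user", "Yes", "No")
| eval "Using Wildcard Index"=if(match(search, "index\s*=\s*\"?\*\"?"), "TUNE-ME", "OK")
| table user search ad-hoc "Using Wildcard Index"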
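```Indexes at 75% or more of their maxTotalDataSizeMB, fullest first. splunk_server is kept so that in a distributed deployment the same index name on different indexers is not collapsed into ambiguous rows. where is used for the threshold so the comparison is numeric rather than a search-term match.```
| rest /services/data/indexes-extended
| eval perc_full=round(currentDBSizeMB/maxTotalDataSizeMB*100, 2)
| where perc_full>=75
| table title splunk_server currentDBSizeMB maxTotalDataSizeMB perc_full
| sort - perc_full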
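```Indexes holding data from the last 90 days that no audited search referenced in the last 7 days. The subsearch must emit the field as index (the outer rows have no index_used field, so NOT index_used=... would match every row and list every index). Any captured value containing * is dropped first, because index="*" as a generated search term would match all indexes and empty the result. Quotes and spaces around = are tolerated; index IN (...) is not parsed.```
| tstats count where earliest=-90d by index
| fields - count
| search NOT [
    index=_audit earliest=-7d latest=now action="search" search="*"
    | rex field=search "index\s*=\s*\"?(?<index_used>[^\s\"]+)"
    | where NOT like(index_used, "%*%")
    | stats count by index_used
    | rename index_used as index
    | fields index
  ]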
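```Distinct index names referenced in audited search strings. The capture tolerates spaces around = and strips surrounding double quotes, so index="foo" and index=foo count as the same index; index IN (...) and wildcard values such as * are still returned verbatim.```
index=_audit action="search" search="*"
| rex field=search "index\s*=\s*\"?(?<index_used>[^\s\"]+)"
| stats values(index_used) as index_used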