Splunk Searches | A collection of useful Splunk SPL

Splunk Search for List of inputs Copy


				| rest /services/data/inputs/all | table index source sourcetype title starttime endtime interval | eval interval=if(isnull(interval),"Not a scripted input",interval) | fillnull value="Null" | eval starttime=strftime(starttime,"%b %d, %Y %H:%M:%S"), endtime=strftime(endtime,"%b %d, %Y %H:%M:%S") | rename index as Index, source as Source, sourcetype as Sourcetype, title as Title, starttime as "First Event" endtime as "Latest Event", interval as Interval

0 comments

[0]

Splunk Search for Events per linux host Copy


				sourcetype=linux_secure | rex "\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)" | stats count by hostname

0 comments

[0]

Splunk Search for Checking how much of a sourcetype has been ingested Copy


				index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval GB=kb/1024/1024 | chart sum(GB) as "GB Ingested" avg(eps) as "Events per Second" over series | eval "GB Ingested"=round('GB Ingested',4), "Events per Second"=round('Events per Second',4) | rename series as Log

0 comments

[0]