Splunk Searches | A collection of useful Splunk SPL

Splunk Search for Deployment Clients Phoning Home to Deployment Server Copy


				index=_internal sourcetype=splunkd *phonehome* component=DC* | stats latest(_time) as _time, latest(_raw) as _raw by host

0 comments

[0]

Splunk Search for List of skipped searches Copy


				index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count as Count by savedsearch_name reason | rename savedsearch_name as "Search Name", reason as Reason

0 comments

[0]

Splunk Search for Hosts forwarding internal logs to Indexers Copy


				index=_internal sourcetype=splunkd | stats dc(hostname) as "Unique Splunk Hosts"

0 comments

[0]

Splunk Search for Detailed information on Universal Forwarders Copy


				index=_internal sourcetype=splunkd destPort!="-"| stats count by hostname, sourceHost, host, destPort, version | fields - count | rename hostname as "Forwarder Hostname", sourceHost as "Forwarder IP", host as "Indexer Hostname", destPort as "Forwarding Port", version as "Splunk Version"

0 comments

[0]

Splunk Search for Skipped searches by app Copy


				index = _internal sourcetype=scheduler status=skipped
| stats count by app search_type reason savedsearch_name host
| sort - count | rename count as Count, app as App, search_type as "Search Type", reason as Reason, savedsearch_name as "Search Name", host as Host

0 comments

[0]

Splunk Search for Details of scheduled searches Copy


				index=_internal sourcetype=scheduler result_count | stats avg(result_count) min(result_count) max(result_count), sparkline avg(run_time) min(run_time) max(run_time) sum(run_time) values(host) AS hosts count AS execution_count by savedsearch_name, app | join savedsearch_name type=outer [| rest /servicesNS/-/-/saved/searches | fields title eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search | rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS Owner cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time"]| rename savedsearch_name AS "Saved Search Name" search AS "SPL Query" app AS App | makemv delim="," values(host) | sort - avg(run_time) | table "Saved Search Name", App, Owner, "SPL Query", "Dispatch Earliest Time" "Dispatch Latest Time" "Cron Schedule" hosts, execution_count, *(result_count), sum(run_time) *(run_time), sparkline | rename sparkline as Trend, min(run_time) as "Min Run Time", max(run_time) as "Max Run Time", avg(run_time) as "Avg Run Time", min(result_count) as "Min Results", max(result_count) as "Max Results", avg(result_count) as "Avg Results", execution_count as "Times Run", sum(run_time) as "Total Time Spent"

0 comments

[0]

Splunk Search for Indexing queue sizes Copy


				index=_internal source=*metrics.log group=queue (name=parsingqueue OR name=indexqueue OR name=typingqueue OR name=aggqueue) | timechart avg(current_size) by name | rename *queue as *

0 comments

[0]

Splunk Search for Percentage of skipped searches Copy


				index=_internal sourcetype=scheduler | stats count as total, count(eval(status="skipped")) as skipped | eval pct=round(skipped/total * 100, 0) | rangemap field=pct low=0-10, elevated=10-20 severe=20-50 critical=50-100 | eval pct = pct . "%" | fields pct, range | rename pct as "Percent Skipped Searches", range as State

0 comments

[0]

Splunk Search for Most viewed dashboards Copy


				index="_internal" source=*access.log user!="-" */app/*
| rex field=_raw "/en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)\sHTTP" | stats count by dashboard, app | rename dashboard as "Dashboard Title", app as "App", count as Visits | sort - Visits | head 10

0 comments

[0]

Splunk Search for List all Universal Forwarders Copy


				index=_internal group=tcpin_connections
| eval host=if(isnull(hostname), sourceHost,hostname) 
| search (host=*) AND (host!="(ALL)") 
| eval version=if(isnull(version),"< 4.2",version) 
| stats values(version) as version by host

0 comments

[0]