Splunk Searches | A collection of useful Splunk SPL

Splunk Search for Ingested Comments Copy


				 [ | tstats count where punct=#* by index, sourcetype | fields - count | format ] _raw=#*

0 comments

[0]

Splunk Search for Sourcetypes with High Indexing Lag Time Copy


				| tstats count where index=* by _time, _indextime, sourcetype | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by sourcetype

0 comments

[0]

Splunk Search for Indexes With High Indexing Lag Time Copy


				| tstats count where index=* by _time, _indextime, index | rename _* as * | eval diff_secs=indextime-time, diff_hours=diff_secs/60/60 | stats max(diff_secs) as diff_secs, max(diff_hours) as diff_hours by index

1 comment

[0]

Splunk Search for Indexes that are not used Copy


				| tstats count where earliest=-90d by index | fields - count | search NOT [ index=_audit earliest=-7d latest=now action="search" search="*" | rex field=search "index=(?<index_used>[^\s]+)" | stats values(index_used) as index_used ]

0 comments

[0]

Splunk Search for Count of events by index Copy


				|tstats count WHERE index=* OR index=_*  by index

0 comments

[0]

Splunk Search for Indexing lag by host Copy


				| tstats count as events BY host,_time,_indextime span=1s | eval indexlag=_indextime-_time | stats avg(indexlag) as "Indexing Lag" by host

0 comments

[0]

Splunk Search for Hosts associated with all indexes Copy


				| tstats values(host) as host where index=* by index

0 comments

[0]

Splunk Search for Latest event reported Copy


				|tstats latest(_time) as latest_time by index, sourcetype, host | eval now_time=now() | eval time_since_last=now()-latest_time | where time_since_last>=3600 | foreach *_time [ | eval <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ] | rename latest_time as "Time of Last Event", now_time as "Present Time", time_since_last as "Seconds Since Last Event"

0 comments

[0]

Splunk Search for Latest time events received by index and sourcetype Copy


				| tstats latest(_time) as "Last Received" by index, sourcetype | stats list(sourcetype) as sourcetype, list("Last Received") as "Last Received" by index | eval "Last Received"=strftime('Last Received',"%m/%d/%Y %H:%M:%S")

0 comments

[0]

Splunk Search for Time since last event by index, host and sourcetype Copy


				| tstats latest(_time) as Latest where index=* by host sourcetype index 
| eval now=now() 
| eval time_since_last=round(((now-Latest)/60)/60,2) 
| stats list(host) as host, list(sourcetype) as sourcetype, list(Latest) as "Latest Event" list(time_since_last) as "Time since last event (hours)" by index
| convert ctime("Latest Event")

1 comment

[0]