index=_internal sourcetype=splunkd ((component=SSLCommon AND alert_description="'certificate expired'") OR (component=TcpInputProc "certificate verify failed")) ```two TLS failure signatures in splunkd.log: SSLCommon reporting an expired certificate, or TcpInputProc rejecting a peer whose certificate could not be verified; the OR group is bracketed explicitly so the index/sourcetype filters clearly apply to both branches```
index=_internal sourcetype=splunkd "trimming" "TailReader - File descriptor cache is full" | stats count by host ```hosts whose TailReader hit the file-descriptor cache ceiling and started trimming monitored files; a high count on one host usually means too many files under monitor inputs for its max_fd setting (confirm against the host's limits.conf)```
index=_internal "connected to idx" tcpouteloop | stats count by idx ```forwarder-side connection events from the TcpOutEloop thread (search terms are case-insensitive); idx is the auto-extracted idx= key from the message, so this counts how often each indexer target was connected to```
index=_internal sourcetype=splunkd destPort!="-" | stats count by hostname, sourceHost, host, destPort, version | table hostname, sourceHost, host, destPort, version | rename hostname as "Forwarder Hostname", sourceHost as "Forwarder IP", host as "Indexer Hostname", destPort as "Forwarding Port", version as "Splunk Version" ```inventory of distinct forwarder -> indexer connections; stats is only used to deduplicate the tuple, table then drops the count column and fixes the column order before the friendly renames```
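index=_internal sourcetype=splunkd "has reached maxKBps" | rex "Current data throughput \((?<kb>\S+)" | eval kb=tonumber(kb) ```force a numeric comparison; the rex capture is text``` | eval throughput=case(isnull(kb), "unknown", kb < 500, "256", kb < 520, "512", kb < 770, "768", kb < 1210, "1024", 1=1, ">1024") ```case() takes the first matching branch, so contiguous upper bounds leave no gaps (the old ranges skipped kb=520 and 770-771 and mis-bucketed them as >1024)``` | stats count as "Hit Count" sparkline as Trend by host, throughput | rename host as "Host", throughput as "Throughput rate(kb)" | sort -"Throughput rate(kb)", -"Hit Count" ```forwarders throttled by their limits.conf maxKBps, bucketed to the nearest common limit; count was aliased to "Hit Count" directly because the old rename of count happened after it had already been renamed to Count and so never applied, and the where Count>=1 filter was redundant (stats never emits zero-count groups)```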
index=_internal group=tcpin_connections | eval host=coalesce(hostname, sourceHost) | search host=* host!="(ALL)" | eval version=coalesce(version, "< 4.2") | stats values(version) as version by host ```Splunk version(s) seen per connecting forwarder; coalesce() picks hostname and falls back to the connecting IP, and "(ALL)" is the aggregate pseudo-host that tcpin_connections also reports```
index=_internal source="*metrics.log*" group=tcpin_connections NOT eventType=* | eval sourceHost=coalesce(hostname, sourceHost) | search sourceHost=* | timechart per_second(kb) by sourceHost WHERE max in top5 useother=f | rename sourceHost as UF ```inbound throughput (kb/s) over time for the five busiest forwarders by peak rate; NOT eventType=* drops the per-event connection records so only the periodic metrics rows are charted```
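index="_internal" source="*metrics.log*" group=tcpin_connections NOT eventType=* | eval Source=coalesce(hostname, sourceHost) ```fall back to the connecting IP like the sibling tcpin_connections searches do; the old fallback referenced a non-existent Source field, so forwarders without a hostname were silently dropped by the stats below``` | eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Lightweight Forwarder",fwdType=="full", "Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk Forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder") | eval lastReceived=if(kb>0, _time, null()) ```null() is the eval function; a bare null only worked by resolving to a missing field``` | stats first(connectionType) as connectionType max(lastReceived) as lastReceived by Source | eval LastReceived=strftime(lastReceived, "%Y/%m/%d %H:%M:%S") | fields Source, connectionType, LastReceived | sort + LastReceived ```last time each forwarder delivered data, oldest first, to spot forwarders that have gone quiet; the build/version/os/arch/seconds/event_count evals and the 10m bin were removed because stats by Source discarded them all```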
index=_internal sourcetype=splunkd group=tcpin_connections NOT eventType=* | eval Host=coalesce(hostname, sourceHost), version=coalesce(version, "< 4.2"), architecture=coalesce(arch, "unknown") | stats count by Host, version, architecture | sort version ```forwarder fleet by Splunk version and CPU architecture, useful for finding hosts still running an old build; "< 4.2" marks connections that predate version reporting. Note that sort on version is lexicographic, so 10.x orders before 9.x```