|tstats count WHERE index=* OR index=_* BY index Don't forget: a time modifier (earliest/latest) is required.
List skipped searches by name, reason
index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count by savedsearch_name, reason Look at the reason field to know how to troubleshoot (it tells you whether the skip was caused by concurrency limits, a stuck search, a disabled user, etc.).
Detect Scheduler Running Twice a Search
There is a bug that makes a scheduled search execute two or more times for the same scheduled_time. index=_internal sourcetype=scheduler scheduled_time=* savedsearch_name=* | stats count by scheduled_time, savedsearch_name | where count > 1
Parsing Military Time Zones
Sorry, but this cannot be done elegantly with a search; handle it at parse time in props.conf on the sourcetype. TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z TZ_ALIAS = A=GMT+1:00, B=GMT+2:00, C=GMT+3:00, D=GMT+4:00, E=GMT+5:00, F=GMT+6:00, G=GMT+7:00, H=GMT+8:00, I=GMT+9:00, K=GMT+10:00, L=GMT+11:00, M=GMT+12:00 Only the letters east of UTC (A to M, J excluded because it means "local time" and is not a zone) are listed here; N to Y cover UTC-1 to UTC-12 and Z is UTC. Check the sign convention on a test event with a known timestamp before trusting it: in zoneinfo-style identifiers such as Etc/GMT+1 the sign is inverted (one hour west of Greenwich, i.e. UTC-1), so a mapping that looks right may shift events the wrong way.
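To make the military designator mapping explicit (and to cover the N to Y and Z letters the props.conf stanza above leaves out), here is an added Python example of the same parsing, not code from the original page or from Splunk. It assumes the raw timestamp has the shape the TIME_FORMAT above describes (ISO date, milliseconds, then a single designator letter); the sample timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone


def military_tz_offsets() -> dict:
    """Military (NATO) time-zone letters -> UTC offset in hours.
    A..I = UTC+1..+9, K..M = UTC+10..+12 (J is skipped: it means 'local time'),
    N..Y = UTC-1..-12, Z = UTC."""
    offsets = {"Z": 0}
    for hours, letter in enumerate("ABCDEFGHI", start=1):
        offsets[letter] = hours
    for hours, letter in enumerate("KLM", start=10):
        offsets[letter] = hours
    for hours, letter in enumerate("NOPQRSTUVWXY", start=1):
        offsets[letter] = -hours
    return offsets


MILITARY_TZ = military_tz_offsets()

# Matches the %Y-%m-%dT%H:%M:%S.%3N%Z layout with a one-letter zone designator.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d{3})([A-Z])$")


def parse_military_timestamp(text: str) -> datetime:
    """Parse a timestamp with a military zone letter into an aware datetime."""
    match = TS_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised timestamp layout: {text!r}")
    base, millis, letter = match.groups()
    if letter not in MILITARY_TZ:
        # 'J' (local time) and any other letter carry no usable offset.
        raise ValueError(f"{letter!r} is not a military zone designator")
    tz = timezone(timedelta(hours=MILITARY_TZ[letter]))
    naive = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return naive.replace(microsecond=int(millis) * 1000, tzinfo=tz)


def to_utc_iso(text: str) -> str:
    """Normalise a military-zone timestamp to an ISO-8601 UTC string."""
    return parse_military_timestamp(text).astimezone(timezone.utc).isoformat(
        timespec="milliseconds"
    )


if __name__ == "__main__":
    # Constructed sample timestamps, one per designator family.
    for sample in ("2024-05-01T12:30:45.123A", "2024-05-01T12:30:45.123Z",
                   "2024-05-01T01:00:00.000M", "2024-05-01T12:00:00.000Y"):
        print(sample, "->", to_utc_iso(sample))
```

Because every event ends up as an aware UTC datetime, events from sources in different designators sort correctly, which is exactly what the alias mapping in props.conf is trying to achieve on the indexer side.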
date_zone=local is bad
Impact: date_zone=local means the event carried no timezone, so Splunk stamped it with the local timezone of the instance that parsed it. Events from sources in other timezones therefore do not sort in their true order. If the source really has no TZ in the event text, hard-code one with TZ in props.conf for that sourcetype. To find the affected sourcetypes: |tstats count where index=* date_zone=local by index, sourcetype
Basic binary conversion for IPv4 Mask
Given an IP network address and its netmask represented as integers, the search below builds a CIDR representation from the lookup without using built-in tools. The nested replace() calls turn each hex digit into its 4-bit nibble; they must stay in ascending digit order (0, 1, 2, ...) because each replacement only introduces 0s and 1s, which have already been processed. |inputlookup geoip | head 100 | eval mask_int=end_ip_int-start_ip_int | eval mask_bin=replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(tostring(mask_int, "hex"), 3), "0", "0000"), "1", "0001"), "2", "0010"), "3", "0011"), "4", "0100"), "5", "0101"), "6", "0110"), […]
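The same conversion outside Splunk, as an added Python example (not the page's search and not part of any Splunk app): the first function reproduces the cheat-sheet logic (end_ip_int - start_ip_int gives a mask whose binary form is all ones in the host bits, so prefix = 32 - host bits), and the second handles the edge case the search cannot, a lookup row whose range is not one aligned CIDR block. The lookup rows below are constructed; the field names start_ip_int and end_ip_int are taken from the search above.

```python
import ipaddress
from typing import Dict, List


def prefix_from_mask_int(mask_int: int) -> int:
    """Cheat-sheet approach: mask_int = end_ip_int - start_ip_int.
    For an aligned block its binary form is a run of ones (e.g. 255 = 11111111
    -> 8 host bits -> /24). Rejects anything that is not such a run."""
    host_bits = mask_int.bit_length()
    if mask_int != (1 << host_bits) - 1:
        raise ValueError(f"{mask_int} is not a contiguous host mask; range is not one CIDR block")
    return 32 - host_bits


def range_to_cidr(start_ip_int: int, end_ip_int: int) -> str:
    """Single CIDR for an aligned range; raises if the range is not one block."""
    prefix = prefix_from_mask_int(end_ip_int - start_ip_int)
    block_size = 1 << (32 - prefix)
    if start_ip_int % block_size:
        raise ValueError("start address is not aligned to the block size")
    return f"{ipaddress.IPv4Address(start_ip_int)}/{prefix}"


def range_to_cidrs(start_ip_int: int, end_ip_int: int) -> List[str]:
    """General case: the minimal list of CIDR blocks covering any range."""
    start = ipaddress.IPv4Address(start_ip_int)
    end = ipaddress.IPv4Address(end_ip_int)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


# Constructed rows in the shape of the geoip lookup (start_ip_int, end_ip_int).
SAMPLE_ROWS: List[Dict[str, int]] = [
    {"start_ip_int": 167772160, "end_ip_int": 167772415},   # 10.0.0.0 - 10.0.0.255
    {"start_ip_int": 3232235776, "end_ip_int": 3232235903}, # 192.168.1.0 - 192.168.1.127
    {"start_ip_int": 167772160, "end_ip_int": 167772927},   # 10.0.0.0 - 10.0.2.255 (not one block)
]


def convert_rows(rows: List[Dict[str, int]]) -> List[Dict[str, object]]:
    """Add a cidr list to each row, falling back to summarisation when the
    single-block conversion is not possible."""
    out = []
    for row in rows:
        start, end = row["start_ip_int"], row["end_ip_int"]
        try:
            cidrs = [range_to_cidr(start, end)]
            single_block = True
        except ValueError:
            cidrs = range_to_cidrs(start, end)
            single_block = False
        out.append({**row, "cidr": cidrs, "single_block": single_block})
    return out


if __name__ == "__main__":
    for converted in convert_rows(SAMPLE_ROWS):
        print(converted)
```

GeoIP-style lookups frequently contain ranges that are not aligned blocks, so in practice the summarising form is the one to use; the single-block form is only there to show what the eval/replace chain in the search computes.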