License Usage by Pool per hour for last 24 hours

Have a misbehaving License Pool that the admin swears he fixed this morning?
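An added example of the kind of search this post describes (this is my illustration, not the query from the original post): it plots hourly license usage per pool over the last 24 hours from the license master's license_usage.log, so a pool the admin "fixed this morning" should show a visible drop after that hour. The pool name "my_pool" in the second search is a placeholder. The time range, the `b` (bytes), `pool` and `st` (sourcetype) fields and `type=Usage` are the standard license_usage.log fields; a second search drills into the suspect pool by sourcetype.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-24h@h latest=@h
| eval GB=b/1024/1024/1024
| timechart span=1h sum(GB) AS GB by pool

index=_internal source=*license_usage.log* type=Usage pool="my_pool" earliest=-24h@h latest=@h
| eval GB=b/1024/1024/1024
| timechart span=1h sum(GB) AS GB by st limit=10 useother=true
```

Run both on the license master (or wherever its _internal index is searchable), since `type=Usage` lines are written there once a minute. Two caveats worth knowing: `type=RolloverSummary` lines carry the daily total and must stay excluded or you double-count, and when a license master sees too many distinct host/source combinations it squashes the per-minute lines, dropping the `h` and `s` fields but keeping `st`, `idx` and `pool`, which is why the drill-down splits by sourcetype rather than by source.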

Events Sent to Null Queue – Internal Logs

This will show events that have been sent to the nullQueue, as seen in the Splunk internal logs.

Average Splunk Web requests by hour

This query is pretty awesome! It helped enlighten us to exactly when our Splunk infrastructure is being hit by users.
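The post's query is behind the link; the following is an added example of the same idea (my own, not acharlieh's gist), built on Splunk Web's access log in the _internal index. It buckets requests into hours, then averages across the 7-day window (an assumed range) so that you get a per-hour-of-day profile rather than a single day's curve:

```spl
index=_internal sourcetype=splunk_web_access earliest=-7d@d latest=@d
| bin _time span=1h
| stats count AS requests by _time
| eval hour=strftime(_time, "%H")
| stats avg(requests) AS avg_requests max(requests) AS peak_requests by hour
| sort hour
```

The `peak_requests` column is the useful companion to the average: a quiet hour with one large peak usually points at a scheduled dashboard or a single heavy user rather than a sustained load. Note that `splunk_web_access` covers only browser traffic to Splunk Web; REST API and scheduled-search load shows up in `splunkd_access` and scheduler.log instead.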

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Detailed list of Errors Per Host

The following Splunk search will return a detailed list (by message) of errors associated with hosts running a universal forwarder:

Count of Splunk Errors Per Host

The following Splunk query will list the number of errors associated with each host over a given time range:
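An added example that serves both of the error posts above (the detailed per-message list and the per-host count); it is my own search, not either post's. It restricts splunkd.log ERROR events to hosts that the indexer has seen connecting as universal forwarders (the `fwdType=uf` field in metrics.log tcpin_connections lines is what I assume for that), extracts the component and message text from the raw line, and counts by message while also carrying a per-host total via eventstats:

```spl
index=_internal sourcetype=splunkd log_level=ERROR
    [ search index=_internal source=*metrics.log* group=tcpin_connections fwdType=uf
      | stats count by hostname
      | rename hostname AS host
      | fields host ]
| rex field=_raw "^\S+\s+\S+\s+\S+\s+ERROR\s+(?<component>\S+)\s+-\s+(?<message>.*)$"
| stats count AS errors latest(_time) AS last_seen by host component message
| eventstats sum(errors) AS host_total by host
| convert ctime(last_seen)
| sort - host_total - errors
```

Drop `component message` from the `stats ... by` clause and you have the count-per-host version. Two practical notes: many splunkd error messages embed variable data (peer names, ports, file paths), so grouping by `message` can fragment one problem into many rows; a `rex mode=sed` to mask those values before the stats is the usual fix. And the subsearch is subject to the default subsearch limits (10,000 results, 60 seconds), which is fine for a few thousand forwarders but worth remembering on very large estates.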

Traffic Volume by Forwarder

This Splunk search query shows the top 10 “chattiest” forwarders on your network. I’ve used this query to determine why some forwarders were sending more data than others. The results are displayed in kilobits; you could use an eval to convert them to whatever unit suits your network.

User Activity in DBConnect

The following Splunk query is for the DBConnect app. It returns all user activity in that app. I’ve provided the regex in the search.

rangemap command with single value string

How to Check When Splunk is finished Indexing a log file

How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to the learnsplunk.com author who originally posted it on his website.) By watching data from Splunk’s metrics.log in real time.

Or, to watch everything happening, split by sourcetype…

And if you’re having trouble […]
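The original searches did not survive on this page, so here is an added example of the technique described (mine, not the learnsplunk.com author's). Both searches read the per-sourcetype throughput lines in metrics.log as a real-time search over the last five minutes; the sourcetype name "my_app_logs" is a placeholder. The first watches one sourcetype and also tracks `max_age`, which I assume to be the per-interval lag between event time and index time; the second splits everything by sourcetype, as the post describes:

```spl
index=_internal source=*metrics.log* group=per_sourcetype_thruput series="my_app_logs" earliest=rt-5m latest=rt
| timechart span=30s sum(kb) AS kb sum(ev) AS events max(max_age) AS max_age_seconds

index=_internal source=*metrics.log* group=per_sourcetype_thruput earliest=rt-5m latest=rt
| timechart span=30s sum(kb) by series
```

Indexing of the file is done when `kb` and `events` for the series fall to zero and stay there; a `max_age` that is still large while the rate is zero means the events are old but not backed up. The span of 30 seconds matches the default metrics interval, so a finer span only produces empty buckets. The caveat that bites most people: metrics.log only records the top ten series per interval by default (`maxseries` under `[metrics]` in limits.conf), so a low-volume sourcetype on a busy indexer can be absent from `per_sourcetype_thruput` even while it is being indexed.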

Search to show what apps are ready to be updated

If that Splunk instance has internet access, it will have the

fields filled with the latest version when an update is available for any app installed on that system. The

filter should be usable for querying search peers as well. Run on a daily or weekly schedule, this could alert you to any update. […]
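The post's exact field and filter names are not on this page, so the following is an added example of how I would write the search (my own, not the post's). It uses the `update.version` and `update.homepage` entries that the `apps/local` REST endpoint populates once the instance has checked for app updates, and `splunk_server=*` to fan the query out to the search peers:

```spl
| rest /services/apps/local splunk_server=*
| search update.version=*
| table splunk_server title label version update.version update.homepage
| rename update.version AS available_version update.homepage AS download_page
| sort splunk_server title
```

Saved as a scheduled search with an alert condition of "number of results > 0", this gives the daily or weekly notification the post describes. For a supply-chain-minded admin the `download_page` column is the important one: the REST data only says a newer version exists on Splunkbase, it does not fetch or verify anything, so the update itself should still go through whatever review you apply to app installs.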

Permissions for splunk users

Another view of which Splunk user can do what in your Splunk environment.
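An added example of such a view (mine, not the post's search): it joins the users endpoint to the roles endpoint so that each user row carries the roles, the capabilities those roles grant, and the indexes they may search. `splunk_server=local` is used because authentication config lives on the search head:

```spl
| rest /services/authentication/users splunk_server=local
| fields title realname roles
| rename title AS user
| mvexpand roles
| join type=left roles
    [ | rest /services/authorization/roles splunk_server=local
      | fields title capabilities imported_capabilities srchIndexesAllowed
      | rename title AS roles ]
| stats values(roles) AS roles values(capabilities) AS capabilities values(imported_capabilities) AS inherited_capabilities values(srchIndexesAllowed) AS indexes by user realname
```

Keep `imported_capabilities` in the picture: the `capabilities` field of a role lists only what is assigned directly, and a custom role that imports `admin` or `power` inherits far more than its own list suggests. The same goes for `srchIndexesAllowed`, which can contain `*` or `_*` and therefore grant access to internal indexes that hold audit and license data.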

Splunk Server Restart Duration

As the title says, the following Splunk search query shows the restart duration of the Splunk service itself, using the transaction command.

List Ports Forwarders are Using

Use the following Splunk search query to list which ports your universal forwarders are using to communicate with the indexer:
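Both the forwarder-traffic post above and this port listing can be answered from the same metrics.log lines, so here is one added example that covers both (my search, not either post's). The indexer logs a `tcpin_connections` line for every inbound forwarder connection; `hostname`, `sourceIp`, `destPort`, `kb`, `fwdType` and `version` are the fields I rely on, and the 24-hour range is assumed:

```spl
index=_internal source=*metrics.log* group=tcpin_connections earliest=-24h
| stats sum(kb) AS kb values(destPort) AS dest_ports values(sourceIp) AS src_ips latest(fwdType) AS fwd_type latest(version) AS version by hostname
| eval MB=round(kb/1024, 2)
| fields - kb
| sort - MB
| head 10
```

Remove the `head 10` to get the port inventory for every forwarder; a forwarder reporting more than one `dest_ports` value is usually one whose outputs.conf was changed without a restart or that is also feeding a second receiver. Note that `kb` in metrics.log is kilobytes, not kilobits, so the `MB` conversion above is a plain divide by 1024, and that the search has to run where the indexers' _internal data is searchable, since the receiving side writes these lines.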

Failed Attempts to Logon to Splunk Web

The following Splunk search query returns all users who have failed to log on to Splunk Web. It also includes an average, computed with eventstats.
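An added example in the same spirit (my own, not the post's search). Failed Splunk Web logins are recorded in the _audit index as `action=login_attempt info=failed`; the search counts them per user, uses eventstats to put the all-user average on every row, and flags users above it. The `clientip` field and the 7-day range are assumptions, so drop `clientip` if your version does not record it:

```spl
index=_audit action=login_attempt info=failed earliest=-7d@d latest=now
| stats count AS failed_logins latest(_time) AS last_failure values(clientip) AS client_ips by user
| eventstats avg(failed_logins) AS avg_failed_per_user
| eval avg_failed_per_user=round(avg_failed_per_user, 1)
| eval above_average=if(failed_logins > avg_failed_per_user, "yes", "no")
| convert ctime(last_failure)
| sort - failed_logins
```

The average is only a crude baseline: one spraying client against many accounts raises it for everyone, so a `stats count by client_ips` variant is worth running next to this one. Also keep in mind that failed attempts against users that do not exist are still logged with the attempted name in `user`, which makes this search a cheap way to spot credential-guessing against the Splunk Web login page.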