The following splunk query will show a timechart of network traffic received over a period of time for any host specified (make sure you edit the query to specify a host, this one defaults to all). The query also converts the default value of Bytes to Megabytes. sourcetype=”Perfmon:Network Interface” (host=”*”) counter=”Bytes Received/sec”| eval MB=(Value/1024/1024)| […]
Free Disk Space for each Drive Letter
The following Splunk query will return results for all hosts reporting in Perfmon data on available disk space per assigned drive letter (NOTE you must make the change to include free diskspace per partition in your inputs.conf file) Query: sourcetype=”Perfmon:Free Disk Space” counter=”Free Megabytes” (instance!=”HarddiskVolume*”) (instance!=_Total) |eval FreeSpace=(Value/1024)| eval GB=tostring(FreeSpace,”commas”) | table host instance GB […]
Apache access_logs status code reporting
index=apache sourcetype=access_combined | chart count(eval(like(status,”2%”))) AS Success, count(eval(like(status,”4%”) OR like(status,”5%”))) AS Error by status ###this query is to report on status code description##### index=apache source=”/var/log/httpd/access_log” | timechart count by status_description useother=f # Find Website Status Over time index=apache sourcetype=access_combined| timechart count by status_type limit=10 usenull=f # Reports on Webserver error 500. index=apache sourcetype=access_combined status_type=”Server Error” […]
Splunk Query to report on users logging on to the Splunk Web Console
index=_audit tag=authentication info=succeeded |dedup user | table user timestamp
Low Disk Space Alert for Windows Servers
eventtype=hostmon_windows Type=Disk host=”*” FileSystem=”*” DriveType=”*” | dedup host, Name | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) | eval FreeSpaceGB=round(FreeSpaceKB/1024/1024) | search FreeSpacePct<10 TotalSpaceGB=”*” | dedup host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | table host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | sort FreeSpacePct
License Usage by Index per Day
The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each index over the course of the given time period. index=_internal source=*license_usage.log type=”Usage” splunk_server=* earliest=-1w@d | eval Date=strftime(_time, “%Y/%m/%d”) | eventstats sum(b) as volume by idx, Date […]
Percentage of Daily License Usage
This Splunk search query will indicate the percentage of license used for the current day. This is already shown in the licensing tab under settings, however this query is extracted if you would want to use it within a dashboard or any other reason. NOTE – splunk_server= should be set to your license master. […]
Top 5 License Consuming Hosts
The following Splunk search query will return the top five licensing consuming hosts: index=_internal source=*license_usage.log type=”Usage” | stats sum(b) AS volume by h | eval GB=round(volume/1024/1024/1024,5) | table h GB | sort 5 – GB
License Usage by Sourcetypes
The following Splunk query will return results for license usage by sourcetype: index=_internal source=”*license_usage.lo*” type=Usage | stats sum(b) as bytes by st | eval Megabytes=bytes/1048576 |eval Megabytes=round(Megabytes,2) | fieldformat Megabytes=tostring(Megabytes,”commas”)| rename st as sourcetype | fields – bytes | sort – Megabytes
Last Time a Forwarder Checked In
The following Splunk Search Query will return results based on the last time a forwarder (universal forwarder, heavy forwarder, or otherwise) checked in. The query is a modified version of a query that was packaged with the Deployment Monitor app. index=”_internal” source=”*metrics.lo*” group=tcpin_connections NOT eventType=* | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType==”uf”,”universal forwarder”, fwdType==”lwf”, “lightweight […]
List of Universal Forwarders with Version
The following Splunk query will return results of any host using a universal forwarder to transmit data back to a Splunk indexer. The query will return hostname, version, as well as architecture (64-bit vs 32-bit). index=”_internal” sourcetype=splunkd group=tcpin_connections NOT eventType=* | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),”pre 4.2″,version) | eval architecture=if(isnull(arch),”n/a”,arch) | stats count […]
Failed Versus Successful Logon Attempts
This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment: source=”WinEventLog:security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, “Successful […]
List of hosts and sourcetypes not sending data in last 24 Hours
|noop |append [ |metadata type=hosts | table *] | append [|metadata type=sourcetypes | table *] | eval t = now() – lastTime | where t > 86400 | eval name = coalesce(host,sourcetype)| table name t lastTime totalCount type |rename t as “Seconds since Event” | convert ctime(lastTime) timeformat=”%m/%d/%Y %H:%M:%S %z”
Event Logs | System Logs | Warnings and Errors
This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need source=wineventlog:application source=wineventlog:security source=wineventlog:system host=”*” source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message
Get list of concurrent users on a specific server
The following Splunk query will return results for concurrent logon sessions (in a Windows Environment) on any given server (or multiple servers) with slight modification. First you must define the time span in which you consider “concurrent” this is defined in the “bucket” section below and the example uses a 30 minute range (widen […]
User Agent – Operating System Info for web traffic
The following Splunk Query will return a list of operating systems used within IIS logs traffic. It essentially uses a lookup to check the user agent against a known list. *NOTE* The app TA-browscap_express – HTTP User Agent lookup with browscap must be installed sourcetype=iis |dedup JSESSIONID | eval http_user_agent=urldecode(cs_User_Agent) | lookup browscap_lookup_express http_user_agent OUTPUT ua_platform_description […]
User Agent – Browser Details & Information for IIS
This Splunk query will reference a lookup table to return user agent (browser information) within IIS logs. Specifically the output will list browser name and version, crawler, and mobile. It will give a count based on visits not hits (hence the dedup). Depending on the length of time this query can take a very long […]
Total Unique Browsers detected in IIS logs
The following Splunk search query will show a count of unique browsers (calculation to include version) that hit a given website within IIS logs: sourcetype=iis | stats dc(cs_User_Agent)
List of Indexes
This simple Splunk query will return results for indexes that the current user (typically you) have access to: *NOTE* depending on settings this may or may not return internal indexes. host=* | dedup index |table index
Weekday Web Traffic Summary in IIS
The following Splunk query will show a summary of all weekday activity for a given website in IIS. sourcetype=”iis” (NOT date_wday=saturday) (NOT date_wday=sunday)| stats count(JSESSIONID) as Value| eval Metric=”Total Hits on Weekdays”| append[ search sourcetype=”iis” (NOT date_wday=saturday) (NOT date_wday=sunday)| stats dc(JSESSIONID) as Value| eval Metric=”Total Visits on Weekdays”]| append[ search sourcetype=”iis” (NOT date_wday=saturday) (NOT date_wday=sunday) […]