Splunk Server Restart Duration

As titled, this Splunk search uses the transaction command to measure how long the Splunk service itself takes to restart, by pairing each shutdown event with the startup event that follows it.
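The linked post carries the actual query; the following SPL is an added example, written for this page rather than taken from the post, that shows the transaction approach it describes. It assumes the splunkd.log shutdown and startup messages read "Shutting down splunkd" (component ShutdownHandler) and "Splunkd starting" (component loader); confirm the exact wording in your own splunkd.log before relying on it.

```spl
index=_internal sourcetype=splunkd
    (component=ShutdownHandler "Shutting down splunkd")
    OR (component=loader "Splunkd starting")
| transaction host startswith="Shutting down splunkd" endswith="Splunkd starting" maxspan=1h
| table _time host duration eventcount
| rename duration as restart_seconds
| sort - _time
```

The transaction is grouped per host so that a multi-instance deployment produces one row per restart per server; maxspan=1h keeps an unmatched shutdown (for example an instance that never came back) from being paired with a startup hours later. A row with eventcount=1 is an open transaction and its duration is not a real restart time.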


Splunk User Search Activity

This search returns a table of users who ran searches, the total time their searches took to complete, a count of those searches, and the time of each user's most recent search. *NOTE* Change the “local” value in “splunk_server=local” to the name of your Splunk server.
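As an added example (not the query from the linked post), the following SPL reads the search-completed records from the audit trail and builds the per-user table described above. It assumes the standard audittrail fields user, action, info and total_run_time; the splunk_server=local clause is kept exactly as the note describes, so replace "local" with your server name.

```spl
index=_audit sourcetype=audittrail action=search info=completed splunk_server=local
| stats sum(total_run_time) as total_search_seconds
        count as search_count
        max(_time) as last_search_time
        by user
| eval last_search_time=strftime(last_search_time, "%Y-%m-%d %H:%M:%S")
| sort - search_count
```

Filtering on info=completed matters: each search also writes a granted record when it is authorised, and counting both would double every search. The same audit records also carry scan_count and result_count, so adding sum(scan_count) to the stats line is a cheap way to spot the users whose searches are most expensive rather than merely most frequent.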


Internal Splunk User Modifications

This query searches Splunk's internal audit sourcetype and reports every user-modification attempt, both successful and failed.
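An added example of the audit search the post describes, written for this page and not taken from the post. It assumes user changes are recorded in the audittrail sourcetype with action=edit_user and an info field of granted or denied; the object and operation fields (the account touched and whether it was created, edited or deleted) are assumed to be present on those records and should be confirmed against your own _audit index.

```spl
index=_audit sourcetype=audittrail action=edit_user (info=granted OR info=denied OR info=failed)
| eval result=if(info="granted", "success", "fail")
| table _time user action object operation info result
| sort - _time
```

The user field is the account that attempted the change and object is the account being changed, so a quick triage is to look for rows where the two differ and result is "fail": repeated denied edits against other people's accounts are the first thing to escalate. Widening the action filter to action=*user* catches any additional user-related audit actions in your version, at the cost of some noise.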
