Traffic Volume by Forwarder

This Splunk search query will show you the top 10 “chattiest” forwarders on your network. I’ve used this query to determine why some forwarders were sending more data than others. The results are displayed in kilobits; you can use an eval to convert them to whatever unit is appropriate for your network.

User Activity in DBConnect

The following Splunk query is for the DBConnect app. It will return all user activity in that app. I’ve provided the regex in the search.

Failed Attempts to Logon to Splunk Web

The following Splunk search query will return all users who have failed to log on to the Splunk Web console. The query also includes an average (from eventstats).

Network Traffic Sent in Megabytes over Time

The following Splunk query will show a timechart of network traffic sent over a period of time for any specified host (edit the query to specify a host; as written it defaults to all hosts). The query also converts the default unit of bytes to megabytes.

Network Traffic Received in Megabytes over Time

The following Splunk query will show a timechart of network traffic received over a period of time for any specified host (edit the query to specify a host; as written it defaults to all hosts). The query also converts the default unit of bytes to megabytes.

Free Disk Space for each Drive Letter

The following Splunk query will return results for all hosts reporting Perfmon data on available disk space per assigned drive letter. NOTE: you must modify your inputs.conf file to collect free disk space per partition. Query:

Inputs.conf Modification:

License Usage by Index per Day

The following Splunk search query will output license usage for each index for each day of the week to date. It will also output an average for each index over that time period.

Updated / Revised – 8/12/2016

Percentage of Daily License Usage

This Splunk search query will indicate the percentage of license used for the current day. This is already shown in the licensing tab under Settings, but the query is provided here in case you want to use it within a dashboard or for any other purpose. NOTE: splunk_server= should be set to your license master. […]

Top 5 License Consuming Hosts

The following Splunk search query will return the top five license-consuming hosts:

License Usage by Sourcetypes

The following Splunk query will return results for license usage by sourcetype:

Last Time a Forwarder Checked In

The following Splunk Search Query will return results based on the last time a forwarder (universal forwarder, heavy forwarder, or otherwise) checked in. The query is a modified version of a query that was packaged with the Deployment Monitor app.

List of Universal Forwarders with Version

The following Splunk query will return results for any host using a universal forwarder to transmit data back to a Splunk indexer. The query returns the hostname, version, and architecture (64-bit vs 32-bit).

User Agent – Operating System Info for web traffic

The following Splunk query will return a list of operating systems seen in IIS log traffic. It essentially uses a lookup to check the user agent against a known list. NOTE: the app TA-browscap_express (HTTP User Agent lookup with browscap) must be installed.

Weekday Web Traffic Summary in IIS

The following Splunk query will show a summary of all weekday activity for a given website in IIS.

Weekend Web Traffic Summary in IIS

The following Splunk query will return a summary of weekend activity for a given IIS hosted website.