Show how much disk space is used by _internal

The following Splunk query will return disk space used by the _internal index.

Continue Reading →

License Usage Prediction

There is an older Splunk query here that had previously predicted license usage. I’m not sure why (perhaps the predict command has changed since the original post in 2015?), but the query is no longer working. I’ve updated the query to predict Splunk license usage using the Splunk predict command as shown below:

 

Continue Reading →

Show all Indexes and Sourcetypes via REST

The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches)

Continue Reading →

Average Search Duration

Ever wonder how your search performance is across search heads? Try this query. Depending on your environment you’ll want to specify the host=* section to better represent your environment. Say if you have a naming convention that includes “shc” and a number representing searchheads in a cluster (distributed environment) you can use (host=shc1.fq.dn OR host=shc2.fq.dn […]

Continue Reading →

User Info Dashboard – Using REST

I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!

Continue Reading →

Use REST to gather Index Info

Here is some SPL to get useful information via REST on indexes within your Splunk environment:

Continue Reading →

List of Alerts via REST

The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:

Continue Reading →

List Inputs using REST

As the title says. Pretty nice Splunk Search if you’ve forgotten what inputs you have configured and need a central place to list them.

Continue Reading →

REST Call for Memory & CPU usage on Splunk Servers

This Splunk search will show you use and available CPU and Memory statistics. Depending on your environment you may see multiple Splunk servers:

Slightly modified from: http://www.brainfold.net/2016/03/frequently-used-rest-api-calls-in-splunk.html

Continue Reading →

Splunk Objects With Permissions Granted to Non-existent Roles

Useful search to show a bit of detail on roles and user permissions.

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Every index explicitly granted to a role

Self explanatory, maps roles to indexes. Useful if you have a lot of indexes!

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Average Splunk Web requests by hour

This query is pretty awesome! It helped enlighten us to exactly when our splunk infrastructure is being hit with users

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

All indexes not explicitly granted to a role

  I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Malware Detection

I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article it’s a decent read.

Continue Reading →

Detailed list of Errors Per Host

The following Splunk search will return a detailed list (by message) of errors associated with hosts running a universal forwarder:

Continue Reading →