| tstats count WHERE index=* NOT index IN(sum_*, *summary, cim_*, es_*,splunkd* splunk_*) by sourcetype | fields – count | append [| datamodel | rex field=_raw “\”modelName\”\s*\:\s*\”(?<modelName>[^\”]+)\”” | fields modelName | table modelName | map maxsearches=40 search=”tstats summariesonly=true count from datamodel=$modelName$ by sourcetype |eval modelName=\”$modelName$\”” ] | fillnull value=”placeholder” modelName | table modelName sourcetype count | […]
Data model Acceleration Details
This Splunk Search shows you a lot of good information about your data model acceleration and performance. | rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | eval key=replace(title,((“tstats:DM_” . ‘eai:acl.app’) . “_”),””), datamodel=replace(‘summary.id’,((“DM_” . ‘eai:acl.app’) . “_”),””) | join type=left key [| rest /services/data/models splunk_server=local count=0 | table title, “acceleration.cron_schedule”, “eai:digest” | rename title as key | […]
Splunk CIM Assist
Got tired of having to go through each data source to determine what indexes should go into the Splunk_SA_CIM search macros, this does the leg work. index=* | fields index, tag, user, action, object_category | eval datamodel = if(tag=”alert”, index.”.”.”alert”, datamodel) | eval datamodel = if(tag=”listening” AND tag=”port”, index.”.”.”application_state_deprecated”.”.”.”endpoint”, datamodel) | eval datamodel = if(tag=”process” […]
Listing Data models
|datamodel |rex field=_raw “\”description\”:\”(?<Description>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+)\”\,” |rex field=_raw “\”modelName\”:\”(?<DataSetName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\”\,” |rex field=_raw “\”parentName\”:\”(?<ParentName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\”\,” |rex field=_raw “\”autoextractSearch\”:(?<SearchDetails>.*\”)\,\”previewSearch.*” |table Description DataSetName SearchDetails |eval SearchDetails=replace(SearchDetails,”,\”previewSearch.*”,””) |fillnull Description value=”Description not available”
Find success login after 10 failures with streamstats
If you have the Authentication data model configured you can use the following search to quickly find successful logins after 10 failed attempts! | from datamodel:”Authentication”.”Authentication” | search action=failure or action=success | reverse | streamstats window=0 current=true reset_after=”(action=\”success\”)” count as failure_count by src | where action=”success” and failure_count > 10
Search Traffic by Source IP
GoSplunk Admin Notes: If you have a data model enabled that matches the search below, this might work for you! | datamodel Network_Traffic All_Traffic search | search All_Traffic.src_ip=10.x.x.x | stats count by All_Traffic.src_ip, All_Traffic.dest,All_Traffic.action, dstcountry | dedup All_Traffic.dest
