Use this Splunk search to get details about alert actions:
| rest /services/saved/searches splunk_server=local count=0 | table title,actions
Use this Splunk search to show an alert's cron_schedule details:
| rest /services/saved/searches splunk_server=local count=0 | search "cron_schedule"="*/*" | table title,cron_schedule,author
This search estimates the size of every lookup table file (summed field lengths, so an approximation) by app, largest first; the map command re-runs inputlookup once per file, so raise maxsearches if you have more lookups than that:
| rest splunk_server=local /services/data/lookup-table-files/ | rename eai:acl.app as app | table app title | search NOT title IN (*.kmz) | map maxsearches=990 search="| inputlookup $title$ | eval size=0 | foreach * [ eval size=size+coalesce(len('<<FIELD>>'),0), app=\"$app$\", title=\"$title$\" | fields app title size]" | stats sum(size) by app title | sort - sum(size)
This search finds saved searches owned by an admin user (or by nobody) that roles other than admin are allowed to edit. Because a scheduled search runs with its owner's privileges, a write grant to a lesser role lets that role run searches as the admin, so these are worth reviewing:
| rest /servicesNS/-/-/saved/searches splunk_server=local | search [| rest /services/authentication/users splunk_server=local | search roles="admin" | fields title | rename title as author] OR author="nobody" | rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles | table author write_roles splunk_server app savedsearch_name | mvexpand write_roles | where NOT write_roles IN("","admin") | mvcombine write_roles | eval search_name_for_link=savedsearch_name | rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g" | eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link | fields - search_name_for_link splunk_server
I got a little fancy there with search_name_for_link. The link is for clicking from the inline table of the alert email. You can easily skip that.
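The three saved-search queries above (actions, cron schedules, and the write-permission check) all read the same REST endpoint. The following Python is an added example, not code from the original page: it parses a response in the shape that /servicesNS/-/-/saved/searches returns with output_mode=json (entry, acl, content), lists scheduled searches with their actions, and flags searches owned by an admin or by nobody that a non-admin role may edit, building the same manager link as the SPL with urllib's percent-encoding instead of the sed. The response body, the host name and the admin user list are constructed for the example; in practice the admin list comes from /services/authentication/users as the SPL subsearch does.

```python
"""Audit saved searches from a Splunk REST response (offline, constructed sample)."""
import json
from urllib.parse import quote

# Constructed sample in the shape of
# GET /servicesNS/-/-/saved/searches?output_mode=json (entry / acl / content).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Failed logins > 10",
     "acl": {"app": "search", "owner": "admin",
             "perms": {"read": ["*"], "write": ["admin", "power"]}},
     "content": {"cron_schedule": "*/5 * * * *", "actions": "email",
                 "is_scheduled": True, "disabled": False}},
    {"name": "Weekly report",
     "acl": {"app": "search", "owner": "nobody",
             "perms": {"read": ["*"], "write": ["admin"]}},
     "content": {"cron_schedule": "0 6 * * 1", "actions": "email,script",
                 "is_scheduled": True, "disabled": False}},
    {"name": "Ad hoc lookup check",
     "acl": {"app": "myapp", "owner": "alice",
             "perms": {"read": ["*"], "write": ["user"]}},
     "content": {"cron_schedule": "", "actions": "",
                 "is_scheduled": False, "disabled": False}},
]})

# Assumption for the example: the SPL gets this set from the users endpoint (roles=admin).
ADMIN_USERS = {"admin"}


def parse_saved_searches(raw):
    """One flat row per saved search: title, app, owner, write roles, schedule, actions."""
    rows = []
    for e in json.loads(raw)["entry"]:
        acl, c = e["acl"], e["content"]
        rows.append({
            "title": e["name"],
            "app": acl["app"],
            "author": acl["owner"],
            "write_roles": list(acl["perms"].get("write", [])),
            "cron_schedule": c.get("cron_schedule") or "",
            "actions": [a for a in (c.get("actions") or "").split(",") if a],
            "scheduled": bool(c.get("is_scheduled")) and not c.get("disabled"),
        })
    return rows


def scheduled_with_actions(rows):
    """Counterpart of: | search cron_schedule="*/*" | table title,cron_schedule,actions."""
    return [(r["title"], r["cron_schedule"], r["actions"]) for r in rows if r["scheduled"]]


def manager_link(host, app, title):
    """Percent-encode the title like the sed in the SPL; safe='' also encodes '/' and ':'."""
    return (f"https://{host}/en-US/manager/{app}/admin/directory"
            f"?ns={app}&pwnr=-&app_only=1&search={quote(title, safe='')}")


def writable_by_non_admin(rows, admin_users=ADMIN_USERS, host="splunk.example.internal"):
    """Searches owned by an admin (or nobody) whose write perms include another role."""
    findings = []
    for r in rows:
        if r["author"] not in admin_users and r["author"] != "nobody":
            continue
        extra = sorted(role for role in r["write_roles"] if role and role != "admin")
        if extra:
            findings.append({"title": r["title"], "author": r["author"],
                             "write_roles": extra,
                             "link": manager_link(host, r["app"], r["title"])})
    return findings


if __name__ == "__main__":
    rows = parse_saved_searches(SAMPLE_RESPONSE)
    for row in scheduled_with_actions(rows):
        print("scheduled:", row)
    for finding in writable_by_non_admin(rows):
        print("review:", finding)
```

On the sample, only "Failed logins > 10" is reported: it is owned by admin and the power role can edit it. "Weekly report" is owned by nobody but writable only by admin, and the ad hoc search belongs to a non-admin user, so it is out of scope for this check.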
With this SPL you can list the indexes that exist, or check for a specific one. List all indexes:
| rest /services/data/indexes | fields title | rename title AS index
To check whether a specific index exists, use:
| rest /services/data/indexes | fields title | rename title AS index | search index=yourindex
Run on the deployment server, this search lists each deployment client and the apps deployed to it:
| rest /services/deployment/server/clients splunk_server=local | table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname
The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I've added a semicolon delimiter in order to literally be copy and paste into an application such as Microsoft Outlook. […]
This search lists saved searches whose alert_type is "always", with their expiry and suppression settings, and wraps the search text every 100 characters so it fits in a table cell:
| rest /servicesNS/-/-/saved/searches | table search title description alert_type triggered_alert_count "alert.expires" "alert.suppress" "alert.suppress.fields" | search alert_type="always" | fillnull value=0 triggered_alert_count | sort "triggered_alert_count" desc | rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search
This Splunk REST query will return KV Store metrics:
| rest /services/server/introspection/kvstore/collectionstats | mvexpand data | spath input=data | rex field=ns "(?<App>.*)\.(?<Collection>.*)" | eval dbsize=round(size/1024/1024, 2) | eval indexsize=round(totalIndexSize/1024/1024, 2) | stats first(count) AS "Number of Objects" first(nindexes) AS Accelerations first(indexsize) AS "Acceleration Size (MB)" first(dbsize) AS "Collection Size (MB)" by App, Collection
This Splunk REST query will return all enabled non-core applications:
| rest /services/apps/local | search disabled=0 core=0 | table label title version
The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment Server. This query should be run on your Deployment Server.
| rest /services/deployment/server/clients splunk_server=local | table hostname applications.*.serverclasses | untable hostname applications | rex field=applications "applications\.(?<apps>.+)\.serverclasses" | stats dc(hostname) as hostname by apps
The following Splunk query will show a table of all users and their roles:
| rest /services/authentication/users | stats values(roles) as Roles by user
*Admin Notes* I've found the following query to work better in my environment:
| rest /services/authentication/users | stats values(roles) as Roles by title
For Enterprise Security, this search lists enabled, scheduled correlation searches that create notable events, with their severity, suppression and risk settings (the `comment` macro calls are inline annotations and do not affect the results):
| rest splunk_server=local count=0 /services/saved/searches | search action.notable="1" is_scheduled="1" disabled="0" `comment("PERFORM A REST COMMAND ON SAVED SEARCHES WHERE THE SEARCH GENERATES A NOTABLE, IS SCHEDULED AND IS NOT DISABLED")` | table title action.notable.param.security_domain description search cron_schedule actions action.email.to action.notable.param.severity alert.suppress.fields alert.suppress.period action.notable.param.next_steps action.notable.param.rule_description action.risk.param._risk_score `comment("TABLE FIELDS")`
Run on the deployment server, this search numbers every deployment app together with the serverclasses that push it:
| rest /servicesNS/nobody/system/deployment/server/applications/ | search title=* | rename title as DeploymentApplication, serverclasses as serverClass | eval line=1 | accum line | fields line DeploymentApplication serverClass
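The three deployment-server searches above all work on the nested applications.<app>.stateOnClient and applications.<app>.serverclasses fields that `| rest` flattens out of the clients endpoint. The Python below is an added example, not code from the original page: it flattens a clients response into the same dotted field names and then produces the apps-per-host table, the hosts-per-app count and a hosts-per-serverclass count. The response body is constructed, and the nested "applications" layout it assumes for /services/deployment/server/clients with output_mode=json is an assumption, not something taken from a live server.

```python
"""Flatten deployment-server client records the way `| rest` does and
summarise apps and serverclasses per host (offline, constructed sample)."""
import json
import re
from collections import defaultdict

# Constructed sample; the nested "applications" layout is an assumption about
# GET /services/deployment/server/clients?output_mode=json, not copied from a live server.
SAMPLE_CLIENTS = json.dumps({"entry": [
    {"name": "c1", "content": {"hostname": "web01", "applications": {
        "base_inputs": {"stateOnClient": "enabled", "serverclasses": ["all_hosts"]},
        "web_inputs": {"stateOnClient": "enabled", "serverclasses": ["web"]}}}},
    {"name": "c2", "content": {"hostname": "web02", "applications": {
        "base_inputs": {"stateOnClient": "enabled", "serverclasses": ["all_hosts"]},
        "web_inputs": {"stateOnClient": "disabled", "serverclasses": ["web"]}}}},
    {"name": "c3", "content": {"hostname": "db01", "applications": {
        "base_inputs": {"stateOnClient": "enabled", "serverclasses": ["all_hosts"]}}}},
]})


def flatten(obj, prefix=""):
    """Turn nested dicts into dotted keys (applications.web_inputs.stateOnClient),
    which is the field layout the SPL table/untable/rex steps operate on."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def client_rows(raw):
    """One flattened row per deployment client."""
    return [flatten(e["content"]) for e in json.loads(raw)["entry"]]


STATE_RE = re.compile(r"^applications\.(\w+)\.stateOnClient$")
SC_RE = re.compile(r"^applications\.(\w+)\.serverclasses$")


def apps_by_host(rows):
    """hostname -> {app: stateOnClient}; counterpart of the untable/replace/stats search."""
    result = {}
    for row in rows:
        apps = {}
        for key, value in row.items():
            m = STATE_RE.match(key)
            if m:
                apps[m.group(1)] = value
        result[row["hostname"]] = apps
    return result


def hosts_per_app(rows):
    """app -> number of distinct hosts carrying it (dc(hostname) by app)."""
    hosts = defaultdict(set)
    for row in rows:
        for key in row:
            m = SC_RE.match(key)
            if m:
                hosts[m.group(1)].add(row["hostname"])
    return {app: len(h) for app, h in hosts.items()}


def hosts_per_serverclass(rows):
    """serverclass -> number of distinct hosts, the count the description asks for."""
    hosts = defaultdict(set)
    for row in rows:
        for key, value in row.items():
            if SC_RE.match(key):
                for sc in (value if isinstance(value, list) else [value]):
                    hosts[sc].add(row["hostname"])
    return {sc: len(h) for sc, h in hosts.items()}


if __name__ == "__main__":
    rows = client_rows(SAMPLE_CLIENTS)
    print(apps_by_host(rows))
    print(hosts_per_app(rows))
    print(hosts_per_serverclass(rows))
```

Note that hosts_per_app counts a host even when the app is disabled on it (web02 still appears under web_inputs), exactly as the SPL dc(hostname) does, because it keys on the serverclasses field rather than on stateOnClient; compare it with apps_by_host when the two disagree.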
For those who have more than a few indexes (we've got 27 non-administrative indexes) I wrote this search so people could figure out what we have and what it is used for. The search requires that there be a file called indexdescriptions.csv located in $SPLUNK_HOME/etc/apps/search/lookups (or "Program Files"\splunk\etc\apps\search\lookups\indexdescriptions.csv). That file should have "index,description" on the […]
This query will give you a table of all indexes and their respective retention period in days:
| rest splunk_server=* /services/data/indexes | join type=outer title [ | rest splunk_server=* /services/data/indexes-extended ] | eval retentionInDays=frozenTimePeriodInSecs/86400 | table title retentionInDays
The following Splunk REST query shows all roles, the number of capabilities, and the landing app for each user.
| rest /services/authentication/users | eval name=coalesce(realname, title) | stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name
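The user queries on this page (users and roles, the email copy-and-paste list, and the roles/capabilities/landing-app summary) all read /services/authentication/users. The Python below is an added example, not code from the original page: it parses a response in the shape that endpoint returns with output_mode=json (entry name is the username, details under content) and produces each of those views, plus the membership check a reviewer usually runs first: which accounts hold a given role. The user records are constructed for the example.

```python
"""Summarise Splunk user accounts from an authentication/users REST response
(offline, constructed sample)."""
import json
from collections import Counter

# Constructed sample in the shape of GET /services/authentication/users?output_mode=json:
# entry "name" is the username ("title" in SPL); account details sit under "content".
SAMPLE_USERS = json.dumps({"entry": [
    {"name": "admin", "content": {
        "realname": "Administrator", "email": "admin@example.internal",
        "roles": ["admin"], "capabilities": ["admin_all_objects", "edit_user", "search"],
        "defaultApp": "launcher", "type": "Splunk"}},
    {"name": "alice", "content": {
        "realname": "Alice Example", "email": "alice@example.internal",
        "roles": ["user", "power"], "capabilities": ["search", "schedule_search"],
        "defaultApp": "search", "type": "LDAP"}},
    {"name": "svc-ingest", "content": {
        "realname": "", "email": "",
        "roles": ["admin"], "capabilities": ["admin_all_objects", "edit_user", "search"],
        "defaultApp": "search", "type": "Splunk"}},
]})


def parse_users(raw):
    """One flat record per account with the fields the SPL queries use."""
    users = []
    for e in json.loads(raw)["entry"]:
        c = e["content"]
        users.append({
            "title": e["name"],
            "realname": c.get("realname") or "",
            "email": c.get("email") or "",
            "roles": sorted(c.get("roles") or []),
            "capabilities": list(c.get("capabilities") or []),
            "default_app": c.get("defaultApp") or "",
            "type": c.get("type") or "",
        })
    return users


def roles_by_user(users):
    """Counterpart of: | stats values(roles) as Roles by title."""
    return {u["title"]: u["roles"] for u in users}


def user_summary(users):
    """(name, roles, landing app, capability count); name falls back to the username
    when realname is empty (SPL coalesce only falls back on null, not on "")."""
    return [(u["realname"] or u["title"], u["roles"], u["default_app"], len(u["capabilities"]))
            for u in users]


def users_with_role(users, role):
    """Accounts holding a given role, e.g. admin, the first thing to review."""
    return [u["title"] for u in users if role in u["roles"]]


def email_list(users):
    """Semicolon-delimited addresses for pasting into a mail client; accounts without one are skipped."""
    return ";".join(u["email"] for u in users if u["email"])


def count_by_type(users):
    """Counterpart of: | stats count by type (the dashboard's pie chart)."""
    return dict(Counter(u["type"] for u in users))


if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS)
    print(roles_by_user(users))
    print(user_summary(users))
    print("admins:", users_with_role(users, "admin"))
    print(email_list(users))
    print(count_by_type(users))
```

The svc-ingest record shows why the role check matters more than the pretty table: a local service account with no real name and no email still carries the admin role and the same capabilities as the administrator.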
The following Splunk query uses REST to display non-internal indexes together with the sourcetypes of the inputs that write to them. It is my understanding that this is all time (such is the way of REST searches).
| rest /services/data/inputs/all | search index!=_* | stats values(sourcetype) by index
This search shows the user running it, their roles, and when the account was last updated, with the timestamp reformatted:
| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated "(?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+\.\d+)" | eval timestamp=timestampA.timestampB | eval timestamp=strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N") | eval timestamp=strftime(timestamp, "%c") | fields - timestampA timestampB
I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!
<dashboard>
  <label>REST API: access control</label>
  <row>
    <panel>
      <single>
        <title>You are</title>
        <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>And you have these permissions</title>
        <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">5</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Active users (sessions)</title>
        <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>All users (limited to 100)</title>
        <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Users by authentication system</title>
        <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</dashboard>