|
1 2 3 4 5 6 7 8 9 |
| rest splunk_server=local /services/data/lookup-table-files/ | rename eai:acl.app as app | table app title | search NOT title IN (*.kmz) | map maxsearches=990 search="| inputlookup $title$ | eval size=0 | foreach * [ eval size=size+coalesce(len('<<FIELD>>'),0), app=\"$app$\", title=$title$ | fields app title size]" | stats sum(size) by app title | sort - sum(size) |
Reports Owned by Admin Users and Writable by Others
|
1 2 3 4 5 6 7 8 9 10 11 |
| rest /servicesNS/-/-/saved/searches splunk_server=local | where [|rest /services/authentication/users splunk_server=local | search roles="admin" |fields title | rename title as author] OR author="nobody" | rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles | table author write_roles splunk_server app savedsearch_name splunk_server | mvexpand write_roles | where NOT write_roles IN("","admin") | mvcombine write_roles | eval search_name_for_link=savedsearch_name | rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g" | eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link | fields - search_name_for_link splunk_server |
I got a little fancy there with
|
1 |
search_name_for_link |
. The link is for clicking from the inline table of the alert email. You can easily skip that.
List all your existing indexes or check if index exists
With this spl you can check what indexes exist or if you want to search for a specific index. List all indexes:
|
1 |
|rest /services/data/indexes | fields title | rename title AS index |
Or check if a specific index exist use:
|
1 |
|rest /services/data/indexes | fields title | rename title AS index | search index=yourindex |
Splunk Apps added to an instance
|
1 |
| rest /services/deployment/server/clients splunk_server=local | table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname |
REST API: Table all Splunk User Email Addresses
The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I’ve added a semi colon delimiter in order to literally be copy and paste into an application such as Microsoft Outlook. […]
List Reports and Wrap the text
|
1 2 3 4 5 |
|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields" |search alert_type="always" |fillnull value=0 triggered_alert_count |sort "triggered_alert_count" desc |rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search |
Get KV Store Metrics
This Splunk REST query will return KV Store Metrics:
|
1 2 3 4 5 6 7 |
| rest /services/server/introspection/kvstore/collectionstats | mvexpand data | spath input=data | rex field=ns "(?<App>.*)\.(?<Collection>.*)" | eval dbsize=round(size/1024/1024, 2) | eval indexsize=round(totalIndexSize/1024/1024, 2) | stats first(count) AS "Number of Objects" first(nindexes) AS Accelerations first(indexsize) AS "Acceleration Size (MB)" first(dbsize) AS "Collection Size (MB)" by App, Collection |
List of installed non-core applications
This Splunk REST query will return all non-core applications:
|
1 |
| rest /services/apps/local | search disabled=0 core=0 | table label title version |
Number of Hosts Associated with a Serverclass
The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should be run on your Deployment Server.
|
1 |
| rest /services/deployment/server/clients splunk_server=local | table hostname applications.*.serverclasses | untable hostname applications | rex field=applications "applications\.(?<apps>.+)\.serverclasses" | stats dc(hostname) as hostname by apps |
List All Splunk Users & Associated Roles
The following Splunk query will show a table of all users and their roles:
|
1 |
| rest /services/authentication/users | stats values(roles) as Roles by user |
*Admin Notes* I’ve found the following query to work better in my environment:
|
1 |
| rest /services/authentication/users | stats values(roles) as Roles by title |
List of all enabled correlation rules that generate a notable
|
1 2 3 4 |
| rest splunk_server=local count=0 /services/saved/searches | search action.notable="1" is_scheduled="1" disabled="0" `comment("PERFORM A REST COMMAND ON SAVED SEARCHES WHERE THE SEARCH GENERATES A NOTABLE, IS SCHEDULED AND IS NOT DISABLED")` | table title action.notable.param.security_domain description search cron_schedule actions action.email.to action.notable.param.severity alert.suppress.fields alert.suppress.period action.notable.param.next_steps action.notable.param.rule_description action.risk.param._risk_score `comment("TABLE FIELDS”)` |
List Deployment Apps and the associated serverClass
| rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, serverclasses as serverClass | eval line=1 | accum line | fields line DeploymentApplication serverClass
Indexes in Splunk
For those who have more than a few indexes (we’ve got 27 non-administrative indexes) I wrote this search so people could figure-out what we have and what it is used for. The search requires that there be a file called indexdescriptions.csv located in $SPLUNK_HOME/etc/apps/search/lookups (or “Program Files”\splunk\etc\apps\search\lookups\indexdescriptions.csv ). That file should have “index,description” on the […]
Retention Period in days per index
This query will give you a table of all indexes and their respective retention period in days:
|
1 2 3 4 |
| rest splunk_server=* /services/data/indexes | join type=outer title [ | rest splunk_server=* /services/data/indexes-extended ] | eval retentionInDays=frozenTimePeriodInSecs/86400 | table title retentionInDays |
Show Splunk User to Role mapping
The following Splunk REST query shows all roles, number of capabilities, and landing app for each user.
|
1 2 3 |
| rest /services/authentication/users | eval name=coalesce(realname, title) | stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name |
Show all Indexes and Sourcetypes via REST
The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches)
|
1 2 3 |
| rest /services/data/inputs/all | search index!=_* | stats values(sourcetype) by index |
Remove Z or T string from your Timestamp
| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated (?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+) | eval timestamp= timestampA + timestampB | eval timestamp = strptime(timestamp, “%Y-%m-%d%H:%M:%S.%3N”) | eval timestamp=strftime(timestamp, “%c”) |fields – timestampA timestampB
User Info Dashboard – Using REST
I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
<dashboard> <label>REST API: access control</label> <row> <panel> <single> <title>You are</title> <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="drilldown">none</option> </single> </panel> <panel> <table> <title>And you have these permissions</title> <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="count">5</option> </table> </panel> </row> <row> <panel> <table> <title>Active users (sessions)</title> <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="count">10</option> </table> </panel> <panel> <table> <title>All users (limited to 100)</title> <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> </table> </panel> <panel> <chart> <title>Users by authentication system</title> <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">false</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">pie</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">right</option> </chart> </panel> </row> </dashboard> |
Use REST to gather Index Info
Here is some SPL to get useful information via REST on indexes within your Splunk environment:
|
1 2 3 4 5 |
| REST /services/data/indexes | eval currentDBSizeMB=tostring(currentDBSizeMB, "commas") | eval totalEventCount=tostring(totalEventCount, "commas") | eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60) | table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount |
Time Offset on Splunk Servers
This Splunk Query shows if there is a time offset on your Splunk servers. I borrowed and modified this one from the splunk clock skew search posted on www.bbosearch.com (another pretty awesome site like this one!). My version strips the unnecessary and renames some fields, but feel free to do what you want with it: […]
