Use this splunk search to get datails about alert actions | rest /services/saved/searches splunk_server=local count=0 |table title,actions
REST Call for a get details about Alert cron_schedules
Use this splunk search to show Alert’s cron_schedule details: | rest /services/saved/searches splunk_server=local count=0 | search “cron_schedule”=”*/*” |table title,cron_schedule,author
List the size of lookup files with an SPL search.
| rest splunk_server=local /services/data/lookup-table-files/ | rename eai:acl.app as app | table app title | search NOT title IN (*.kmz) | map maxsearches=990 search=”| inputlookup $title$ | eval size=0 | foreach * [ eval size=size+coalesce(len(‘<<FIELD>>’),0), app=\”$app$\”, title=$title$ | fields app title size]” | stats sum(size) by app title | sort – sum(size)
Reports Owned by Admin Users and Writable by Others
| rest /servicesNS/-/-/saved/searches splunk_server=local | where [|rest /services/authentication/users splunk_server=local | search roles=”admin” |fields title | rename title as author] OR author=”nobody” | rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles | table author write_roles splunk_server app savedsearch_name splunk_server | mvexpand write_roles | where NOT write_roles IN(“”,”admin”) | mvcombine write_roles | eval search_name_for_link=savedsearch_name […]
List all your existing indexes or check if index exists
With this spl you can check what indexes exist or if you want to search for a specific index. List all indexes: |rest /services/data/indexes | fields title | rename title AS index Or check if a specific index exist use: |rest /services/data/indexes | fields title | rename title AS index | search index=yourindex
Splunk Apps added to an instance
| rest /services/deployment/server/clients splunk_server=local | table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,”applications\.(\w+)\.stateOnClient”,”\1″) | stats values(applications) as applications by hostname
REST API: Table all Splunk User Email Addresses
The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I’ve added a semi colon delimiter in order to literally be copy and paste into an application such as Microsoft Outlook. […]
List Reports and Wrap the text
|rest /servicesNS/-/-/saved/searches |table search title description alert_type “alert.expires” “alert.suppress” “alert.suppress.fields” |search alert_type=”always” |fillnull value=0 triggered_alert_count |sort “triggered_alert_count” desc |rex max_match=100 field=”search” “(?<split__regex>.{0,100}(?:\s|$)|.{100})” | rename split__regex as search
Get KV Store Metrics
This Splunk REST query will return KV Store Metrics: | rest /services/server/introspection/kvstore/collectionstats | mvexpand data | spath input=data | rex field=ns “(?<App>.*)\.(?<Collection>.*)” | eval dbsize=round(size/1024/1024, 2) | eval indexsize=round(totalIndexSize/1024/1024, 2) | stats first(count) AS “Number of Objects” first(nindexes) AS Accelerations first(indexsize) AS “Acceleration Size (MB)” first(dbsize) AS “Collection Size (MB)” by App, Collection
List of installed non-core applications
This Splunk REST query will return all non-core applications: | rest /services/apps/local | search disabled=0 core=0 | table label title version
Number of Hosts Associated with a Serverclass
The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should be run on your Deployment Server. | rest /services/deployment/server/clients splunk_server=local | table hostname applications.*.serverclasses | untable hostname applications | rex field=applications “applications\.(?<apps>.+)\.serverclasses” | stats dc(hostname) as hostname by apps
List All Splunk Users & Associated Roles
The following Splunk query will show a table of all users and their roles: | rest /services/authentication/users | stats values(roles) as Roles by user *Admin Notes* I’ve found the following query to work better in my environment: | rest /services/authentication/users | stats values(roles) as Roles by title
List of all enabled correlation rules that generate a notable
| rest splunk_server=local count=0 /services/saved/searches | search action.notable=”1″ is_scheduled=”1″ disabled=”0″ `comment(“PERFORM A REST COMMAND ON SAVED SEARCHES WHERE THE SEARCH GENERATES A NOTABLE, IS SCHEDULED AND IS NOT DISABLED”)` | table title action.notable.param.security_domain description search cron_schedule actions action.email.to action.notable.param.severity alert.suppress.fields alert.suppress.period action.notable.param.next_steps action.notable.param.rule_description action.risk.param._risk_score `comment(“TABLE FIELDS”)`
List Deployment Apps and the associated serverClass
| rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, serverclasses as serverClass | eval line=1 | accum line | fields line DeploymentApplication serverClass
Indexes in Splunk
For those who have more than a few indexes (we’ve got 27 non-administrative indexes) I wrote this search so people could figure-out what we have and what it is used for. The search requires that there be a file called indexdescriptions.csv located in $SPLUNK_HOME/etc/apps/search/lookups (or “Program Files”\splunk\etc\apps\search\lookups\indexdescriptions.csv ). That file should have “index,description” on the […]
Retention Period in days per index
This query will give you a table of all indexes and their respective retention period in days: | rest splunk_server=* /services/data/indexes | join type=outer title [ | rest splunk_server=* /services/data/indexes-extended ] | eval retentionInDays=frozenTimePeriodInSecs/86400 | table title retentionInDays
Show Splunk User to Role mapping
The following Splunk REST query shows all roles, number of capabilities, and landing app for each user. | rest /services/authentication/users | eval name=coalesce(realname, title) | stats values(roles) as Role first(defaultApp) as “Landing App” count(capabilities) as “Number of Capabilities” by name
Show all Indexes and Sourcetypes via REST
The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches) | rest /services/data/inputs/all | search index!=_* | stats values(sourcetype) by index
Remove Z or T string from your Timestamp
| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated (?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+) | eval timestamp= timestampA + timestampB | eval timestamp = strptime(timestamp, “%Y-%m-%d%H:%M:%S.%3N”) | eval timestamp=strftime(timestamp, “%c”) |fields – timestampA timestampB
User Info Dashboard – Using REST
I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out! <dashboard> <label>REST API: access control</label> <row> <panel> <single> <title>You are</title> <searchString>| rest /services/authentication/current-context | where NOT username=”splunk-system-user” | fields username</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name=”drilldown”>none</option> […]
