REST Archives -

Reports Owned by Admin Users and Writable by Others

| rest /servicesNS/-/-/saved/searches splunk_server=local
| where [|rest /services/authentication/users splunk_server=local | search roles="admin" |fields title | rename title as author] OR author="nobody" 
| rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles
| table author write_roles splunk_server app savedsearch_name splunk_server
| mvexpand write_roles
| where NOT write_roles IN("","admin")
| mvcombine write_roles
| eval search_name_for_link=savedsearch_name
| rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g"
| eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link
| fields - search_name_for_link splunk_server

1

2

3

4

5

6

7

8

9

10

11

| rest /servicesNS/-/-/saved/searches splunk_server=local

| where [|rest /services/authentication/users splunk_server=local | search roles="admin" |fields title | rename title as author] OR author="nobody"

| rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles

| table author write_roles splunk_server app savedsearch_name splunk_server

| mvexpand write_roles

| where NOT write_roles IN("","admin")

| mvcombine write_roles

| eval search_name_for_link=savedsearch_name

| rex field=search_name_for_link mode=sed "s:%:%25:g s: :%20:g s:<:%3C:g s:>:%3E:g s:#:%23:g s:{:%7B:g s:}:%7D:g s:\|:%7C:g s:\\\:%5C:g s:\^:%5E:g s:~:%7E:g s:\[:%5B:g s:\]:%5D:g s:`:%60:g s:;:%3B:g s:/:%2F:g s:\?:%3F:g s/:/%3A/g s:@:%40:g s:=:%3D:g s:&:%26:g s:\$:%24:g s:\!:%21:g s:\*:%2A:g"

| eval link="https://".splunk_server."/en-US/manager/".app."/admin/directory?ns=".app."&pwnr=-&app_only=1&search=".search_name_for_link

| fields - search_name_for_link splunk_server

I got a little fancy there with

search_name_for_link

1	search_name_for_link

. The link is for clicking from the inline table of the alert email. You can easily skip that.

Continue Reading →

List all your existing indexes or check if index exists

With this spl you can check what indexes exist or if you want to search for a specific index. List all indexes:

|rest /services/data/indexes | fields title | rename title AS index

1	\|rest /services/data/indexes \| fields title \| rename title AS index

Or check if a specific index exist use:

 |rest /services/data/indexes | fields title | rename title AS index | search index=yourindex

1	\|rest /services/data/indexes \| fields title \| rename title AS index \| search index=yourindex

Continue Reading →

Splunk Apps added to an instance

| rest /services/deployment/server/clients splunk_server=local | table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname

1	\| rest /services/deployment/server/clients splunk_server=local \| table hostname applications*.stateOnClient \| untable hostname applications value \| eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") \| stats values(applications) as applications by hostname

Continue Reading →

REST API: Table all Splunk User Email Addresses

The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I’ve added a semi colon delimiter in order to literally be copy and paste into an application such as Microsoft Outlook. […]

Continue Reading →

List Reports and Wrap the text

|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields" 
|search alert_type="always"
|fillnull value=0 triggered_alert_count
|sort "triggered_alert_count" desc
|rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search

1

2

3

4

5

|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields"

|search alert_type="always"

|fillnull value=0 triggered_alert_count

|sort "triggered_alert_count" desc

|rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search

Continue Reading →

Get KV Store Metrics

This Splunk REST query will return KV Store Metrics:

| rest /services/server/introspection/kvstore/collectionstats
| mvexpand data
| spath input=data
| rex field=ns "(?<App>.*)\.(?<Collection>.*)"
| eval dbsize=round(size/1024/1024, 2)
| eval indexsize=round(totalIndexSize/1024/1024, 2)
| stats first(count) AS "Number of Objects" first(nindexes) AS Accelerations first(indexsize) AS "Acceleration Size (MB)" first(dbsize) AS "Collection Size (MB)" by App, Collection

1

2

3

4

5

6

7

| rest /services/server/introspection/kvstore/collectionstats

| mvexpand data

| spath input=data

| rex field=ns "(?<App>.*)\.(?<Collection>.*)"

| eval dbsize=round(size/1024/1024, 2)

| eval indexsize=round(totalIndexSize/1024/1024, 2)

| stats first(count) AS "Number of Objects" first(nindexes) AS Accelerations first(indexsize) AS "Acceleration Size (MB)" first(dbsize) AS "Collection Size (MB)" by App, Collection

Continue Reading →

List of installed non-core applications

This Splunk REST query will return all non-core applications:

| rest /services/apps/local | search disabled=0 core=0 | table label title version

1	\| rest /services/apps/local \| search disabled=0 core=0 \| table label title version

Continue Reading →

Number of Hosts Associated with a Serverclass

The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should be run on your Deployment Server.

| rest /services/deployment/server/clients splunk_server=local | table hostname applications.*.serverclasses | untable hostname applications | rex field=applications "applications\.(?<apps>.+)\.serverclasses" | stats dc(hostname) as hostname by apps

1	\| rest /services/deployment/server/clients splunk_server=local \| table hostname applications.*.serverclasses \| untable hostname applications \| rex field=applications "applications\.(?<apps>.+)\.serverclasses" \| stats dc(hostname) as hostname by apps

Continue Reading →

List All Splunk Users & Associated Roles

The following Splunk query will show a table of all users and their roles:

| rest /services/authentication/users | stats values(roles) as Roles by user

1	\| rest /services/authentication/users \| stats values(roles) as Roles by user

*Admin Notes* I’ve found the following query to work better in my environment:

| rest /services/authentication/users | stats values(roles) as Roles by title

1	\| rest /services/authentication/users \| stats values(roles) as Roles by title

Continue Reading →

List of all enabled correlation rules that generate a notable

| rest splunk_server=local count=0 /services/saved/searches | search action.notable="1" is_scheduled="1" disabled="0"
    `comment("PERFORM A REST COMMAND ON SAVED SEARCHES WHERE THE SEARCH GENERATES A NOTABLE, IS SCHEDULED AND IS NOT DISABLED")`
| table title action.notable.param.security_domain description search cron_schedule actions action.email.to action.notable.param.severity alert.suppress.fields alert.suppress.period action.notable.param.next_steps action.notable.param.rule_description action.risk.param._risk_score
     `comment("TABLE FIELDS”)`

1

2

3

4

| rest splunk_server=local count=0 /services/saved/searches | search action.notable="1" is_scheduled="1" disabled="0"

`comment("PERFORM A REST COMMAND ON SAVED SEARCHES WHERE THE SEARCH GENERATES A NOTABLE, IS SCHEDULED AND IS NOT DISABLED")`

| table title action.notable.param.security_domain description search cron_schedule actions action.email.to action.notable.param.severity alert.suppress.fields alert.suppress.period action.notable.param.next_steps action.notable.param.rule_description action.risk.param._risk_score

`comment("TABLE FIELDS”)`

Continue Reading →

List Deployment Apps and the associated serverClass

| rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, serverclasses as serverClass | eval line=1 | accum line | fields line DeploymentApplication serverClass

Continue Reading →

Indexes in Splunk

For those who have more than a few indexes (we’ve got 27 non-administrative indexes) I wrote this search so people could figure-out what we have and what it is used for. The search requires that there be a file called indexdescriptions.csv located in $SPLUNK_HOME/etc/apps/search/lookups (or “Program Files”\splunk\etc\apps\search\lookups\indexdescriptions.csv ). That file should have “index,description” on the […]

Continue Reading →

Retention Period in days per index

This query will give you a table of all indexes and their respective retention period in days:

| rest splunk_server=* /services/data/indexes | join type=outer title [
| rest splunk_server=* /services/data/indexes-extended
] | eval retentionInDays=frozenTimePeriodInSecs/86400
| table title retentionInDays

1

2

3

4

| rest splunk_server=* /services/data/indexes | join type=outer title [

| rest splunk_server=* /services/data/indexes-extended

] | eval retentionInDays=frozenTimePeriodInSecs/86400

| table title retentionInDays

Continue Reading →

Show Splunk User to Role mapping

The following Splunk REST query shows all roles, number of capabilities, and landing app for each user.

| rest /services/authentication/users 
| eval name=coalesce(realname, title) 
| stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name

1

2

3

| rest /services/authentication/users

| eval name=coalesce(realname, title)

| stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name

Continue Reading →

Show all Indexes and Sourcetypes via REST

The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches)

| rest /services/data/inputs/all
| search index!=_*
| stats values(sourcetype) by index

1

2

3

| rest /services/data/inputs/all

| search index!=_*

| stats values(sourcetype) by index

Continue Reading →

Remove Z or T string from your Timestamp

| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated (?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+) | eval timestamp= timestampA + timestampB | eval timestamp = strptime(timestamp, “%Y-%m-%d%H:%M:%S.%3N”) | eval timestamp=strftime(timestamp, “%c”) |fields – timestampA timestampB

Continue Reading →

User Info Dashboard – Using REST

I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!

<dashboard>
      <label>REST API: access control</label>
      <row>
        <panel>
          <single>
            <title>You are</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="drilldown">none</option>
          </single>
        </panel>
        <panel>
          <table>
            <title>And you have these permissions</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">5</option>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <table>
            <title>Active users (sessions)</title>
            <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">10</option>
          </table>
        </panel>
        <panel>
          <table>
            <title>All users (limited to 100)</title>
            <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            </table>
        </panel>
        <panel>
          <chart>
            <title>Users by authentication system</title>
            <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
            <option name="charting.axisTitleX.visibility">visible</option>
            <option name="charting.axisTitleY.visibility">visible</option>
            <option name="charting.axisTitleY2.visibility">visible</option>
            <option name="charting.axisX.scale">linear</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.axisY2.enabled">false</option>
            <option name="charting.axisY2.scale">inherit</option>
            <option name="charting.chart">pie</option>
            <option name="charting.chart.nullValueMode">gaps</option>
            <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
            <option name="charting.chart.stackMode">default</option>
            <option name="charting.chart.style">shiny</option>
            <option name="charting.drilldown">all</option>
            <option name="charting.layout.splitSeries">0</option>
            <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
            <option name="charting.legend.placement">right</option>
          </chart>
        </panel>
      </row>
    </dashboard>

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

<dashboard>

<label>REST API: access control</label>

<row>

<panel>

<single>

<title>You are</title>

<searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>

<earliestTime>0</earliestTime>

<latestTime/>

<option name="drilldown">none</option>

</single>

</panel>

<panel>

<table>

<title>And you have these permissions</title>

<searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>

<earliestTime>0</earliestTime>

<latestTime/>

<option name="wrap">true</option>

<option name="rowNumbers">false</option>

<option name="dataOverlayMode">none</option>

<option name="drilldown">cell</option>

<option name="count">5</option>

</table>

</panel>

</row>

<row>

<panel>

<table>

<title>Active users (sessions)</title>

<searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>

<earliestTime>0</earliestTime>

<latestTime/>

<option name="wrap">true</option>

<option name="rowNumbers">false</option>

<option name="dataOverlayMode">none</option>

<option name="drilldown">cell</option>

<option name="count">10</option>

</table>

</panel>

<panel>

<table>

<title>All users (limited to 100)</title>

<searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>

<earliestTime>0</earliestTime>

<latestTime/>

<option name="wrap">true</option>

<option name="rowNumbers">false</option>

<option name="dataOverlayMode">none</option>

<option name="drilldown">cell</option>

</table>

</panel>

<panel>

<chart>

<title>Users by authentication system</title>

<searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>

<earliestTime>0</earliestTime>

<latestTime/>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.enabled">false</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart">pie</option>

<option name="charting.chart.nullValueMode">gaps</option>

<option name="charting.chart.sliceCollapsingThreshold">0.01</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.drilldown">all</option>

<option name="charting.layout.splitSeries">0</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

</row>

</dashboard>

Continue Reading →

Use REST to gather Index Info

Here is some SPL to get useful information via REST on indexes within your Splunk environment:

| REST /services/data/indexes
| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")
| eval totalEventCount=tostring(totalEventCount, "commas")
| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)
| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

1

2

3

4

5

| REST /services/data/indexes

| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")

| eval totalEventCount=tostring(totalEventCount, "commas")

| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)

| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

Continue Reading →

Time Offset on Splunk Servers

This Splunk Query shows if there is a time offset on your Splunk servers. I borrowed and modified this one from the splunk clock skew search posted on www.bbosearch.com (another pretty awesome site like this one!). My version strips the unnecessary and renames some fields, but feel free to do what you want with it: […]

Continue Reading →

List of Alerts via REST

The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:

| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count

1	\| rest /services/alerts/fired_alerts splunk_server=local\| table eai:acl.owner eai:acl.app id title triggered_alert_count

Continue Reading →

Newest | Active

alasta

Active 3 days, 19 hours ago
lsjackcyber

Active 3 days, 23 hours ago
odisy

Active 1 week, 1 day ago
Oswaldo

Active 2 weeks ago
Максуд

Active 2 weeks, 2 days ago