REST Archives -

List Deployment Apps and the associated serverClass

Continue Reading →

Indexes in Splunk

For those who have more than a few indexes (we’ve got 27 non-administrative indexes) I wrote this search so people could figure-out what we have and what it is used for. The search requires that there be a file called indexdescriptions.csv located in $SPLUNK_HOME/etc/apps/search/lookups (or “Program Files”\splunk\etc\apps\search\lookups\indexdescriptions.csv ). That file should have “index,description” on the […]

Continue Reading →

Retention Period in days per index

This query will give you a table of all indexes and their respective retention period in days:

| rest splunk_server=* /services/data/indexes | join type=outer title [
| rest splunk_server=* /services/data/indexes-extended
] | eval retentionInDays=frozenTimePeriodInSecs/86400
| table title retentionInDays

| rest splunk_server=* /services/data/indexes | join type=outer title [

| rest splunk_server=* /services/data/indexes-extended

] | eval retentionInDays=frozenTimePeriodInSecs/86400

| table title retentionInDays

Continue Reading →

Show Splunk User to Role mapping

The following Splunk REST query shows all roles, number of capabilities, and landing app for each user.

| rest /services/authentication/users 
| eval name=coalesce(realname, title) 
| stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name

| rest /services/authentication/users

| eval name=coalesce(realname, title)

| stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name

Continue Reading →

Show all Indexes and Sourcetypes via REST

The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches)

| rest /services/data/inputs/all
| search index!=_*
| stats values(sourcetype) by index

| rest /services/data/inputs/all

| search index!=_*

| stats values(sourcetype) by index

Continue Reading →

Remove Z or T string from your Timestamp

| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated (?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+) | eval timestamp= timestampA + timestampB | eval timestamp = strptime(timestamp, “%Y-%m-%d%H:%M:%S.%3N”) | eval timestamp=strftime(timestamp, “%c”) |fields – timestampA timestampB

Continue Reading →

User Info Dashboard – Using REST

I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!

<dashboard>
      <label>REST API: access control</label>
      <row>
        <panel>
          <single>
            <title>You are</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="drilldown">none</option>
          </single>
        </panel>
        <panel>
          <table>
            <title>And you have these permissions</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">5</option>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <table>
            <title>Active users (sessions)</title>
            <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">10</option>
          </table>
        </panel>
        <panel>
          <table>
            <title>All users (limited to 100)</title>
            <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            </table>
        </panel>
        <panel>
          <chart>
            <title>Users by authentication system</title>
            <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
            <option name="charting.axisTitleX.visibility">visible</option>
            <option name="charting.axisTitleY.visibility">visible</option>
            <option name="charting.axisTitleY2.visibility">visible</option>
            <option name="charting.axisX.scale">linear</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.axisY2.enabled">false</option>
            <option name="charting.axisY2.scale">inherit</option>
            <option name="charting.chart">pie</option>
            <option name="charting.chart.nullValueMode">gaps</option>
            <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
            <option name="charting.chart.stackMode">default</option>
            <option name="charting.chart.style">shiny</option>
            <option name="charting.drilldown">all</option>
            <option name="charting.layout.splitSeries">0</option>
            <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
            <option name="charting.legend.placement">right</option>
          </chart>
        </panel>
      </row>
    </dashboard>

<label>REST API: access control</label>

<row>

<panel>

<searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>

</single>

</panel>

<panel>

<table>

<title>And you have these permissions</title>

<searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>

<option name="rowNumbers">false</option>

</table>

</panel>

</row>

<row>

<panel>

<table>

<title>Active users (sessions)</title>

<searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>

<option name="rowNumbers">false</option>

</table>

</panel>

<panel>

<table>

<title>All users (limited to 100)</title>

<searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>

<option name="rowNumbers">false</option>

</table>

</panel>

<panel>

<chart>

<title>Users by authentication system</title>

<searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.enabled">false</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

</row>

</dashboard>

Continue Reading →

Use REST to gather Index Info

Here is some SPL to get useful information via REST on indexes within your Splunk environment:

| REST /services/data/indexes
| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")
| eval totalEventCount=tostring(totalEventCount, "commas")
| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)
| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

| REST /services/data/indexes

| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")

| eval totalEventCount=tostring(totalEventCount, "commas")

| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)

| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

Continue Reading →

Time Offset on Splunk Servers

This Splunk Query shows if there is a time offset on your Splunk servers. I borrowed and modified this one from the splunk clock skew search posted on www.bbosearch.com (another pretty awesome site like this one!). My version strips the unnecessary and renames some fields, but feel free to do what you want with it: […]

Continue Reading →

List of Alerts via REST

The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:

| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count

1	\| rest /services/alerts/fired_alerts splunk_server=local\| table eai:acl.owner eai:acl.app id title triggered_alert_count

Continue Reading →

List of Extractions in Transforms.conf

Useful Splunk Query to show REGEX extractions in Transforms.conf

| rest /services/data/transforms/extractions | table title eai:appName REGEX FORMAT updated

1	\| rest /services/data/transforms/extractions \| table title eai:appName REGEX FORMAT updated

Continue Reading →

List of Props.conf Extractions

Useful Splunk Query to show extractions from Props.conf:

| rest /services/data/props/extractions | table title type value attribute

1	\| rest /services/data/props/extractions \| table title type value attribute

Continue Reading →

List Inputs using REST

As the title says. Pretty nice Splunk Search if you’ve forgotten what inputs you have configured and need a central place to list them.

| rest /services/data/inputs/all | convert ctime(starttime) AS "Start Time"  | convert ctime(endtime) AS "End Time" | table index interval source sourcetype title updated starttime endtime "Start Time" "End Time"

1	\| rest /services/data/inputs/all \| convert ctime(starttime) AS "Start Time" \| convert ctime(endtime) AS "End Time" \| table index interval source sourcetype title updated starttime endtime "Start Time" "End Time"

Continue Reading →

Show all currently logged in users

Use this Splunk rest query to list all currently logged in users (to your Splunk server). | rest /services/authentication/current-context | search NOT username=”splunk-system-user” | table username roles updated

Continue Reading →

REST Call for Memory & CPU usage on Splunk Servers

This Splunk search will show you use and available CPU and Memory statistics. Depending on your environment you may see multiple Splunk servers:

| rest  /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) |eval mem=tostring(mem, "commas") | eval mem_used=tostring(mem_used, "commas")| fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)"

| rest /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) |eval mem=tostring(mem, "commas") | eval mem_used=tostring(mem_used, "commas")| fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)"

Slightly modified from: http://www.brainfold.net/2016/03/frequently-used-rest-api-calls-in-splunk.html

Continue Reading →

REST Call for a list of Lookup Files

Use this splunk search to get a list of all lookup files:

| rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id

1	\| rest /services/data/transforms/lookups \| table eai:acl.app eai:appName filename title fields_list updated id

Continue Reading →

REST Call for Splunk Server Role Status

This REST Splunk search returns the status of roles on each Splunk server in your environment.

| rest /services/server/introspection | table title splunk_server status updated

1	\| rest /services/server/introspection \| table title splunk_server status updated

Continue Reading →

Splunk Objects With Permissions Granted to Non-existent Roles

Useful search to show a bit of detail on roles and user permissions.

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
 | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title
 | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')
 | fields - eai:acl.perms.*
 | mvexpand perms
 | where perms!="*" AND NOT
 [
 | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title
 | rename title as perms
 ]

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local

| fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title

| eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')

| fields - eai:acl.perms.*

| mvexpand perms

| where perms!="*" AND NOT

[

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local

| fields title

| rename title as perms

]

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Every index explicitly granted to a role

Self explanatory, maps roles to indexes. Useful if you have a lot of indexes!

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title,srchIndexesAllowed
 | rename srchIndexesAllowed as index title as role
 | mvexpand index
 | where NOT match(index,".*\*.*")

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local

| fields title,srchIndexesAllowed

| rename srchIndexesAllowed as index title as role

| mvexpand index

| where NOT match(index,".*\*.*")

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

All indexes not explicitly granted to a role

| rest /servicesNS/-/-/data/indexes count=0
 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title
 | fillnull
 | where internal=0 AND disabled=0 AND readonly=0
 | fields title
 | rename title as index
 | join index type=left
 [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title,srchIndexesAllowed
 | rename srchIndexesAllowed as index title as role
 | mvexpand index
 | where NOT match(index,".*\*.*") ]
 | search NOT role=*
 | fields index

| rest /servicesNS/-/-/data/indexes count=0

| stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title

| fillnull

| where internal=0 AND disabled=0 AND readonly=0

| fields title

| rename title as index

| join index type=left

[ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local

| fields title,srchIndexesAllowed

| rename srchIndexesAllowed as index title as role

| mvexpand index

| where NOT match(index,".*\*.*") ]

| search NOT role=*

| fields index

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Sourcetype: REST