|
1 2 3 4 |
| rest splunk_server=local count=0 /services/saved/searches | search action.notable="1" is_scheduled="1" disabled="0" `comment("PERFORM A REST COMMAND ON SAVED SEARCHES WHERE THE SEARCH GENERATES A NOTABLE, IS SCHEDULED AND IS NOT DISABLED")` | table title action.notable.param.security_domain description search cron_schedule actions action.email.to action.notable.param.severity alert.suppress.fields alert.suppress.period action.notable.param.next_steps action.notable.param.rule_description action.risk.param._risk_score `comment("TABLE FIELDS”)` |
List Deployment Apps and the associated serverClass
| rest /servicesNS/nobody/system/deployment/server/applications/ | search title =* | rename title as DeploymentApplication, serverclasses as serverClass | eval line=1 | accum line | fields line DeploymentApplication serverClass
Indexes in Splunk
For those who have more than a few indexes (we’ve got 27 non-administrative indexes) I wrote this search so people could figure-out what we have and what it is used for. The search requires that there be a file called indexdescriptions.csv located in $SPLUNK_HOME/etc/apps/search/lookups (or “Program Files”\splunk\etc\apps\search\lookups\indexdescriptions.csv ). That file should have “index,description” on the […]
Retention Period in days per index
This query will give you a table of all indexes and their respective retention period in days:
|
1 2 3 4 |
| rest splunk_server=* /services/data/indexes | join type=outer title [ | rest splunk_server=* /services/data/indexes-extended ] | eval retentionInDays=frozenTimePeriodInSecs/86400 | table title retentionInDays |
Show Splunk User to Role mapping
The following Splunk REST query shows all roles, number of capabilities, and landing app for each user.
|
1 2 3 |
| rest /services/authentication/users | eval name=coalesce(realname, title) | stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name |
Show all Indexes and Sourcetypes via REST
The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches)
|
1 2 3 |
| rest /services/data/inputs/all | search index!=_* | stats values(sourcetype) by index |
Remove Z or T string from your Timestamp
| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated (?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+) | eval timestamp= timestampA + timestampB | eval timestamp = strptime(timestamp, “%Y-%m-%d%H:%M:%S.%3N”) | eval timestamp=strftime(timestamp, “%c”) |fields – timestampA timestampB
User Info Dashboard – Using REST
I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
<dashboard> <label>REST API: access control</label> <row> <panel> <single> <title>You are</title> <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="drilldown">none</option> </single> </panel> <panel> <table> <title>And you have these permissions</title> <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="count">5</option> </table> </panel> </row> <row> <panel> <table> <title>Active users (sessions)</title> <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="count">10</option> </table> </panel> <panel> <table> <title>All users (limited to 100)</title> <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> </table> </panel> <panel> <chart> <title>Users by authentication system</title> <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">false</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">pie</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">right</option> </chart> </panel> </row> </dashboard> |
Use REST to gather Index Info
Here is some SPL to get useful information via REST on indexes within your Splunk environment:
|
1 2 3 4 5 |
| REST /services/data/indexes | eval currentDBSizeMB=tostring(currentDBSizeMB, "commas") | eval totalEventCount=tostring(totalEventCount, "commas") | eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60) | table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount |
Time Offset on Splunk Servers
This Splunk Query shows if there is a time offset on your Splunk servers. I borrowed and modified this one from the splunk clock skew search posted on www.bbosearch.com (another pretty awesome site like this one!). My version strips the unnecessary and renames some fields, but feel free to do what you want with it: […]
List of Alerts via REST
The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:
|
1 |
| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count |
List of Extractions in Transforms.conf
Useful Splunk Query to show REGEX extractions in Transforms.conf
|
1 |
| rest /services/data/transforms/extractions | table title eai:appName REGEX FORMAT updated |
List of Props.conf Extractions
Useful Splunk Query to show extractions from Props.conf:
|
1 |
| rest /services/data/props/extractions | table title type value attribute |
List Inputs using REST
As the title says. Pretty nice Splunk Search if you’ve forgotten what inputs you have configured and need a central place to list them.
|
1 |
| rest /services/data/inputs/all | convert ctime(starttime) AS "Start Time" | convert ctime(endtime) AS "End Time" | table index interval source sourcetype title updated starttime endtime "Start Time" "End Time" |
Show all currently logged in users
Use this Splunk rest query to list all currently logged in users (to your Splunk server). | rest /services/authentication/current-context | search NOT username=”splunk-system-user” | table username roles updated
REST Call for Memory & CPU usage on Splunk Servers
This Splunk search will show you use and available CPU and Memory statistics. Depending on your environment you may see multiple Splunk servers:
|
1 |
| rest /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) |eval mem=tostring(mem, "commas") | eval mem_used=tostring(mem_used, "commas")| fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)" |
Slightly modified from: http://www.brainfold.net/2016/03/frequently-used-rest-api-calls-in-splunk.html
REST Call for a list of Lookup Files
Use this splunk search to get a list of all lookup files:
|
1 |
| rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id |
REST Call for Splunk Server Role Status
This REST Splunk search returns the status of roles on each Splunk server in your environment.
|
1 |
| rest /services/server/introspection | table title splunk_server status updated |
Splunk Objects With Permissions Granted to Non-existent Roles
Useful search to show a bit of detail on roles and user permissions.
|
1 2 3 4 5 6 7 8 9 10 11 |
| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write') | fields - eai:acl.perms.* | mvexpand perms | where perms!="*" AND NOT [ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title | rename title as perms ] |
I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!
Every index explicitly granted to a role
Self explanatory, maps roles to indexes. Useful if you have a lot of indexes!
|
1 2 3 4 5 |
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as index title as role | mvexpand index | where NOT match(index,".*\*.*") |
I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!
