This query will show any clustered indexers that are currently in maintenance mode. For it to work as an alert you will need to schedule it. It will not work if you run it in real time. sourcetype=splunkd reason="'Maintenance mode*" | dedup host | eval maintenance_mode_enabled=if(reason="'Maintenance mode started'", "true", "false") | where maintenance_mode_enabled="true" | […]
List of indexes available to your role
| tstats count WHERE index=* OR index=_* BY index Don't forget that a time modifier is required.
List skipped searches by name, reason
index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count by savedsearch_name reason Look at the reason to know how to troubleshoot.
Detect Scheduler Running Twice a Search
There is a bug that causes a search to be executed two or more times. index=_internal sourcetype=scheduler scheduled_time=* savedsearch_name=* | stats count by scheduled_time, savedsearch_name | where count > 1
Count of Host added to Splunk by Month
Can we get a Splunk query that lists the hosts added to Splunk in a month? Like Month 1: 200 devices added, Month 2: 400 devices added. You would do this: host=* | stats dc(host) as host by date_month (Edits made and query provided by the GoSplunk Ninja)
Timestamp vs Indextime of Events (Diagnostic Query)
This query has in the past helped me track down issues between forwarders and indexers, and even on occasion find some time sync issues. Feel free to tweak, modify, and improve upon this query, as I'm not 100% certain the math will work in your favor outside of highlighting (positive or negative) time differences! index=* […]
Splunk Server Restart Duration
As titled, the following Splunk search query will show the restart duration (using the transaction command) of the Splunk service itself. index=_audit (action="splunkShuttingDown" OR action="splunkStarting") | eval Date=strftime(_time, "%Y/%m/%d") | transaction splunk_server startswith="action=splunkShuttingDown" endswith="action=splunkStarting" | eval duration=round(duration/60, 2) | table Date splunk_server duration | rename duration as "Splunk Restart Duration", splunk_server as "Splunk Server"
Introspection – Memory used by SID (Search ID)
Chart memory used by each SID (search ID) using the Introspection logs index="_introspection" "data.process"=splunkd | timechart max(data.mem_used) by data.search_props.sid usenull=f useother=f
Splunk Query to report on users logging on to the Splunk Web Console
index=_audit tag=authentication info=succeeded | dedup user | table user timestamp
Total Number of Hosts reporting in.
This query will list the total number of hosts reporting to the indexer for any specified time range. This only works for universal forwarders. If you have hosts reporting in over syslog (typically port 514) they will not be listed. index=_internal sourcetype=splunkd | stats dc(hostname) as "Number of Hosts"
Detailed list of Universal Forwarders Reporting to Indexer
The following query will list detailed information on the universal forwarders checking into the indexer. I've renamed some of the fields to be more user-friendly. index=_internal sourcetype=splunkd destPort!="-" | stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder […]