Members

See how well your DM searches are running.
Run this search using the Line Chart visualization:
index=_internal sourcetype=scheduler component=SavedSplunker ACCELERATE NOT skipped run_time=*
| rex […]

index=_internal sourcetype=dbx_server Starting dbx_task_server
Will return events that display a little dragon ascii art:

|___/|
(, /,)
/ /
(@_^_@)/ […]

Quick snippet to evaluate temperature Fahrentheit to Celsius:
| eval Temperature_Fahrenheit=Temperature_Celsius*1.8+32

Use this search to find unused dashboards:
| rest /servicesNS/-/-/data/ui/views splunk_server=*
| search isDashboard=1
| rename eai:acl.app as app
| fields title app
| join type=left title
[| search […]

A simple method on checking if your strftime (TIME_FORMAT=) in the props.conf matches your log file timestamp format.

strftime(X,Y)
This function takes a UNIX time value, X, as the first argument and renders the […]

I use this query a lot to tune and adjust scheduling, find out what searches need attention:
index=_internal sourcetype=scheduler result_count | extract pairdelim=”,”, kvdelim=”=”, auto=f | stats avg(result_count) […]

Use a linechart with this search to show you the indexing queue sizes:
index=_internal source=*metrics.log group=queue (name=parsingqueue OR name=indexqueue OR name=typingqueue OR name=aggqueue) | timechart […]

This query will give you a table with a percentage of skipped searches and an evaluation with 3 ranges
index=_internal sourcetype=scheduler | stats count as total, count(eval(status=”skipped”)) as skipped | eval […]

This query will give you a table of all indexes and their respective retention period in days:
| rest splunk_server=* /services/data/indexes | join type=outer title [
| rest splunk_server=* […]

This search displays the amount of buckets per indexer/index

To learn more about the | dbinspect command go to:

|dbinspect index=* | search index!=_* | chart dc(bucketId) over splunk_server by index

This search counts the amount of buckets per state for each index.

To learn more about | dbinspect go to:

|dbinspect index=* | eval state=case(state==”warm” OR state==”hot”,”hot/warm”,1=1, state) | chart […]

This search counts the amount of times the UF’s throughput limit is hit. I also threw in a sparkline:
index=_internal sourcetype=splunkd “current data throughput” | rex “Current data throughput ((?S+)” | eval […]

Where “host=”your_sh_host”” you could specify a host, or put a wildcard * in place.
index=”_internal” source=*access.log user!=”-” */app/* (host=”your_sh_host”)
| rex field=referer […]

This search creates a table to list all  Universal Forwarders. There is also an eval in there that classifies hosts based on their average Kbps. You can modify this as needed.
index=_internal source=*metrics.log […]

This query will show a timechart of the status of an Locked Out Account
sourcetype=”WinEventLog:Security” EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count

Use the following search to create a stacked barchart of AD Password change attempts:
source=”WinEventLog:Security” “EventCode=4723″ src_user!=”*$” src_user!=”_svc_*” | eval daynumber=strftime(_time,”%Y-%m-%d”) | […]

The streamstats count command creates a field called eventCount that displays
the amount of events from the fieldname you specify:
| streamstats count as eventCount by fieldname

A few different queries / methods to list all fields for indexes.
index=yourindex| fieldsummary | table field
or
index=yourindex | stats values(*) AS * | transpose | table column | rename column AS Fiel […]