Members

Description:
Use this Splunk search to find Base64 encoded content in DNS queries. The goal is to examine the DNS query field of the dns events to find subdomain streams that contain only Base64 valid […]

This Splunk Search shows you a lot of good information about your data model acceleration and performance.
| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | eval […]

This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter.
| gentimes start=-1 | eval field1=”pink,fluffy,unicorns” | table field1 | makemv field1 delim=”,” | eval […]

With this spl you can check what indexes exist or if you want to search for a specific index.

List all indexes:

|rest /services/data/indexes | fields title | rename title AS index

Or check if a specific index […]

See how well your DM searches are running.
Run this search using the Line Chart visualization:
index=_internal sourcetype=scheduler component=SavedSplunker ACCELERATE NOT skipped run_time=*
| rex […]

index=_internal sourcetype=dbx_server Starting dbx_task_server
Will return events that display a little dragon ascii art:

|___/|
(, /,)
/ /
(@_^_@)/ […]

Quick snippet to evaluate temperature Fahrentheit to Celsius:
| eval Temperature_Fahrenheit=Temperature_Celsius*1.8+32

Use this search to find unused dashboards:
| rest /servicesNS/-/-/data/ui/views splunk_server=*
| search isDashboard=1
| rename eai:acl.app as app
| fields title app
| join type=left title
[| search […]

A simple method on checking if your strftime (TIME_FORMAT=) in the props.conf matches your log file timestamp format.

strftime(X,Y)
This function takes a UNIX time value, X, as the first argument and renders the […]

I use this query a lot to tune and adjust scheduling, find out what searches need attention:
index=_internal sourcetype=scheduler result_count | extract pairdelim=”,”, kvdelim=”=”, auto=f | stats avg(result_count) […]

Use a linechart with this search to show you the indexing queue sizes:
index=_internal source=*metrics.log group=queue (name=parsingqueue OR name=indexqueue OR name=typingqueue OR name=aggqueue) | timechart […]

This query will give you a table with a percentage of skipped searches and an evaluation with 3 ranges
index=_internal sourcetype=scheduler | stats count as total, count(eval(status=”skipped”)) as skipped | eval […]

This query will give you a table of all indexes and their respective retention period in days:
| rest splunk_server=* /services/data/indexes | join type=outer title [
| rest splunk_server=* […]

This search displays the amount of buckets per indexer/index

To learn more about the | dbinspect command go to:

|dbinspect index=* | search index!=_* | chart dc(bucketId) over splunk_server by index

This search counts the amount of buckets per state for each index.

To learn more about | dbinspect go to:

|dbinspect index=* | eval state=case(state==”warm” OR state==”hot”,”hot/warm”,1=1, state) | chart […]

This search counts the amount of times the UF’s throughput limit is hit. I also threw in a sparkline:
index=_internal sourcetype=splunkd “current data throughput” | rex “Current data throughput ((?S+)” | eval […]

Where “host=”your_sh_host”” you could specify a host, or put a wildcard * in place.
index=”_internal” source=*access.log user!=”-” */app/* (host=”your_sh_host”)
| rex field=referer […]