-
6 years, 5 months ago
ItsJohnLocke wrote a new post
Show how much disk space is used by _internalThe following Splunk query will return disk space used by the _internal index. index=_internal […]
-
6 years, 9 months ago
ItsJohnLocke wrote a new post
There is an older Splunk query here that had previously predicted license usage. I’m not sure why (perhaps the predict command has changed since the original post in 2015?), but the query is no longer working. […]
-
6 years, 9 months ago
ItsJohnLocke commented on the post, Memory Usage (MB) per Splunk Process Class
In reply to: Azeemering wrote a new post Use the following search with a column chart visualisation. It will give you a good overview of what Splunk processes use the most memory: index=_introspection […] ViewI modified this to fit my environment by specifying a host specifically (where you have host=*).
Thanks for sharing, I’ve added it to an internal admin dashboard!
-
6 years, 9 months ago
ItsJohnLocke wrote a new post
The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches)
| rest /services/data/inputs/all
| […] -
6 years, 10 months ago
ItsJohnLocke wrote a new post
Ever wonder how your search performance is across search heads? Try this query.
Depending on your environment you’ll want to specify the host=* section to better represent your environment. Say if you have a […]
-
7 years, 10 months ago
ItsJohnLocke commented on the post, Malware Detection
In reply to: ItsJohnLocke wrote a new post I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article it’s a decent […] ViewWhen I posted this I got it here:
Detecting malware beacons using Splunk
Never tested it, but thought it was a pretty interesting idea!
-
8 years, 1 month ago
ItsJohnLocke wrote a new post
I found this very useful user statistics/information splunk dashboard on http://www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking […]
-
8 years, 1 month ago
ItsJohnLocke wrote a new post
Here is some SPL to get useful information via REST on indexes within your Splunk environment:
| REST /services/data/indexes
| eval currentDBSizeMB=tostring(currentDBSizeMB, “commas”)
| eval […] -
8 years, 5 months ago
ItsJohnLocke wrote a new post
The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:
| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count -
8 years, 6 months ago
ItsJohnLocke wrote a new post
List of Extractions in Transforms.confUseful Splunk Query to show REGEX extractions in Transforms.conf | rest /services/data/transforms/extractions | table title eai:appName REGEX FORMAT updated
-
8 years, 6 months ago
ItsJohnLocke wrote a new post
Useful Splunk Query to show extractions from Props.conf:
| rest /services/data/props/extractions | table title type value attribute
-
8 years, 6 months ago
ItsJohnLocke wrote a new post
As the title says. Pretty nice Splunk Search if you’ve forgotten what inputs you have configured and need a central place to list them.
| rest /services/data/inputs/all | convert ctime(starttime) AS “Start […]
-
8 years, 6 months ago
ItsJohnLocke wrote a new post
Use this Splunk rest query to list all currently logged in users (to your Splunk server).
| rest /services/authentication/current-context | search NOT username=”splunk-system-user” | table username roles updated
-
I am not sure what updated is supposed to do… but, it looked like something close to epoc time? Anyway, I cut it off and the query looked cleaner?
-
-
8 years, 6 months ago
ItsJohnLocke wrote a new post
Use this splunk search to get a list of all lookup files:
| rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id -
8 years, 6 months ago
ItsJohnLocke wrote a new post
This REST Splunk search returns the status of roles on each Splunk server in your environment.
| rest /services/server/introspection | table title splunk_server status updated
-
8 years, 6 months ago
ItsJohnLocke wrote a new post
Useful search to show a bit of detail on roles and user permissions.
| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
| fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, […] -
8 years, 6 months ago
ItsJohnLocke wrote a new post
Self explanatory, maps roles to indexes. Useful if you have a lot of indexes!
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
| fields title,srchIndexesAllowed
| rename srchIndexesAllowed […]-
Add
| stats values(role) by index
at the end to get a by-index summery of roles.
-
-
8 years, 6 months ago
ItsJohnLocke wrote a new post
This query is pretty awesome! It helped enlighten us to exactly when our splunk infrastructure is being hit with users
index=_internal sourcetype=splunk_web_access
[ rest / splunk_server=local
| fields […] -
8 years, 6 months ago
ItsJohnLocke wrote a new post
| rest /servicesNS/-/-/data/indexes count=0
| stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title
| fillnull
| where internal=0 AND disabled=0 AND readonly=0
| […] -
8 years, 10 months ago
ItsJohnLocke wrote a new post
I’m reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article it’s a decent read.
search.goes.here | […]-
When I posted this I got it here:
Detecting malware beacons using Splunk
Never tested it, but thought it was a pretty interesting idea!
-
- Load More
please can someone create me a search query that will show the highest source utilizing the license?