manderso

Displays sourcetypes being truncated on ingest, then on selection, shows the related _internal message & the an event that caused it to trigger.

Data Issues
Truncation, Date Parsing and Timestamp issues […]

ever make it work or still broke?

I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it. […]

Yeah, I didn’t try to exclude them, as they gave slightly different results than the apps w/out the “.”. Let me know how it works for you if you exclude them.

Created this dashboard to see when or if an application was deployed successfully. Close to splunkninja’s query, this will also show if the host in question also restarted to apply the new app.

Deployed […]

manderso replied 3 years, 12 months ago

Yeah, I didn’t try to exclude them, as they gave slightly different results than the apps w/out the “.”. Let me know how it works for you if you exclude them.

Shows status of buckets per indexer host, when they rolled from warm to cold, and cold to frozen. Gives a timechart and table of each, as well as detailed bucket names per index & host.

Bucket Status […]

manderso replied 3 years, 6 months ago

ever make it work or still broke?

It’s written for 7.2.3. What do you see when you try and load one of the searches?

This relies on the search posted earlier:

This will display storage and license usage broken down by groups, predefined in the chargeback app customers.csv

License and Storage […]

This was cobbled together from multiple searches I found. This search feeds the license and storage dashboard posted here:

It relies on the Chargeback app for the customers.csv form.
index=_internal […]

Shows the login activity to our linux environments, sudo commands per host and users.

Admin Notes: index=main was changed to index=* due to not everyone using the same index. This dashboard has been tested for […]

SplunkNinja replied 6 years ago

gbr,
I’m testing the xml and have no issues. Feel free to join our discord and let us know your issue! https://discord.gg/fFJhGPw
manderso replied 5 years, 9 months ago

It’s written for 7.2.3. What do you see when you try and load one of the searches?
unknow787 replied 10 months, 2 weeks ago

How can I achieve this with no XML file? I have sourcetype and index but no XML file. I can’t us any Add on or ingest files. I have to use the sourctype and the index they provided to me that live in Splunk already. I am able to get visual, but no data is populating. Any help would be greatly appreciated

I didn’t like the CPU input from the Splunk TA Nix app, so I created this small ingest from top. The script takes a snapshot of the top command, and looks directly at the header:
top -b -n 1 | sed -n ‘1,5p’
and […]

The following query shows uptime of all systems over a certain period of time (days_uptime). Replace my indexes w/ yours.
index=os OR index=idx_appdev sourcetype=Unix:Uptime OR sourcetype=”WMI:Uptime” |dedup […]

| rest splunk_server=local /services/apps/local | search update.version=* | table title version update.version
If that Splunk has internet access, it’ll have the update.* fields filled with the latest version if […]

Another view for which splunk user can do what in your splunk environment
| rest /services/authentication/users | mvexpand roles | table realname, title, roles, email | join roles [ rest […]

SplunkNinja replied 9 years, 5 months ago

Awesome query, thanks for sharing!

Members

manderso