Just sharing a query I found useful lately when licensing dashboards are being silly. Mileage may vary. index=”_introspection” component=”licensing.stack”| bucket _time span=1d | stats latest(“data.consumption”) as dataConsumption latest(“data.pools{}.quota”) as poolQuota by _time| eval pctUsed=(dataConsumption/poolQuota * 100)| timechart span=1d max(pctUsed)
Reports Owned by Admin Users and Writable by Others
| rest /servicesNS/-/-/saved/searches splunk_server=local | where [|rest /services/authentication/users splunk_server=local | search roles=”admin” |fields title | rename title as author] OR author=”nobody” | rename title AS savedsearch_name, eai:acl.app as app, eai:acl.perms.write as write_roles | table author write_roles splunk_server app savedsearch_name splunk_server | mvexpand write_roles | where NOT write_roles IN(“”,”admin”) | mvcombine write_roles | eval search_name_for_link=savedsearch_name […]
Disk Usage per Index by Indexer
Summary: Instead of grabbing data from all time, using the dbinspect command will allow administrators to quickly determine how big an index is. There are additional fields in the dbinspect, so explore that to gain other data pivots. |dbinspect index=_internal | stats sum(sizeOnDiskMB) by splunk_server
Show Searches with Details (Who | When | What)
The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search What sourcetype was used What index was used What the search string was When the search was last ran index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!=”‘typeahead*” | rex “search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\’))” | rex field=search […]
List All Splunk Users & Associated Roles
The following Splunk query will show a table of all users and their roles: | rest /services/authentication/users | stats values(roles) as Roles by user *Admin Notes* I’ve found the following query to work better in my environment: | rest /services/authentication/users | stats values(roles) as Roles by title
Splunk Admin Account Activity – Role Modifications
This Splunk query shows when the admin account performed Create or Modify Roles actions: index=”_audit” action=edit_roles operation=* | table _time user operation object*
Splunk Admin Account Activity – Account Modifications
This Splunk query shows when the admin account performed Account Modification / Deletion / Creation actions: index=_audit user=admin action=edit_user operation=* | table _time user operation object*
Index Modifications
This Splunk query should show which users attempted to modify an index and if that action was successful: index=_audit user=* action=indexes_edit | stats count by index info user action
