REST Archives -

User Info Dashboard – Using REST

I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!

<dashboard>
      <label>REST API: access control</label>
      <row>
        <panel>
          <single>
            <title>You are</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="drilldown">none</option>
          </single>
        </panel>
        <panel>
          <table>
            <title>And you have these permissions</title>
            <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">5</option>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <table>
            <title>Active users (sessions)</title>
            <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            <option name="count">10</option>
          </table>
        </panel>
        <panel>
          <table>
            <title>All users (limited to 100)</title>
            <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="wrap">true</option>
            <option name="rowNumbers">false</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">cell</option>
            </table>
        </panel>
        <panel>
          <chart>
            <title>Users by authentication system</title>
            <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>
            <earliestTime>0</earliestTime>
            <latestTime/>
            <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
            <option name="charting.axisTitleX.visibility">visible</option>
            <option name="charting.axisTitleY.visibility">visible</option>
            <option name="charting.axisTitleY2.visibility">visible</option>
            <option name="charting.axisX.scale">linear</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.axisY2.enabled">false</option>
            <option name="charting.axisY2.scale">inherit</option>
            <option name="charting.chart">pie</option>
            <option name="charting.chart.nullValueMode">gaps</option>
            <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
            <option name="charting.chart.stackMode">default</option>
            <option name="charting.chart.style">shiny</option>
            <option name="charting.drilldown">all</option>
            <option name="charting.layout.splitSeries">0</option>
            <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
            <option name="charting.legend.placement">right</option>
          </chart>
        </panel>
      </row>
    </dashboard>

<label>REST API: access control</label>

<row>

<panel>

<searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>

</single>

</panel>

<panel>

<table>

<title>And you have these permissions</title>

<searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>

<option name="rowNumbers">false</option>

</table>

</panel>

</row>

<row>

<panel>

<table>

<title>Active users (sessions)</title>

<searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>

<option name="rowNumbers">false</option>

</table>

</panel>

<panel>

<table>

<title>All users (limited to 100)</title>

<searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>

<option name="rowNumbers">false</option>

</table>

</panel>

<panel>

<chart>

<title>Users by authentication system</title>

<searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.enabled">false</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

</row>

</dashboard>

Continue Reading →

Use REST to gather Index Info

Here is some SPL to get useful information via REST on indexes within your Splunk environment:

| REST /services/data/indexes
| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")
| eval totalEventCount=tostring(totalEventCount, "commas")
| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)
| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

| REST /services/data/indexes

| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")

| eval totalEventCount=tostring(totalEventCount, "commas")

| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)

| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

Continue Reading →

List of Alerts via REST

The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:

| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count

1	\| rest /services/alerts/fired_alerts splunk_server=local\| table eai:acl.owner eai:acl.app id title triggered_alert_count

Continue Reading →

List Inputs using REST

As the title says. Pretty nice Splunk Search if you’ve forgotten what inputs you have configured and need a central place to list them.

| rest /services/data/inputs/all | convert ctime(starttime) AS "Start Time"  | convert ctime(endtime) AS "End Time" | table index interval source sourcetype title updated starttime endtime "Start Time" "End Time"

1	\| rest /services/data/inputs/all \| convert ctime(starttime) AS "Start Time" \| convert ctime(endtime) AS "End Time" \| table index interval source sourcetype title updated starttime endtime "Start Time" "End Time"

Continue Reading →

Show all currently logged in users

Use this Splunk rest query to list all currently logged in users (to your Splunk server). | rest /services/authentication/current-context | search NOT username=”splunk-system-user” | table username roles updated

Continue Reading →

REST Call for Memory & CPU usage on Splunk Servers

This Splunk search will show you use and available CPU and Memory statistics. Depending on your environment you may see multiple Splunk servers:

| rest  /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) |eval mem=tostring(mem, "commas") | eval mem_used=tostring(mem_used, "commas")| fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)"

| rest /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) |eval mem=tostring(mem, "commas") | eval mem_used=tostring(mem_used, "commas")| fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)"

Slightly modified from: http://www.brainfold.net/2016/03/frequently-used-rest-api-calls-in-splunk.html

Continue Reading →

REST Call for a list of Lookup Files

Use this splunk search to get a list of all lookup files:

| rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id

1	\| rest /services/data/transforms/lookups \| table eai:acl.app eai:appName filename title fields_list updated id

Continue Reading →

REST Call for Splunk Server Role Status

This REST Splunk search returns the status of roles on each Splunk server in your environment.

| rest /services/server/introspection | table title splunk_server status updated

1	\| rest /services/server/introspection \| table title splunk_server status updated

Continue Reading →

Splunk Objects With Permissions Granted to Non-existent Roles

Useful search to show a bit of detail on roles and user permissions.

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
 | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title
 | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')
 | fields - eai:acl.perms.*
 | mvexpand perms
 | where perms!="*" AND NOT
 [
 | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title
 | rename title as perms
 ]

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local

| fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title

| eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')

| fields - eai:acl.perms.*

| mvexpand perms

| where perms!="*" AND NOT

[

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local

| fields title

| rename title as perms

]

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Every index explicitly granted to a role

Self explanatory, maps roles to indexes. Useful if you have a lot of indexes!

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title,srchIndexesAllowed
 | rename srchIndexesAllowed as index title as role
 | mvexpand index
 | where NOT match(index,".*\*.*")

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local

| fields title,srchIndexesAllowed

| rename srchIndexesAllowed as index title as role

| mvexpand index

| where NOT match(index,".*\*.*")

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Average Splunk Web requests by hour

This query is pretty awesome! It helped enlighten us to exactly when our splunk infrastructure is being hit with users

index=_internal sourcetype=splunk_web_access
 [ rest / splunk_server=local
 | fields splunk_server
 | rename splunk_server as host ]
 | bin _time span=1d
 | stats count by date_hour _time
 | appendpipe [ fields _time
 | dedup _time
 | eval date_hour=mvrange(0,24,1)
 | eval count=0
 | mvexpand date_hour ]
 | stats sum(count) as count by date_hour _time
 | stats avg(count) as avg by date_hour
 | sort date_hour

index=_internal sourcetype=splunk_web_access

[ rest / splunk_server=local

| fields splunk_server

| rename splunk_server as host ]

| bin _time span=1d

| stats count by date_hour _time

| appendpipe [ fields _time

| dedup _time

| eval date_hour=mvrange(0,24,1)

| eval count=0

| mvexpand date_hour ]

| stats sum(count) as count by date_hour _time

| stats avg(count) as avg by date_hour

| sort date_hour

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

All indexes not explicitly granted to a role

| rest /servicesNS/-/-/data/indexes count=0
 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title
 | fillnull
 | where internal=0 AND disabled=0 AND readonly=0
 | fields title
 | rename title as index
 | join index type=left
 [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
 | fields title,srchIndexesAllowed
 | rename srchIndexesAllowed as index title as role
 | mvexpand index
 | where NOT match(index,".*\*.*") ]
 | search NOT role=*
 | fields index

| rest /servicesNS/-/-/data/indexes count=0

| stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title

| fillnull

| where internal=0 AND disabled=0 AND readonly=0

| fields title

| rename title as index

| join index type=left

[ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local

| fields title,srchIndexesAllowed

| rename srchIndexesAllowed as index title as role

| mvexpand index

| where NOT match(index,".*\*.*") ]

| search NOT role=*

| fields index

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Memory Usage and Information on Splunk Server

This Splunk Search Query will perform a rest call to indicate current memory consumption on the Splunk server(s) itself/themselves: *NOTE* The following has been modified from the “Distributed Management Console” to be more generic for a copy, paste, and search example.

| rest splunk_server=* /services/server/status/resource-usage/hostwide  | stats first(normalized_load_avg_1min) as load_average first(cpu_system_pct) as system, first(cpu_user_pct) as user first(mem) AS mem first(mem_used) AS mem_used by splunk_server | fields splunk_server mem mem_used | eval pctmemused=round((mem_used/mem)*100)."%" | table splunk_server pctmemused | rename splunk_server as "Splunk Server" pctmemused as "Percent of Memory Used"

| rest splunk_server=* /services/server/status/resource-usage/hostwide | stats first(normalized_load_avg_1min) as load_average first(cpu_system_pct) as system, first(cpu_user_pct) as user first(mem) AS mem first(mem_used) AS mem_used by splunk_server | fields splunk_server mem mem_used | eval pctmemused=round((mem_used/mem)*100)."%" | table splunk_server pctmemused | rename splunk_server as "Splunk Server" pctmemused as "Percent of Memory Used"

Continue Reading →

Tag: REST