Searching Your Searches

• Dashboards
• kdor
• 11 0

Below is the raw XML of a dashboard we wrote about on our blog a couple of months ago. Click here to read that blog, or copy/paste this XML in your Splunk instance!

<form theme="dark"> <label>Searching for Searches</label> <fieldset submitButton="true"> <input type="text" token="search_input"> <label>Search for field here:</label> </input> </fieldset> <row> <panel> <title>Dashboards</title> <single> <search> <query>| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*$search_input$*" | stats count</query> <earliest>-7d@h</earliest> <latest>now</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="height">285</option> <option name="rangeColors">["0xdc4e41","0x53a051"]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> <!--Setting the token for the hidden panel--> <drilldown> <set token="peekaboo">| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*$search_input$*" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS "Dashboard XML" | fields Author Permissions App "Dashboard XML"</set> </drilldown> </single> </panel> <panel> <title>Saved Searches</title> <single> <search> <query>| rest splunk_server=local /services/saved/searches | search search="*$search_input$*" | stats count</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="height">285</option> <option name="rangeColors">["0xdc4e41","0x53a051"]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> <!--Setting the token for the hidden panel--> <drilldown> <set token="peekaboo">| rest splunk_server=local /services/saved/searches | search search="*$search_input$*" | rename eai:acl.owner AS Author eai:acl.sharing AS Permissions eai:acl.app AS App search AS "Saved Search" | fields Author Permissions App "Saved Search"</set> </drilldown> </single> </panel> <panel> <title>Event Types</title> <single> <search> <query>| rest splunk_server=local /servicesNS/-/-/saved/eventtypes | search search="*$search_input$*" | stats count</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="height">285</option> <option name="rangeColors">["0xdc4e41","0x53a051"]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> <!--Setting the token for the hidden panel--> <drilldown> <set token="peekaboo">| rest splunk_server=local /servicesNS/-/-/saved/eventtypes | search search="*$search_input$*" | rename eai:acl.owner AS Author eai:acl.sharing AS Permissions eai:acl.app AS App search AS "Event Type" | fields Author Permissions App "Event Type"</set> </drilldown> </single> </panel> </row> <row> <!--Here is said hidden panel--> <panel depends="$peekaboo$"> <table> <search> <query>$peekaboo$</query> <earliest>-24h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <drilldown> <unset token="peekaboo"></unset> </drilldown> </table> </panel> </row> </form>

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89

<form theme="dark">   <label>Searching for Searches</label>   <fieldset submitButton="true">     <input type="text" token="search_input">       <label>Search for field here:</label>     </input>   </fieldset>   <row>     <panel>       <title>Dashboards</title>       <single>         <search>           <query>| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*$search_input$*" | stats count</query>           <earliest>-7d@h</earliest>           <latest>now</latest>         </search>         <option name="colorMode">block</option>         <option name="drilldown">all</option>         <option name="height">285</option>         <option name="rangeColors">["0xdc4e41","0x53a051"]</option>         <option name="rangeValues">[0]</option>         <option name="refresh.display">progressbar</option>         <option name="useColors">1</option>         <!--Setting the token for the hidden panel-->         <drilldown>           <set token="peekaboo">| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*$search_input$*" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS "Dashboard XML" | fields Author Permissions App "Dashboard XML"</set>         </drilldown>       </single>     </panel>     <panel>       <title>Saved Searches</title>       <single>         <search>           <query>| rest splunk_server=local /services/saved/searches | search search="*$search_input$*" | stats count</query>           <earliest>-24h@h</earliest>           <latest>now</latest>         </search>         <option name="colorMode">block</option>         <option name="drilldown">all</option>         <option name="height">285</option>         <option name="rangeColors">["0xdc4e41","0x53a051"]</option>         <option name="rangeValues">[0]</option>         <option name="refresh.display">progressbar</option>         <option name="useColors">1</option>         <!--Setting the token for the hidden panel-->         <drilldown>           <set token="peekaboo">| rest splunk_server=local /services/saved/searches | search search="*$search_input$*" | rename eai:acl.owner AS Author eai:acl.sharing AS Permissions eai:acl.app AS App search AS "Saved Search" | fields Author Permissions App "Saved Search"</set>         </drilldown>       </single>     </panel>     <panel>       <title>Event Types</title>       <single>         <search>           <query>| rest splunk_server=local /servicesNS/-/-/saved/eventtypes | search search="*$search_input$*" | stats count</query>           <earliest>-24h@h</earliest>           <latest>now</latest>         </search>         <option name="colorMode">block</option>         <option name="drilldown">all</option>         <option name="height">285</option>         <option name="rangeColors">["0xdc4e41","0x53a051"]</option>         <option name="rangeValues">[0]</option>         <option name="refresh.display">progressbar</option>         <option name="useColors">1</option>         <!--Setting the token for the hidden panel-->         <drilldown>           <set token="peekaboo">| rest splunk_server=local /servicesNS/-/-/saved/eventtypes | search search="*$search_input$*" | rename eai:acl.owner AS Author eai:acl.sharing AS Permissions eai:acl.app AS App search AS "Event Type" | fields Author Permissions App "Event Type"</set>         </drilldown>       </single>     </panel>   </row>   <row>     <!--Here is said hidden panel-->     <panel depends="$peekaboo$">       <table>         <search>           <query>$peekaboo$</query>           <earliest>-24h</earliest>           <latest>now</latest>         </search>         <option name="drilldown">cell</option>         <drilldown>           <unset token="peekaboo"></unset>         </drilldown>       </table>     </panel>   </row> </form>

Continue Reading →

List All Splunk Users & Associated Roles

• REST
• john117
• 1 1

The following Splunk query will show a table of all users and their roles:

| rest /services/authentication/users | stats values(roles) as Roles by user

1	| rest /services/authentication/users | stats values(roles) as Roles by user

*Admin Notes* I’ve found the following query to work better in my environment:

| rest /services/authentication/users | stats values(roles) as Roles by title

1	| rest /services/authentication/users | stats values(roles) as Roles by title

Continue Reading →

Dashboard and App views by user

• _internal
• john117
• 3 Comments
• 4 0

This Splunk query / search shows historical access to dashboards and apps on a local splunk server.

index=_internal sourcetype=splunk_web_access host=* user=* | rex field=uri_path ".*/(?<title>[^/]*)$" | join title [| rest /servicesNS/-/-/data/ui/views splunk_server=* | search isDashboard=1 isVisible=1 | rename eai:acl.app as app | fields title app ] | rename title as dashboard | stats count by _time user dashboard app host

1 2 3 4 5 6 7 8 9

index=_internal sourcetype=splunk_web_access host=* user=* | rex field=uri_path ".*/(?<title>[^/]*)$" | join title [| rest /servicesNS/-/-/data/ui/views splunk_server=* | search isDashboard=1 isVisible=1 | rename eai:acl.app as app | fields title app ] | rename title as dashboard | stats count by _time user dashboard app host

Continue Reading →

REST API response time

• _internal
• SplunkNinja
• 2 0

This is a Splunk query to measure REST API response time from the various rest URI’s in Splunk.

index=_internal sourcetype=splunkd_access source=*splunkd_access.log | rex "- - - (?P<Response_Time>.*)" | rex "\"(?<REST_uri>[^\"]+)" | table _time, REST_uri, Response_Time

1	index=_internal sourcetype=splunkd_access source=*splunkd_access.log | rex "- - - (?P<Response_Time>.*)" | rex "\"(?<REST_uri>[^\"]+)" | table _time, REST_uri, Response_Time

Credit goes to somesoni2 on answers.splunk.com! Query found here: https://answers.splunk.com/answers/112073/splunk-query-to-measure-rest-api-response-time.html

Continue Reading →

identify knowledge objects, permissions and extractions

• sedi
• 3 0

The following will: list all knowledge objects for your SH (or given search peer(s)) each objects name, type, app, permissions, sharing (e.g. global, app, private) and owner if props-extract: the props stanza, props type (e.g if its Inline or Transforms), props sourcetype and props value (e.g. the regex) if transforms-extract: the state (tf_disabled), format (tf_format), tf_fields […]

Continue Reading →

List permissions for Users, roles, allowed indexes and indexes searched by default

• sedi
• 1 Comment
• 4 0

Ok that one is a big one so be prepared ;) The following will (on a SH / SH Cluster): list all users and their roles list inherited roles list all indexes allowed by the shown roles list all indexes allowed for inherited roles (one level!) inherited allowed indexes will show the originator (which inherited […]

Continue Reading →

Show Splunk User to Role mapping

• _internal/ REST
• SplunkNinja
• 2 1

The following Splunk REST query shows all roles, number of  capabilities, and landing app for each user.

| rest /services/authentication/users | eval name=coalesce(realname, title) | stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name

1 2 3

| rest /services/authentication/users | eval name=coalesce(realname, title) | stats values(roles) as Role first(defaultApp) as "Landing App" count(capabilities) as "Number of Capabilities" by name

Continue Reading →

Show all Indexes and Sourcetypes via REST

• REST
• ItsJohnLocke
• 2 0

The following Splunk query uses REST to display non internal indexes associated with sourcetypes. It is my understanding that this is all time (such is the way of REST searches)

| rest /services/data/inputs/all | search index!=_* | stats values(sourcetype) by index

1 2 3

| rest /services/data/inputs/all | search index!=_* | stats values(sourcetype) by index

Continue Reading →

User Info Dashboard – Using REST

• REST
• ItsJohnLocke
• 13 0

I found this very useful user statistics/information splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out!

<dashboard>       <label>REST API: access control</label>       <row>         <panel>           <single>             <title>You are</title>             <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="drilldown">none</option>           </single>         </panel>         <panel>           <table>             <title>And you have these permissions</title>             <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="wrap">true</option>             <option name="rowNumbers">false</option>             <option name="dataOverlayMode">none</option>             <option name="drilldown">cell</option>             <option name="count">5</option>           </table>         </panel>       </row>       <row>         <panel>           <table>             <title>Active users (sessions)</title>             <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="wrap">true</option>             <option name="rowNumbers">false</option>             <option name="dataOverlayMode">none</option>             <option name="drilldown">cell</option>             <option name="count">10</option>           </table>         </panel>         <panel>           <table>             <title>All users (limited to 100)</title>             <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="wrap">true</option>             <option name="rowNumbers">false</option>             <option name="dataOverlayMode">none</option>             <option name="drilldown">cell</option>             </table>         </panel>         <panel>           <chart>             <title>Users by authentication system</title>             <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>             <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>             <option name="charting.axisTitleX.visibility">visible</option>             <option name="charting.axisTitleY.visibility">visible</option>             <option name="charting.axisTitleY2.visibility">visible</option>             <option name="charting.axisX.scale">linear</option>             <option name="charting.axisY.scale">linear</option>             <option name="charting.axisY2.enabled">false</option>             <option name="charting.axisY2.scale">inherit</option>             <option name="charting.chart">pie</option>             <option name="charting.chart.nullValueMode">gaps</option>             <option name="charting.chart.sliceCollapsingThreshold">0.01</option>             <option name="charting.chart.stackMode">default</option>             <option name="charting.chart.style">shiny</option>             <option name="charting.drilldown">all</option>             <option name="charting.layout.splitSeries">0</option>             <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>             <option name="charting.legend.placement">right</option>           </chart>         </panel>       </row>     </dashboard>

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80

<dashboard>       <label>REST API: access control</label>       <row>         <panel>           <single>             <title>You are</title>             <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="drilldown">none</option>           </single>         </panel>         <panel>           <table>             <title>And you have these permissions</title>             <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields capabilities | mvexpand capabilities</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="wrap">true</option>             <option name="rowNumbers">false</option>             <option name="dataOverlayMode">none</option>             <option name="drilldown">cell</option>             <option name="count">5</option>           </table>         </panel>       </row>       <row>         <panel>           <table>             <title>Active users (sessions)</title>             <searchString>| rest /services/authentication/httpauth-tokens | fields userName, timeAccessed | dedup userName sortby timeAccessed</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="wrap">true</option>             <option name="rowNumbers">false</option>             <option name="dataOverlayMode">none</option>             <option name="drilldown">cell</option>             <option name="count">10</option>           </table>         </panel>         <panel>           <table>             <title>All users (limited to 100)</title>             <searchString>| rest /services/authentication/users | fields title, realname | head 100</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="wrap">true</option>             <option name="rowNumbers">false</option>             <option name="dataOverlayMode">none</option>             <option name="drilldown">cell</option>             </table>         </panel>         <panel>           <chart>             <title>Users by authentication system</title>             <searchString>| rest /services/authentication/users | fields title, type | stats count by type</searchString>             <earliestTime>0</earliestTime>             <latestTime/>             <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>             <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>             <option name="charting.axisTitleX.visibility">visible</option>             <option name="charting.axisTitleY.visibility">visible</option>             <option name="charting.axisTitleY2.visibility">visible</option>             <option name="charting.axisX.scale">linear</option>             <option name="charting.axisY.scale">linear</option>             <option name="charting.axisY2.enabled">false</option>             <option name="charting.axisY2.scale">inherit</option>             <option name="charting.chart">pie</option>             <option name="charting.chart.nullValueMode">gaps</option>             <option name="charting.chart.sliceCollapsingThreshold">0.01</option>             <option name="charting.chart.stackMode">default</option>             <option name="charting.chart.style">shiny</option>             <option name="charting.drilldown">all</option>             <option name="charting.layout.splitSeries">0</option>             <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>             <option name="charting.legend.placement">right</option>           </chart>         </panel>       </row>     </dashboard>

Continue Reading →

Use REST to gather Index Info

• REST
• ItsJohnLocke
• 4 2

Here is some SPL to get useful information via REST on indexes within your Splunk environment:

| REST /services/data/indexes | eval currentDBSizeMB=tostring(currentDBSizeMB, "commas") | eval totalEventCount=tostring(totalEventCount, "commas") | eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60) | table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

1 2 3 4 5

| REST /services/data/indexes | eval currentDBSizeMB=tostring(currentDBSizeMB, "commas") | eval totalEventCount=tostring(totalEventCount, "commas") | eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60) | table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

Continue Reading →

List of Alerts via REST

• REST
• ItsJohnLocke
• 1 Comment
• 2 1

The following Splunk search (query) will show a list of alerts within Splunk via the | rest call:

| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count

1	| rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count

Continue Reading →

List Inputs using REST

• REST
• ItsJohnLocke
• 1 Comment
• 0 0

As the title says. Pretty nice Splunk Search if you’ve forgotten what inputs you have configured and need a central place to list them.

| rest /services/data/inputs/all | convert ctime(starttime) AS "Start Time"  | convert ctime(endtime) AS "End Time" | table index interval source sourcetype title updated starttime endtime "Start Time" "End Time"

1	| rest /services/data/inputs/all | convert ctime(starttime) AS "Start Time"  | convert ctime(endtime) AS "End Time" | table index interval source sourcetype title updated starttime endtime "Start Time" "End Time"

Continue Reading →

Show all currently logged in users

• REST
• ItsJohnLocke
• 1 Comment
• 3 0

Use this Splunk rest query to list all currently logged in users (to your Splunk server).   | rest /services/authentication/current-context | search NOT username=”splunk-system-user” | table username roles updated  

Continue Reading →

REST Call for Memory & CPU usage on Splunk Servers

• REST
• ItsJohnLocke
• 9 0

This Splunk search will show you use and available CPU and Memory statistics. Depending on your environment you may see multiple Splunk servers:

| rest /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) |eval mem=tostring(mem, "commas") | eval mem_used=tostring(mem_used, "commas")| fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)"

1

| rest  /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), "N/A", cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = round(mem_used, 0) | eval mem = round(mem, 0) |eval mem=tostring(mem, "commas") | eval mem_used=tostring(mem_used, "commas")| fields splunk_server, cpu_count, cpu_usage, mem, mem_used, mem_used_pct | sort - cpu_usage, -mem_used | rename splunk_server AS Instance, cpu_count AS "CPU Cores", cpu_usage AS "CPU Usage (%)", mem AS "Physical Memory Capacity (MB)", mem_used AS "Physical Memory Usage (MB)", mem_used_pct AS "Physical Memory Usage (%)"

Slightly modified from: http://www.brainfold.net/2016/03/frequently-used-rest-api-calls-in-splunk.html

Continue Reading →

REST Call for a list of Lookup Files

• REST
• ItsJohnLocke
• 1 Comment
• 5 0

Use this splunk search to get a list of all lookup files:

| rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id

1	| rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id

Continue Reading →

REST Call for Splunk Server Role Status

• REST
• ItsJohnLocke
• 0 1

This REST Splunk search returns the status of roles on each Splunk server in your environment.

| rest /services/server/introspection | table title splunk_server status updated

1	| rest /services/server/introspection | table title splunk_server status updated

 

Continue Reading →

Splunk Objects With Permissions Granted to Non-existent Roles

• REST
• ItsJohnLocke
• 1 0

Useful search to show a bit of detail on roles and user permissions.

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write') | fields - eai:acl.perms.* | mvexpand perms | where perms!="*" AND NOT [ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title | rename title as perms ]

1 2 3 4 5 6 7 8 9 10 11

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write') | fields - eai:acl.perms.* | mvexpand perms | where perms!="*" AND NOT [ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title | rename title as perms ]

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Every index explicitly granted to a role

• REST
• ItsJohnLocke
• 1 Comment
• 2 0

Self explanatory, maps roles to indexes. Useful if you have a lot of indexes!

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as index title as role | mvexpand index | where NOT match(index,".*\*.*")

1 2 3 4 5

| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as index title as role | mvexpand index | where NOT match(index,".*\*.*")

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

Average Splunk Web requests by hour

• _internal
• ItsJohnLocke
• 1 0

This query is pretty awesome! It helped enlighten us to exactly when our splunk infrastructure is being hit with users

index=_internal sourcetype=splunk_web_access [ rest / splunk_server=local | fields splunk_server | rename splunk_server as host ] | bin _time span=1d | stats count by date_hour _time | appendpipe [ fields _time | dedup _time | eval date_hour=mvrange(0,24,1) | eval count=0 | mvexpand date_hour ] | stats sum(count) as count by date_hour _time | stats avg(count) as avg by date_hour | sort date_hour

1 2 3 4 5 6 7 8 9 10 11 12 13 14

index=_internal sourcetype=splunk_web_access [ rest / splunk_server=local | fields splunk_server | rename splunk_server as host ] | bin _time span=1d | stats count by date_hour _time | appendpipe [ fields _time | dedup _time | eval date_hour=mvrange(0,24,1) | eval count=0 | mvexpand date_hour ] | stats sum(count) as count by date_hour _time | stats avg(count) as avg by date_hour | sort date_hour

I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →

All indexes not explicitly granted to a role

• REST
• ItsJohnLocke
• 0 0

| rest /servicesNS/-/-/data/indexes count=0 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title | fillnull | where internal=0 AND disabled=0 AND readonly=0 | fields title | rename title as index | join index type=left [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as index title as role | mvexpand index | where NOT match(index,".*\*.*") ] | search NOT role=* | fields index

1 2 3 4 5 6 7 8 9 10 11 12 13 14

| rest /servicesNS/-/-/data/indexes count=0 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title | fillnull | where internal=0 AND disabled=0 AND readonly=0 | fields title | rename title as index | join index type=left [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title,srchIndexesAllowed | rename srchIndexesAllowed as index title as role | mvexpand index | where NOT match(index,".*\*.*") ] | search NOT role=* | fields index

  I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376 Credit goes to acharlieh!

Continue Reading →