List all agents and versions :)
index=_internal source=*metrics.log group=tcpin_connections ``` forwarder connection metrics; one row per connecting agent ```
| eval sourceHost=coalesce(hostname, sourceHost) ``` reported hostname wins, sourceHost is the fallback ```
| dedup sourceHost
| where sourceIp != sourceHost
| table sourceHost sourceIp os version
| sort 0 version ``` 0 = no row limit, so every agent version is listed ```
List all sourcetypes and event dates
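| metadata type=sourcetypes index=*
| sort 0 +firstTime ``` sort while firstTime is still epoch; sorting after ctime would order the strings lexically (MM/DD first), not chronologically ```
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime sourcetype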
List sources and size
index="_internal" source="*metrics.log" group="per_source_thruput" ``` NOTE(review): metrics.log logs only the top series per interval by default, so totals here are a sample, not a full accounting; verify against license_usage.log ```
| eval GB=kb/1024/1024
| stats sum(GB) by series
| sort - sum(GB)
List License days remaining
| rest /services/licenser/licenses
| search group_id="enterprise" (status="valid" OR status="expired") ``` parentheses make the OR grouping explicit ```
| rename group_id as Type, splunk_server as "Splunk Server"
| eval "Quota (GB)"=quota/1024/1024/1024
| eval "Days Remaining"=round((expiration_time-now())/86400, 0) ``` now() is fixed at search start, so one value per run ```
| eval "Expiration Time"=strftime(expiration_time, "%Y-%m-%d %H:%M:%S")
| table Type "Quota (GB)" "Expiration Time" "Days Remaining" "Splunk Server" status
| where 'Days Remaining' < 10 ``` alert window: licenses expiring within 10 days (already-expired ones are negative and still shown) ```
List index size per day
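index=_internal source="*license_usage.log" type=Usage ``` only per-event Usage lines; without this the daily RolloverSummary lines (no idx) land in (UNKNOWN) and double-count ```
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| eval sourcetypename = st
| bin _time span=1d
| stats values(poolsz) as poolsz sum(b) as b by _time, pool, indexname, sourcetypename
| eval GB=(b/1024/1024/1024)
| eval pool=(poolsz/1024/1024/1024)
| fields _time, indexname, sourcetypename, GB, pool
| search indexname=* sourcetypename=*
| stats sum(GB) as GB by _time indexname ``` pool and sourcetype detail is folded away here; keep the earlier stats if you need it ```
| eval GB = round(GB,4)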
List index size per indexer
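| rest /services/data/indexes
| where disabled = 0
| search title="wh_aws" ``` one index per run; change or drop this filter to report every index ```
| where currentDBSizeMB > 0 ``` filter on MB: rounding to GB first hid every index under 512 MB ```
| eval currentDBSizeGB = round(currentDBSizeMB / 1024)
| eval maxTotalDataSizeGB = round(maxTotalDataSizeMB / 1024) ``` new field name so MB and GB values are never confused ```
| eval frozenTimePeriodInDays = round(frozenTimePeriodInSecs / 60 / 60 / 24)
| eval first_event=strptime(minTime,"%Y-%m-%dT%H:%M")
| eval last_event=strptime(maxTime,"%Y-%m-%dT%H:%M")
| eval TimeDiff = round((last_event - first_event) / 60 / 60 / 24, 2) ``` span of stored data in days ```
| table splunk_server title summaryHomePath_expanded minTime maxTime currentDBSizeGB totalEventCount frozenTimePeriodInDays maxTotalDataSizeGB TimeDiff
| rename minTime AS earliest, maxTime AS latest, summaryHomePath_expanded AS index_path, currentDBSizeGB AS "Size(GB)", totalEventCount AS Count, frozenTimePeriodInDays AS Days, maxTotalDataSizeGB AS "Max(GB)", title AS index, TimeDiff AS Duration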
List users
| rest /services/authentication/users splunk_server=local ``` accounts on this search head only; handy for periodic access reviews (stale users, over-broad roles) ```
| fields title, type, realname, email, roles
| nomv roles ``` flatten the multivalue role list into one cell ```
| rename title AS Username, type AS Authentication, realname AS "Full Name", email AS Email, roles AS Roles
List sourcetypes whose latest event is older than X
| tstats latest(_time) as latest where index=* by sourcetype host index
| eval cutoff=relative_time(now(), "-4h") ``` X = 4 hours; a source that has been silent longer than this may be a stopped forwarder or a logging gap ```
| where latest < cutoff
| fields - cutoff
| convert ctime(latest)
List indexes on remote search head
| rest /services/data/indexes ``` without splunk_server= this fans out to every search peer ```
| search NOT title="_*" NOT title IN ("history", "summary", "example", "main", "splunklogger") ``` drop internal and default indexes ```
| dedup title ``` NOTE(review): keeps one peer's row per index, so the size and count columns come from a single indexer, not a cluster total ```
| table title currentDBSizeMB maxTotalDataSizeMB totalEventCount minTime maxTime
Find top hosts
| tstats count by host ``` no where clause: presumably limited to the role's default indexes, verify for your deployment ```
| eventstats sum(count) as total
| eval percentage = round(count/total*100,0) ``` share of all events, whole percent ```
| fields - total
| sort 40 - count ``` top 40 hosts by event count ```