This is a Gist of useful Splunk queries.
  
    
  ``` Indexes that no role names explicitly in srchIndexesAllowed. Wildcard grants such as * or _* are deliberately ignored, so an index reachable only through a wildcard still shows up here. ```
| rest /servicesNS/-/-/data/indexes count=0
``` one row per index name; a flag counts as set if any returned row (e.g. any search peer) reports it ```
| stats max(isInternal) AS is_internal, max(disabled) AS is_disabled, max(isReadOnly) AS is_readonly BY title
| fillnull value=0 is_internal is_disabled is_readonly
| where is_internal=0 AND is_disabled=0 AND is_readonly=0
| rename title AS index
| fields index
``` left join keeps every index; role stays null when no explicit grant names it. NOTE(review): the role list runs as a subsearch and is subject to the subsearch result limit; on large role sets confirm nothing is truncated. ```
| join type=left index
    [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
    | rename srchIndexesAllowed AS index, title AS role
    | fields role, index
    | mvexpand index
    | where NOT match(index, ".*\*.*") ]
| where isnull(role)
| fields index
  
    
  ``` Average number of web-access requests per hour of day on this search head. Hours with no traffic are zero-filled first, so quiet hours lower the average instead of being skipped. ```
index=_internal sourcetype=splunk_web_access
    [ rest / splunk_server=local
    | fields splunk_server
    | rename splunk_server AS host ]
| bin span=1d _time
| stats count BY date_hour, _time
``` appendpipe adds a count=0 row for all 24 hours of every day already present in the results ```
| appendpipe
    [ dedup _time
    | fields _time
    | eval date_hour=mvrange(0,24,1), count=0
    | mvexpand date_hour ]
| stats sum(count) AS count BY date_hour, _time
``` NOTE(review): date_hour comes from the event itself while bin uses the search's time zone; confirm day boundaries line up on non-UTC deployments ```
| stats avg(count) AS avg BY date_hour
| sort date_hour
  
    
  ``` One row per (role, index) pair for every explicit index grant; wildcard grants such as * or _* are dropped so only named indexes remain ```
| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
| rename srchIndexesAllowed AS index, title AS role
| fields role, index
| mvexpand index
| where NOT like(index, "%*%")
  
    
  ``` Dashboard search: per-index event counts, on-disk size and time span, limited to the indexes the role(s) in $roleName$ may search. Triple-backtick comments must be removed on Splunk releases that do not support SPL comments. ```
| rest /servicesNS/-/-/data/indexes count=0
| rename title as index
``` The subsearch builds the index filter from the role(s) in $roleName$ (semicolon-separated): each role's direct and imported srchIndexesAllowed, or the pair "*;_*" when the token is "*"; the row for index="*" also carries isInternal=0. The "fields - *" / eval steps presumably strip a placeholder row down to the eval'd values only. NOTE(review): $indexName$ and $roleName$ are substituted verbatim into this SPL before it runs, so back them with fixed-choice inputs (or the |s token filter) rather than free text. ```
| search index=$indexName$ [
rest /servicesNS/-/-/authorization/roles/ splunk_server=local
| search [
rest / splunk_server=local
| head 1
| fields - *
| eval title=split("$roleName$",";")
| mvexpand title
]
| where "$roleName$"!="*"
| append [
rest / splunk_server=local
| head 1
| fields - *
| eval srchIndexesAllowed=split("*;_*",";")
| where "$roleName$"="*"
]
| eval index=mvappend(imported_srchIndexesAllowed,srchIndexesAllowed)
| fields index
| mvexpand index
| dedup index
| eval isInternal=case(index="*",0)
]
``` guards against isReadOnly being missing so the comparison below sees 0 rather than null ```
| fillnull isReadOnly
``` keep enabled, writable indexes other than _blocksignature and _thefishbucket; the trailing subsearch expands to this search head's own splunk_server name, so its local rows are excluded (presumably to count indexer-side data only) ```
| where disabled=0 AND isReadOnly=0 AND index!="_blocksignature" AND index!="_thefishbucket" AND NOT [
rest / splunk_server=local
| head 1
| fields splunk_server
]
``` two flavours of every metric: a "combined" total across servers and a per-"server" list ```
| stats
sum(totalEventCount) as eventCountcombined,
list(totalEventCount) as eventCountserver,
sum(currentDBSizeMB) as sizeMBcombined,
list(currentDBSizeMB) as sizeMBserver,
max(maxTime) as maxTimecombined,
list(maxTime) as maxTimeserver,
min(minTime) as minTimecombined,
list(minTime) as minTimeserver,
list(splunk_server) as indexerserver
by index
``` $serverResults$ presumably holds "combined" or "server": every column with that suffix is kept and the suffix stripped; index is renamed first so it survives the wildcard fields ```
| rename index as index$serverResults$
| fields *$serverResults$
| rename *$serverResults$ as *
| table index, eventCount,sizeMB,maxTime,minTime,*
  
    
  ``` Knowledge objects whose read or write ACL names a role that is not currently defined (typically left behind when a role is deleted or renamed) ```
| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
| fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title
``` flatten read and write grants into one field, then one row per granted role name ```
| eval perms=mvappend('eai:acl.perms.read', 'eai:acl.perms.write')
| fields - eai:acl.perms.*
| mvexpand perms
``` the subsearch expands to an OR over every existing role name; negating it leaves only the orphaned entries ```
| where perms!="*" AND NOT
    [ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
    | rename title AS perms
    | fields perms ]
  