@faststeak
faststeak / gist:e17915132f4d364d627764204c74e36c
Last active December 11, 2017 18:18
Splunk search for determining which apps are being managed from a deployment server, and which server class is associated with the app
| rest splunk_server=local /services/deployment/client/config
| fields serverClasses
| mvexpand serverClasses
| rex field=serverClasses "(?<serverClass>[^:]+):(?<app>\S+)"
| fields serverClass app
@faststeak
faststeak / gist:00329232e83943a8a5074e3b2c44d936
Created December 11, 2017 16:20
Splunk - quick search to get a list of deployment server apps with corresponding server classes
| rest splunk_server=local /services/deployment/server/applications
| fields title id serverclasses
| where isnotnull(serverclasses)
| mvexpand serverclasses
@faststeak
faststeak / gist:66768507a3c2f7833ca3aad0f6d6b557
Last active January 4, 2018 16:20
Splunk search for Cisco ACS data, shows users/device connections to APs
index=firewall sourcetype="cisco:acs" eventtype=cisco_acs_auth_events
| streamstats values(message) as message by message_id
| eval message=mvjoin(message, ",")
| stats values(UserName) as UserName values(User_Name) as User_Name values(Called_Station_ID) as Called_Station_ID by Calling_Station_ID
@faststeak
faststeak / gist:65008294c8cd0e6f6b683b9fc940e571
Created January 4, 2018 17:31
Splunk REST search for making a table of installed apps with some useful fields
| rest /services/apps/local
| search disabled=0 NOT (label="Apps Browser" OR label="splunk_httpinput" OR label="learned" OR label="framework" OR label="introspection_generator_addon" OR label="_cluster" OR label="Instrumentation" OR label="Search & Reporting" OR label="Home" OR label="Log Event Alert Action" OR label="Splunk Archiver App" OR label="Webhook Alert Action" OR label="Monitoring Console")
| stats max(version) as version values(*) as * by label
| fields label version description title details managed_by_deployment_client visible
| eval managed_by_deployment_client=case((managed_by_deployment_client==1),"Yes",(managed_by_deployment_client==0),"No")
| eval visible=case((visible==1),"Yes",(visible==0),"No")
| rename label as App version as Version title as Folder details as "Splunkbase URL" managed_by_deployment_client as "Managed by Deployment Server" visible as Visible
## Note: This search returns just about every character you typed, because the UI logs each partial search as you type it. It takes some scrolling to find the search you actually ran. When I find a better way, I'll update this.
index=_internal user=<your splunk user here> sourcetype=splunkd_ui_access search=* | eval search=urldecode(search) | stats count by user search
@faststeak
faststeak / gist:1f41e8b1de20382f5423bb62194275b0
Created June 5, 2018 15:32
Splunk Search to find odd dns behavior
# This is possibly an interesting search to find dns pre-fetching and other odd dns behavior.
# Suggestion: Use the initial DNS.query="*.someplace.net" to aim at the internal network.
| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.query="*.someplace.net" NOT DNS.query="some hosts*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
| rename DNS.query as query DNS.src as src
| eval query_punct=query
| rex mode=sed field=query_punct "s/\w+//g"
| search NOT query_punct="--.-.----"
| `ut_shannon(query)`
| stats sum(ut_shannon) as ut_shannon_sum values(query) as query by src
@faststeak
faststeak / gist:a2c66f44a55014f351c408fede9c5b12
Created June 12, 2018 17:54
Splunk - Search to find host/ip pairs with DNS data
| tstats summariesonly=true allow_old_summaries=true values(DNS.answer) as ip_query from datamodel=Network_Resolution.DNS where "DNS.message_type"=RESPONSE "DNS.record_type"=A* NOT DNS.answer="unknown" AND NOT DNS.answer="127.*" AND NOT DNS.answer="*:*" AND NOT DNS.query="*._msdcs.*" by "DNS.query"
| rename DNS.query as dns
| lookup cim_corporate_web_domain_lookup domain as dns output domain as found
| search found=*
| eval dns=lower(dns)
@faststeak
faststeak / gist:812e99d1604fa2db9c90709d02a3117c
Created June 27, 2018 13:29
Splunk search to check app usage on an SH
index=_internal host=<your search head(s) here> app=* source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" OR source="/opt/splunk/var/log/splunk/web_access.log"
| rex "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+-\s+(?<user>\S+)"
| search NOT (user="-" OR user=<your user, if you recently visited the apps>)
| stats max(_time) as last_used dc(user) as app_user_count values(user) as user by app host
| convert ctime(last_used)
| search NOT (app=search OR app=launcher)
# I filtered my own user because I was visiting every app just before running this search.
# /etc/systemd/system/splunkd.service
# https://answers.splunk.com/answers/59662/is-there-a-systemd-unit-file-for-splunk.html
[Unit]
Description=Splunk Enterprise
After=network.target
Wants=network.target
[Service]
#Type=forking
Type=simple
@faststeak
faststeak / .bash_profile
Last active December 15, 2018 15:26
Fix Splunk bash
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi