questsin · February 20, 2019 18:33
diff --git a/splunk.txt b/splunk.txt
 index="iptv_sol_cdn_ats" | stats count by _raw

 index="staging" NOT name="*"   sourcetype=DownloadSessionEvent | af classfield=status

 index=iptv_*  index !=*cdn*
 | eval diff= (_indextime - _time)/1000
 | bin diff bins=20 
 | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") 
 |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")  
 | stats count by  index diff

 index="iptv_sol_cdn_ats" sourcetype="custom_ats_2" pssc=200
 | rex field=host "ats(?<CDN_Type>[^\-]+)\-(?<Site>[^\-]+)\-"
 | stats count by ttms Site

 index=iptv_*  index !=*cdn*
 | eval diff= (_indextime - _time)/1000
 | bin diff bins=20 
 | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") 
 |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")  
 | stats count by  index diff

 | tstats count where index=iptv_* by index _time span=1m 
 | stats count max(_time) as T by index
 | eval c_time=strftime(T,"%m/%d/%y %H:%M:%S")

 index=_audit action=edit_user operation=edit OR operation=create
 | stats min(timestamp) as "created" by object
 | rename object as user
 | inputlookup append=t inactiveusers.csv
 | sort -created
 | dedup user
 | outputlookup inactiveusers.csv

 index=oss 
 | stats count latest(_time) as lt by kevent.Records{}.eventSourceARN 
 | eval secondsAgo=now() - lt 
 | table  kevent.Records{}.eventSourceARN count secondsAgo 
 | sort -secondsAgo

 index="staging" 
 |  eval topic=if(isnull(name),sourcetype,name)  
 | stats count by topic
	index="iptv_sol_cdn_ats" \| stats count by _raw

	index="staging" NOT name="*" sourcetype=DownloadSessionEvent \| af classfield=status

	index=iptv_* index !=cdn
	\| eval diff= (_indextime - _time)/1000
	\| bin diff bins=20
	\| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
	\|eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")
	\| stats count by index diff

	index="iptv_sol_cdn_ats" sourcetype="custom_ats_2" pssc=200
	\| rex field=host "ats(?<CDN_Type>[^\-]+)\-(?<Site>[^\-]+)\-"
	\| stats count by ttms Site

	index=iptv_* index !=cdn
	\| eval diff= (_indextime - _time)/1000
	\| bin diff bins=20
	\| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
	\|eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")
	\| stats count by index diff

	\| tstats count where index=iptv_* by index _time span=1m
	\| stats count max(_time) as T by index
	\| eval c_time=strftime(T,"%m/%d/%y %H:%M:%S")

	index=_audit action=edit_user operation=edit OR operation=create
	\| stats min(timestamp) as "created" by object
	\| rename object as user
	\| inputlookup append=t inactiveusers.csv
	\| sort -created
	\| dedup user
	\| outputlookup inactiveusers.csv

	index=oss
	\| stats count latest(_time) as lt by kevent.Records{}.eventSourceARN
	\| eval secondsAgo=now() - lt
	\| table kevent.Records{}.eventSourceARN count secondsAgo
	\| sort -secondsAgo

	index="staging"
	\| eval topic=if(isnull(name),sourcetype,name)
	\| stats count by topic