Splunk join
In this blog we show the top 10 most used and familiar Splunk queries. Most of them are administrative and audit searches: they run against Splunk's own _internal and _audit indexes, or they pull configuration and account data through the | rest command (with splunk_server=local, so the REST call is answered by the search head instead of being fanned out to every search peer).

1. List of login attempts of Splunk local users

Follow the query below to get the list of login attempts by Splunk local users using SPL.

2. License usage by index

index=_internal source=*license_usage.log type="Usage" splunk_server=*
| eval Date=strftime(_time, "%Y/%m/%d")
| eventstats sum(b) as volume by idx, Date

type=Usage events in license_usage.log carry the indexed bytes (b) per index (idx). eventstats groups them by a Date field that license_usage.log does not carry, so it has to be derived from _time with eval first; the eventstats then gives the daily volume per index.

3. List of forwarders installed

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=*
| eval Hostname=if(isnull(hostname), sourceHost, hostname), version=if(isnull(version), "pre 4.2", version), architecture=if(isnull(arch), "n/a", arch)
| stats count by Hostname version architecture

Every indexer logs a group=tcpin_connections metrics entry for each forwarder connected to it. NOT eventType=* drops the connect and disconnect rows and keeps the periodic metrics rows. Forwarders older than 4.2 do not report hostname, version or arch, so the eval falls back to the connection's sourceHost and to placeholder values before counting.

4. Splunk users' search activity

index=_audit splunk_server=local action=search (id=* OR search_id=*)
| eval search_id = if(isnull(search_id), id, search_id)
| eval user = if(user="n/a", null(), user)
| stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id
| search search!=*_internal* search!=*_audit*
| chart sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user
| fieldformat "Last use" = strftime('Last use', "%F %T.%Q")

The audit trail emits several events for one search (granted, completed, and so on), some with search_id and some with only id, and some with user="n/a". The first eval unifies the two identifiers, the second turns "n/a" into null so that first(user) picks the real user from another event of the same search, and the stats collapses everything to one row per search_id. Only then are searches over _internal and _audit excluded and the totals charted per user. The fieldformat renders "Last use" as a timestamp with milliseconds.

5. Search history

index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"
| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed

splunk-system-user is excluded so that scheduled and internal searches do not show up, and typeahead lookups are excluded as well; the audit trail wraps the search string in single quotes, which is why the filter starts with a quote. SourcetypeUsed and IndexUsed are not native audittrail fields; they have to be extracted from the search string (for example with rex) before the stats.

6. Advanced query for saved searches information

index=_internal sourcetype=scheduler result_count
| extract pairdelim=",", kvdelim="=", auto=f
| stats avg(result_count) min(result_count) max(result_count), sparkline avg(run_time) min(run_time) max(run_time) sum(run_time) values(host) AS hosts count AS execution_count by savedsearch_name, app
... [ ...
    | fields title eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search
    | rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS Owner cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time" ]
| rename savedsearch_name AS "Saved Search Name" search AS "SPL Query" app AS App
| table "Saved Search Name", App, Owner, "SPL Query" "Cron Schedule" hosts, execution_count, sparkline, *(result_count), sum(run_time) *(run_time)

scheduler.log records one event per scheduled run with its result_count and run_time; extract with auto=f parses the comma-separated key=value pairs. The stats summarises the runs per saved search and app, and a subsearch against the REST API (its opening command is not preserved here) adds the owner, cron schedule, dispatch window and SPL text. Note that the subsearch's fields list does not keep eai:acl.app, so its rename to App is a no-op; App is supplied by the outer rename of app.

7. Which indexes each role can search, including indexes inherited from other roles

The start of this query (the main search and the command that opens the subsearch) is not preserved; the remaining pipeline is:

... [ | rest splunk_server=local /services/authorization/roles
    | fields - imported_roles
    | eval srchIndexesDefault=replace(srchIndexesDefault, "\*$", " ")
    | eval srchIndexesDefault=replace(srchIndexesDefault, "\*\s", " ")
    | eval srchIndexesAllowed=replace(srchIndexesAllowed, "\*$", " ")
    | eval srchIndexesAllowed=replace(srchIndexesAllowed, "\*\s", " ")
    ...
    | eval inheritedAllowed=if(idxtype="Invalid", "", srchIndexesAllowed." (by ".ir.") ")
    | stats values(inheritedAllowed) as inheritedAllowed by ir ]
| makemv allowempty=t srchIndexesDefault delim=" "
| makemv allowempty=t srchIndexesAllowed delim=" "
| makemv allowempty=t inheritedAllowed delim=" "
| rename srchIndexesDefault TO "Searched by default", srchIndexesAllowed TO "AllowedIndexes by Role", inheritedAllowed TO "AllowedIndexes by Inheritance", imported_roles TO "Inherited Roles"

The roles endpoint returns srchIndexesAllowed and srchIndexesDefault as space-separated lists; the replace() calls remove the "*" wildcard entries, and makemv turns the lists into multivalue fields. ir is the inherited role and idxtype the validity of the index name, both set in the part that is not preserved. This is the query to use for an access review: a role's own srchIndexesAllowed understates what it can search, because indexes allowed to any role it inherits are searchable too.

8. Splunk users and their roles

| rest splunk_server=local /services/authentication/users
| rename title as username
| mvexpand roles
| table realname, username, roles, email

roles is a multivalue field, so mvexpand produces one row per user and role pair, which is the shape wanted for a permissions review.

9. All props and transforms information in detail

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
| fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, title, eai:type, disabled
...
| eval props_sourcetype=if(st=attribute, "", st)

admin/directory lists every knowledge object together with its app, owner, sharing level and permissions, which makes it the quickest inventory of who can read or write which configuration. The steps that split a title into st and attribute are not preserved; the final eval blanks props_sourcetype when st equals attribute.

10. Field transforms with their regex and format

| rest /servicesNS/-/-/admin/transforms-extract count=0 splunk_server=local
| fields REGEX FORMAT disabled eai:acl.app title FIELDS

This lists every transforms.conf extraction stanza with its REGEX, FORMAT and FIELDS settings, the app that owns it and whether it is disabled.
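The search-activity query (item 4 above) is the one most often misread, because its stats runs per search_id before the chart runs per user. The following Python is an added example, not code from this blog or from Splunk: it applies the same stages to a handful of constructed audittrail-style events so the effect of each stage can be checked offline. The event dicts, their timestamps and the UTC rendering of "Last use" are assumptions of the example, not real Splunk output.

```python
"""Re-implementation of the 'Splunk users search activity' SPL pipeline in
plain Python, run over constructed audittrail-style events.

Added example: the events below are made up for illustration. In a real
deployment Splunk extracts the same fields (action, search_id/id, user,
search, total_run_time, _time) from index=_audit sourcetype=audittrail.
"""
from datetime import datetime, timezone

# Constructed sample events. A real audit.log emits several rows per search
# (granted, completed, ...); some rows carry user="n/a", some only "id".
SAMPLE_EVENTS = [
    {"_time": 1700000000, "action": "search", "search_id": "s1", "user": "alice",
     "search": "search index=web status=500", "total_run_time": 0.0},
    {"_time": 1700000003, "action": "search", "search_id": "s1", "user": "n/a",
     "search": "search index=web status=500", "total_run_time": 2.5},
    # only "id", no "search_id": the first eval falls back to id
    {"_time": 1700000010, "action": "search", "id": "s2", "user": "bob",
     "search": "search index=_internal sourcetype=splunkd", "total_run_time": 1.0},
    {"_time": 1700000020, "action": "search", "search_id": "s3", "user": "n/a",
     "search": "search index=auth action=failure", "total_run_time": 0.0},
    {"_time": 1700000025, "action": "search", "search_id": "s3", "user": "alice",
     "search": "search index=auth action=failure", "total_run_time": 4.0},
    {"_time": 1700000030, "action": "search", "search_id": "s4", "user": "carol",
     "search": "search index=auth user=* | stats count by user", "total_run_time": 7.0},
    # not a search at all: removed by the action=search filter
    {"_time": 1700000040, "action": "login attempt", "user": "dave", "info": "failed"},
]


def collapse_by_search_id(events):
    """action=search (id=* OR search_id=*)
    | eval search_id = if(isnull(search_id), id, search_id)
    | eval user = if(user="n/a", null(), user)
    | stats min(_time) first(user) max(total_run_time) first(search) by search_id
    | search search!=*_internal* search!=*_audit*
    Returns one row per search_id: a search that produced several audit rows
    is counted once, and its real user survives the "n/a" rows."""
    per_search = {}
    for ev in events:
        if ev.get("action") != "search":
            continue
        sid = ev.get("search_id") or ev.get("id")
        if sid is None:
            continue
        user = None if ev.get("user") == "n/a" else ev.get("user")
        row = per_search.setdefault(
            sid, {"_time": ev["_time"], "user": None, "total_run_time": 0.0, "search": None})
        row["_time"] = min(row["_time"], ev["_time"])
        if row["user"] is None:            # first(user) skips null values
            row["user"] = user
        row["total_run_time"] = max(row["total_run_time"], float(ev.get("total_run_time", 0.0)))
        if row["search"] is None:          # first(search)
            row["search"] = ev.get("search", "")
    # The "| search search!=*_internal* search!=*_audit*" step runs after the
    # stats, on the collapsed rows (case-insensitive substring match).
    return {sid: row for sid, row in per_search.items()
            if "_internal" not in row["search"].lower()
            and "_audit" not in row["search"].lower()}


def format_last_use(epoch):
    """fieldformat "Last use" = strftime('Last use', "%F %T.%Q").
    Rendered in UTC here; Splunk uses the searching user's timezone."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    millis = int(round(epoch * 1000)) % 1000
    return dt.strftime("%Y-%m-%d %H:%M:%S") + ".%03d" % millis


def search_activity_by_user(events):
    """chart sum(total_run_time) as "Total search time" count as "Search count"
    max(_time) as "Last use" by user.
    Rows whose user is still null are dropped, as chart ... by user does."""
    per_user = {}
    for row in collapse_by_search_id(events).values():
        if row["user"] is None:
            continue
        agg = per_user.setdefault(row["user"], {"Total search time": 0.0,
                                                "Search count": 0,
                                                "Last use": row["_time"]})
        agg["Total search time"] += row["total_run_time"]
        agg["Search count"] += 1
        agg["Last use"] = max(agg["Last use"], row["_time"])
    for agg in per_user.values():
        agg["Last use"] = format_last_use(agg["Last use"])
    return per_user


if __name__ == "__main__":
    for user, agg in sorted(search_activity_by_user(SAMPLE_EVENTS).items()):
        print(f'{user:<8} {agg["Total search time"]:>6.1f}s '
              f'{agg["Search count"]:>3} {agg["Last use"]}')
```

Running it shows alice with two searches and 6.5 s of run time even though four audit rows mention her searches (two of them as "n/a"), bob absent because his only search was over _internal, and dave absent because a login attempt is not action=search. Swap the filter and the stats and the counts change, which is the point the SPL ordering makes.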