Splunk advanced search query examples
In this blog we show you the top 10 most used and familiar Splunk queries.

Roles and the indexes they may search (by role and by inheritance)

    | rest splunk_server=local /services/authorization/roles
    | fields - imported_roles
    | eval srchIndexesDefault=replace(srchIndexesDefault,"\*$"," ")
    | eval srchIndexesDefault=replace(srchIndexesDefault,"\*\s"," ")
    | eval srchIndexesAllowed=replace(srchIndexesAllowed,"\*$"," ")
    | eval srchIndexesAllowed=replace(srchIndexesAllowed,"\*\s"," ")
    [ | eval inheritedAllowed=if(idxtype="Invalid","",srchIndexesAllowed." (by ".ir.") ")
      | stats values(inheritedAllowed) as inheritedAllowed by ir ]
    | makemv allowempty=t srchIndexesDefault delim=" "
    | makemv allowempty=t srchIndexesAllowed delim=" "
    | makemv allowempty=t inheritedAllowed delim=" "
    | rename srchIndexesDefault AS "Searched by default", srchIndexesAllowed AS "AllowedIndexes by Role", inheritedAllowed AS "AllowedIndexes by Inheritance", imported_roles AS "Inherited Roles"

Users and their roles

    | rest splunk_server=local /services/authentication/users
    | rename title as username
    | mvexpand roles
    | table realname, username, roles, email

Advanced query for saved searches information

    index=_internal sourcetype=scheduler result_count
    | extract pairdelim=",", kvdelim="=", auto=f
    | stats avg(result_count) min(result_count) max(result_count), sparkline avg(run_time) min(run_time) max(run_time) sum(run_time) values(host) AS hosts count AS execution_count by savedsearch_name, app
      | fields title eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search
      | rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS Owner cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time" ]
    | rename savedsearch_name AS "Saved Search Name" search AS "SPL Query" app AS App
    | table "Saved Search Name", App, Owner, "SPL Query" "Cron Schedule" hosts, execution_count, sparkline, *(result_count), sum(run_time) *(run_time)

Search History

    index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"
    | stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed

Splunk users search activity

    index=_audit splunk_server=local action=search (id=* OR search_id=*)
    | eval search_id = if(isnull(search_id), id, search_id)
    | eval user = if(user="n/a", null(), user)
    | stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id
    | search search!=*_internal* search!=*_audit*
    | chart sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user
    | fieldformat "Last use" = strftime('Last use', "%F %T.%Q")

List of Forwarders Installed

    index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=*
    | eval Hostname=if(isnull(hostname), sourceHost, hostname), version=if(isnull(version), "pre 4.2", version), architecture=if(isnull(arch), "n/a", arch)
    | stats count by Hostname version architecture

License usage by index

    index=_internal source=*license_usage.log type="Usage" splunk_server=*
    | eventstats sum(b) as volume by idx, Date

List of Login attempts of Splunk local users

    Follow the query below to get the list of login attempts by Splunk local users using SPL.
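To make explicit what the search-history and search-activity queries above compute, here is an added Python example (not from the original post) that applies the same per-search_id collapse and the same exclusions (splunk-system-user, typeahead, _internal and _audit searches) to a few constructed audittrail lines; the log lines, user names and search_ids are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the Audit:[...] shape of index=_audit; every value is invented.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2024 10:00:00.000, user=alice, action=search, info=granted, search_id='1709287200.1', search='search index=main error', total_run_time=0.00]
Audit:[timestamp=03-01-2024 10:00:03.000, user=alice, action=search, info=completed, search_id='1709287200.1', search='search index=main error', total_run_time=2.50]
Audit:[timestamp=03-01-2024 10:05:00.000, user=bob, action=search, info=completed, search_id='1709287500.2', search='search index=_internal', total_run_time=7.00]
Audit:[timestamp=03-01-2024 10:06:00.000, user=bob, action=search, info=completed, search_id='1709287560.3', search='search index=web status=500', total_run_time=4.25]
Audit:[timestamp=03-01-2024 10:07:00.000, user=splunk-system-user, action=search, info=completed, search_id='1709287620.4', search='search index=main', total_run_time=1.00]
Audit:[timestamp=03-01-2024 10:08:00.000, user=alice, action=search, info=completed, search_id='1709287680.5', search=''typeahead index=', total_run_time=0.10]
"""

# Fields the audittrail sourcetype extracts; the search value is single-quoted and may itself contain quotes.
EVENT_RE = re.compile(
    r"timestamp=(?P<ts>[\d-]+ [\d:.]+), user=(?P<user>[^,]+), action=(?P<action>\w+), "
    r"info=\w+, search_id='(?P<sid>[^']+)', search='(?P<search>.*?)', total_run_time=(?P<rt>[\d.]+)"
)

def parse_audit(text):
    """One dict per search event (action=search), like the fields Splunk extracts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m and m["action"] == "search":
            events.append({"_time": datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f"),
                           "user": m["user"], "search_id": m["sid"],
                           "search": m["search"], "total_run_time": float(m["rt"])})
    return events

def search_activity_by_user(events):
    """Same aggregation as the SPL: collapse to one row per search_id, drop system/typeahead/
    internal searches, then sum run time, count searches and keep the last use per user."""
    per_sid = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        row = per_sid.setdefault(e["search_id"], dict(e))      # min(_time), first(user), first(search)
        row["total_run_time"] = max(row["total_run_time"], e["total_run_time"])  # max(total_run_time)
    by_user = defaultdict(lambda: {"Total search time": 0.0, "Search count": 0, "Last use": None})
    for row in per_sid.values():
        if row["user"] in ("n/a", "splunk-system-user") or row["search"].startswith("'typeahead"):
            continue                                            # user=n/a -> null(), NOT splunk-system-user, search!="'typeahead*"
        if "_internal" in row["search"] or "_audit" in row["search"]:
            continue                                            # search!=*_internal* search!=*_audit*
        u = by_user[row["user"]]
        u["Total search time"] += row["total_run_time"]
        u["Search count"] += 1
        if u["Last use"] is None or row["_time"] > u["Last use"]:
            u["Last use"] = row["_time"]                         # max(_time)
    return dict(by_user)
```

Splunk's first() picks by result order rather than by time, so the SPL may report a different user or search string for a search_id than this time-ordered version; the totals and counts are the same.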