https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501321#M8421 <P>Latest /search 20 /option none /option&gt;option name="rowNumbers"&gt;falsetrue</P> Wed, 05 Feb 2020 07:38:42 GMT ritchierich 2020-02-05T07:38:42Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501319#M8419 <P>Hi ,<BR /> I am trying to print user active from directory </P> <P>Splunk active/inactive users</P> <PRE><CODE>&lt;input type="radio" token="active_account"&gt; &lt;label&gt;Active accounts&lt;/label&gt; &lt;choice value="*"&gt;all&lt;/choice&gt; &lt;choice value="1"&gt;active&lt;/choice&gt; &lt;choice value="0"&gt;inactive&lt;/choice&gt; &lt;default&gt;1&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="user_field" searchWhenChanged="true"&gt; &lt;label&gt;User:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="role_field" searchWhenChanged="true"&gt; &lt;label&gt;Role:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| rest /services/authentication/users | dedup title | rename title as user | eval firstHit=0 | eval lastHit=0 | eval active=1 | table user, firstHit, lastHit, roles, active | inputlookup append=true splunk_users | eval user=if(isnull(_key), user, _key) | stats max(firstHit) as firstHit, max(lastHit) as lastHit, values(roles) as roles, max(active) as active by user | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstHit) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(lastHit) | eval active=if(active==1, active, 0) | search user="$user_field$" | search active=$active_account$ | search roles="$role_field$"&lt;/query&gt; &lt;earliest&gt;-15m@m&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;option name="rowNumbers"&gt;true&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="count"&gt;100&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; </CODE></PRE> <P>User/Role/Index Management</P> <PRE><CODE>&lt;panel&gt; &lt;title&gt;Splunk indexes with corresponding roles&lt;/title&gt; &lt;input type="radio" token="view_field1" searchWhenChanged="true"&gt; &lt;label&gt;View:&lt;/label&gt; &lt;choice value="| nomv index"&gt;One line&lt;/choice&gt; &lt;choice value=""&gt;Human readable (currently not working)&lt;/choice&gt; &lt;default&gt;| nomv index&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="role_field1" searchWhenChanged="true"&gt; &lt;label&gt;Role:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="index_field1"&gt; &lt;label&gt;Index:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| inputlookup admin_role_indexes </CODE></PRE> <P>| eval index = mvappend(srchIndexesAllowed, imported_srchIndexesAllowed) | fields role, index $view_field1$ | search role=$role_field1$ | search index=$index_field1$<BR /> | dedup role<BR /> | rex field=index max_match=200 "(?&lt;idx&gt;\w+)"<BR /> | lookup admin_indexes_data_owners index as idx<BR /> | stats values(index) as index, values(data_owner) as data_owner by role<BR /> <EARLIEST>-15m@m</EARLIEST><BR /> <LATEST>now</LATEST><BR /> <BR /> 20<BR /> none<BR /> none<BR /> false<BR /> true<BR /> <BR /> </P> <PRE><CODE>&lt;panel&gt; &lt;title&gt;Splunk users details&lt;/title&gt; &lt;input type="radio" token="view_field2" searchWhenChanged="true"&gt; &lt;label&gt;View:&lt;/label&gt; &lt;choice value="| nomv index | nomv role"&gt;One line&lt;/choice&gt; &lt;choice value=""&gt;Human readable (currently not working)&lt;/choice&gt; &lt;default&gt;| nomv index | nomv role&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="user_field2" searchWhenChanged="true"&gt; &lt;label&gt;User:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="role_field2" searchWhenChanged="true"&gt; &lt;label&gt;Role:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="index_field2"&gt; &lt;label&gt;Index:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| inputlookup admin_user_index_role | rename roles as role $view_field2$ | search user=$user_field2$ | search role=$role_field2$ | search index=$index_field2$ | lookup splunk_users _key as user OUTPUT lastHit as last_seen| eval user=if(isnull(_key), user, _key) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(last_seen) | table user, last_seen, index, role | eval last_seen=if(isnull(last_seen), "never", last_seen)&lt;/query&gt; &lt;earliest&gt;-15m@m&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="count"&gt;20&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; </CODE></PRE> Wed, 30 Sep 2020 04:00:32 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501319#M8419 ritchierich 2020-09-30T04:00:32Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501320#M8420 <P>Latest 20nonefalsetrue</P> Wed, 05 Feb 2020 07:37:32 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501320#M8420 ritchierich 2020-02-05T07:37:32Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501321#M8421 <P>Latest /search 20 /option none /option&gt;option name="rowNumbers"&gt;falsetrue</P> Wed, 05 Feb 2020 07:38:42 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501321#M8421 ritchierich 2020-02-05T07:38:42Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501322#M8422 <P>Latest /searchoption name="count"20optionoption name="drill down"noneoptionoption name="rowNumbers"false/optionoption name="wrap"true/option/table/panel/row</P> Wed, 05 Feb 2020 07:40:48 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501322#M8422 ritchierich 2020-02-05T07:40:48Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501323#M8423 <P>Unpredictable data volume in Splunk indexes</P> <PRE><CODE>&lt;input type="radio" token="time_field"&gt; &lt;label&gt;Splunk data volume alerts:&lt;/label&gt; &lt;choice value="20"&gt;Yesterday&lt;/choice&gt; &lt;choice value="140"&gt;Last 7 days&lt;/choice&gt; &lt;choice value="600"&gt;Last 30 days&lt;/choice&gt; &lt;default&gt;20&lt;/default&gt; &lt;initialValue&gt;20&lt;/initialValue&gt; &lt;/input&gt; &lt;panel&gt; &lt;html&gt; &lt;h1&gt;Information:&lt;/h1&gt; &lt;div&gt; All &lt;font color="#d93f3c"&gt;critical&lt;/font&gt; alerts are monitored by &lt;a href="https://splunk.analytics.vodafone.com/en-US/app/analytics/alert?s=%2FservicesNS%2Fnobody%2Fanalytics%2Fsaved%2Fsearches%2FSplunk%2520Alert%2520-%2520Detected%2520unpredicted%2520data%2520volume%2520in%2520Splunk%2520indexes" target="_blank"&gt;Splunk Alert - Detected unpredicted data volume in Splunk indexes&lt;/a&gt; and sent to Operational Intelligence Team. &lt;/div&gt; &lt;div&gt; Please also visit &lt;a href="https://splunk.analytics.vodafone.com/en-US/app/analytics/admin_traffic_forecasts_teams_products" target="_blank"&gt;Traffic forecasts by teams/products&lt;/a&gt; dashboard for more details. &lt;/div&gt; &lt;/html&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Number of indexes with data volume alerts&lt;/title&gt; &lt;single&gt; &lt;search&gt; &lt;query&gt;index=splunk_internal_db source=splunk_internals_daily_load </CODE></PRE> <P>[ search index=splunk_internal_db source=splunk_internals_daily_load <BR /> | stats sum(usage) as usageMB by idx<BR /> | sort - usageMB<BR /> | head 20 | table idx ]<BR /> | bucket _time span=1d <BR /> | stats sum(eval(usage/1024)) as usage by _time, idx <BR /> | streamstats window=400 current=false mean(usage) as median_number by idx<BR /> | eval absDev=(abs(usage-median_number))<BR /> | streamstats window=400 current=false mean(absDev) as medianAbsDev by idx<BR /> | eval lowerBound=abs(median_number-medianAbsDev*3), upperBound=(median_number+medianAbsDev*3)<BR /> | eval upperBound=if((median_number/upperBound*100 &gt; 85) OR (median_number/upperBound*100 &lt; 75), median_number+median_number*0.15, upperBound)<BR /> | eval lowerBound=if(lowerBound/median_number*100 &gt; 95, median_number*0.90, lowerBound)<BR /> | eval isOutlier=if(usage &lt; lowerBound OR usage &gt; upperBound, 1, 0)<BR /> | eval priority=case(<BR /> isOutlier=1 AND usage&gt;50 AND usage&gt;upperBound, "1. critical",<BR /> isOutlier=1 AND usage&gt;20 AND usage&lt;50 AND usage&gt;lowerBound, "2. warning",<BR /> isOutlier=1, "3. low"<BR /> )<BR /> | stats max(isOutlier) as isOutlier, max(usage) as data_volume_GB, values(priority) as priority by _time, idx<BR /> | tail $time_field$</P> <P>| stats dc(idx) as number by priority<BR /> | where priority="1. critical" <BR /> | table number<BR /> <EARLIEST>-60d@d</EARLIEST><BR /> <LATEST>@d</LATEST><BR /> <BR /> block<BR /> ["0xd93f3c","0xd93f3c"]<BR /> [0]<BR /> critical<BR /> 1<BR /> <BR /> <SINGLE><BR /> <SEARCH><BR /> <QUERY>index=splunk_internal_db source=splunk_internals_daily_load <BR /> [ search index=splunk_internal_db source=splunk_internals_daily_load <BR /> | stats sum(usage) as usageMB by idx<BR /> | sort - usageMB<BR /> | head 20 | table idx ]<BR /> | bucket _time span=1d <BR /> | stats sum(eval(usage/1024)) as usage by _time, idx <BR /> | streamstats window=400 current=false mean(usage) as median_number by idx<BR /> | eval absDev=(abs(usage-median_number))<BR /> | streamstats window=400 current=false mean(absDev) as medianAbsDev by idx<BR /> | eval lowerBound=abs(median_number-medianAbsDev*3), upperBound=(median_number+medianAbsDev*3)<BR /> | eval upperBound=if((median_number/upperBound*100 &gt; 85) OR (median_number/upperBound*100 &lt; 75), median_number+median_number*0.15, upperBound)<BR /> | eval lowerBound=if(lowerBound/median_number*100 &gt; 95, median_number*0.90, lowerBound)<BR /> | eval isOutlier=if(usage &lt; lowerBound OR usage &gt; upperBound, 1, 0)<BR /> | eval priority=case(<BR /> isOutlier=1 AND usage&gt;50 AND usage&gt;upperBound, "1. critical",<BR /> isOutlier=1 AND usage&gt;20 AND usage&lt;50 AND usage&gt;lowerBound, "2. warning",<BR /> isOutlier=1, "3. low"<BR /> )<BR /> | stats max(isOutlier) as isOutlier, max(usage) as data_volume_GB, values(priority) as priority by _time, idx<BR /> | tail $time_field$<BR /> | stats dc(idx) as number by priority<BR /> | where priority="2. warning" <BR /> | fillnull value=0 number<BR /> | table number<BR /> <EARLIEST>-60d@d</EARLIEST><BR /> <LATEST>@d</LATEST><BR /> </QUERY><BR /> block<BR /> ["0xf7bc38","0xf7bc38"]<BR /> [0]<BR /> warning<BR /> 1<BR /> </SEARCH><BR /> <SINGLE><BR /> <SEARCH><BR /> <QUERY>index=splunk_internal_db source=splunk_internals_daily_load <BR /> [ search index=splunk_internal_db source=splunk_internals_daily_load <BR /> | stats sum(usage) as usageMB by idx<BR /> | sort - usageMB<BR /> | head 20 | table idx ]<BR /> | bucket _time span=1d <BR /> | stats sum(eval(usage/1024)) as usage by _time, idx <BR /> | streamstats window=400 current=false mean(usage) as median_number by idx<BR /> | eval absDev=(abs(usage-median_number))<BR /> | streamstats window=400 current=false mean(absDev) as medianAbsDev by idx<BR /> | eval lowerBound=abs(median_number-medianAbsDev*3), upperBound=(median_number+medianAbsDev*3)<BR /> | eval upperBound=if((median_number/upperBound*100 &gt; 85) OR (median_number/upperBound*100 &lt; 75), median_number+median_number*0.15, upperBound)<BR /> | eval lowerBound=if(lowerBound/median_number*100 &gt; 95, median_number*0.90, lowerBound)<BR /> | eval isOutlier=if(usage &lt; lowerBound OR usage &gt; upperBound, 1, 0)<BR /> | eval priority=case(<BR /> isOutlier=1 AND usage&gt;50 AND usage&gt;upperBound, "1. critical",<BR /> isOutlier=1 AND usage&gt;20 AND usage&lt;50 AND usage&gt;lowerBound, "2. warning",<BR /> isOutlier=1, "3. low"<BR /> )<BR /> | stats max(isOutlier) as isOutlier, max(usage) as data_volume_GB, values(priority) as priority by _time, idx<BR /> | tail $time_field$<BR /> | stats dc(idx) as number by priority<BR /> | where priority="3. low" <BR /> | table number<BR /> <EARLIEST>-60d@d</EARLIEST><BR /> <LATEST>@d</LATEST><BR /> </QUERY><BR /> block<BR /> ["0x6db7c6","0x6db7c6"]<BR /> [0]<BR /> low<BR /> 1<BR /> </SEARCH><BR /> </SINGLE></SINGLE></P> <PRE><CODE>&lt;panel&gt; &lt;table&gt; &lt;title&gt;Data volume alerts for Top 20 indexes (click for details)&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=splunk_internal_db source=splunk_internals_daily_load </CODE></PRE> <P>[ search index=splunk_internal_db source=splunk_internals_daily_load <BR /> | stats sum(usage) as usageMB by idx<BR /> | sort - usageMB<BR /> | head 20 | table idx ]<BR /> | bucket _time span=1d <BR /> | stats sum(eval(usage/1024)) as usage by _time, idx <BR /> | streamstats window=400 current=false mean(usage) as median_number by idx<BR /> | eval absDev=(abs(usage-median_number))<BR /> | streamstats window=400 current=false mean(absDev) as medianAbsDev by idx<BR /> | eval lowerBound=abs(median_number-medianAbsDev*3), upperBound=(median_number+medianAbsDev*3)<BR /> | eval upperBound=if((median_number/upperBound*100 &gt; 85) OR (median_number/upperBound*100 &lt; 75), median_number+median_number*0.15, upperBound)<BR /> | eval lowerBound=if(lowerBound/median_number*100 &gt; 95, median_number*0.90, lowerBound)<BR /> | eval isOutlier=if(usage &lt; lowerBound OR usage &gt; upperBound, 1, 0)<BR /> | eval priority=case(<BR /> isOutlier=1 AND usage&gt;50 AND usage&gt;upperBound, "1. critical",<BR /> isOutlier=1 AND usage&gt;20 AND usage&lt;50 AND usage&gt;lowerBound, "2. warning",<BR /> isOutlier=1, "3. low"<BR /> )<BR /> | stats max(isOutlier) as isOutlier, max(usage) as data_volume_GB, values(priority) as priority by _time, idx<BR /> | tail $time_field$<BR /> | search isOutlier&gt;0<BR /> | chart count over idx by priority<BR /> | sort - "1. critical", "2. warning", "3.low"<BR /> <EARLIEST>-60d@d</EARLIEST><BR /> <LATEST>@d</LATEST><BR /> <SAMPLERATIO>1</SAMPLERATIO><BR /> <BR /> 100<BR /> none<BR /> cell<BR /> false<BR /> false<BR /> false<BR /> true<BR /> <FORMAT type="color" field="1. critical"><BR /> <COLORPALETTE type="minMidMax" maxcolor="#D93F3C" mincolor="#65A637"></COLORPALETTE><BR /> <SCALE type="minMidMax" maxvalue="1" minvalue="0"></SCALE><BR /> </FORMAT><BR /> <FORMAT type="color" field="2. warning"><BR /> <COLORPALETTE type="minMidMax" maxcolor="#F7BC38" mincolor="#65A637"></COLORPALETTE><BR /> <SCALE type="minMidMax" maxvalue="1" minvalue="0"></SCALE><BR /> </FORMAT><BR /> <FORMAT type="color" field="3. low"><BR /> <COLORPALETTE type="minMidMax" maxcolor="#6DB7C6" mincolor="#65A637"></COLORPALETTE><BR /> <SCALE type="minMidMax" maxvalue="1" minvalue="0"></SCALE><BR /> </FORMAT><BR /> <DRILLDOWN><BR /> &lt;!-- Use set to specify the new token to be created.<BR /> Use any token from the page or from the click event to produce the value needed. --&gt;<BR /> <SET token="index_token">$row.idx|n$</SET><BR /> &lt;!-- If we also set the form.sourcetype the input will get updated too<BR /> <SET token="form.sourcetype">$row.sourcetype$</SET> --&gt;<BR /> </DRILLDOWN><BR /> <BR /> </P> <PRE><CODE>&lt;panel depends="$index_token$"&gt; &lt;viz type="Splunk_ML_Toolkit.OutliersViz"&gt; &lt;title&gt;Outlier detection for index=$index_token$ in last 60 days&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=splunk_internal_db source=splunk_internals_daily_load idx=$index_token$ </CODE></PRE> <P>| bucket _time span=1d <BR /> | stats sum(eval(usage/1024)) as usage by _time, idx <BR /> | streamstats window=20 current=false mean(usage) as median_number by idx<BR /> | eval absDev=(abs(usage-median_number))<BR /> | streamstats window=20 current=false mean(absDev) as medianAbsDev by idx<BR /> | eval lowerBound=abs(median_number-medianAbsDev*3), upperBound=(median_number+medianAbsDev*3)<BR /> | eval upperBound=if((median_number/upperBound*100 &gt; 85) OR (median_number/upperBound*100 &lt; 75), median_number+median_number*0.15, upperBound)<BR /> | eval lowerBound=if(lowerBound/median_number*100 &gt; 95, median_number*0.90, lowerBound)</P> <P>| eval isOutlier=if(usage &lt; lowerBound OR usage &gt; upperBound, 1, 0)</P> <P>| table _time, usage, lowerBound, upperBound, median_number, isOutlier<BR /> | rename usage as "data volume [GB]"<BR /> <EARLIEST>-60d@d</EARLIEST><BR /> <LATEST>@d</LATEST><BR /> <SAMPLERATIO>1</SAMPLERATIO><BR /> <BR /> true<BR /> <BR /> </P> <PRE><CODE>&lt;panel&gt; &lt;chart&gt; &lt;title&gt;Daily volume by sourcetype for index=$index_token$ in last 10 days&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_internal tag=LS source=*license_usage.log type=Usage idx=$index_token$ st=* </CODE></PRE> <P>| bucket _time span=1d<BR /> | stats sum(b) as "usage" by _time, st<BR /> | eval usage=round(usage/1024/1024/1024,2)<BR /> | timechart limit=30 span=1d max(usage) as usage by st<BR /> <EARLIEST>-10d@d</EARLIEST><BR /> <LATEST>@d</LATEST><BR /> <BR /> collapsed<BR /> GB/day<BR /> visible<BR /> line<BR /> 469<BR /> progressbar<BR /> <BR /> </P> Wed, 30 Sep 2020 04:03:23 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501323#M8423 ritchierich 2020-09-30T04:03:23Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501324#M8424 <P>dbinspect status about all indexes</P> <PRE><CODE>&lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| dbinspect index=* | stats sum(rawSize) as rawSize, sum(sizeOnDiskMB) as sizeOnDiskMB by index | eval rawSizeGB=round(rawSize/1024/1024/1024,2) | eval sizeOnDiskGB=round(sizeOnDiskMB/1024,2) | fields - rawSize, sizeOnDiskMB | accum rawSizeGB as totalRawSizeGB&lt;/query&gt; &lt;earliest&gt;0&lt;/earliest&gt; &lt;/search&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="count"&gt;100&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; </CODE></PRE> Thu, 06 Feb 2020 03:18:54 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501324#M8424 ritchierich 2020-02-06T03:18:54Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501325#M8425 <P>dbinspect status about all indexes</P> <PRE><CODE>&lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| dbinspect index=* | stats sum(rawSize) as rawSize, sum(sizeOnDiskMB) as sizeOnDiskMB by index | eval rawSizeGB=round(rawSize/1024/1024/1024,2) | eval sizeOnDiskGB=round(sizeOnDiskMB/1024,2) | fields - rawSize, sizeOnDiskMB | accum rawSizeGB as totalRawSizeGB&lt;/query&gt; &lt;earliest&gt;0&lt;/earliest&gt; &lt;/search&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="count"&gt;100&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; </CODE></PRE> Thu, 06 Feb 2020 03:24:53 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501325#M8425 ritchierich 2020-02-06T03:24:53Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501326#M8426 <P>Search Performance</P> <PRE><CODE>&lt;input type="time" token="field1" searchWhenChanged="true"&gt; &lt;label&gt;&lt;/label&gt; &lt;default&gt; &lt;earliest&gt;@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/default&gt; &lt;/input&gt; &lt;input type="checkbox" token="host_field" searchWhenChanged="true"&gt; &lt;label&gt;Search Head:&lt;/label&gt; &lt;choice value="tag=SHC"&gt;Search Head Cluster&lt;/choice&gt; &lt;choice value="tag=TSS_SH"&gt;TSS SHC&lt;/choice&gt; &lt;choice value="host=vgsp26hr"&gt;Support/Monitoring SH (vgsp26hr)&lt;/choice&gt; &lt;choice value="host=splunksh08.ena"&gt;SDP SH2 (splunksh08.ena)&lt;/choice&gt; &lt;choice value="host=now-ena-bac144"&gt;SDP DB export (now-ena-bac144)&lt;/choice&gt; &lt;choice value="host=now-bac806"&gt;Legacy SH (now-bac806.prd)&lt;/choice&gt; &lt;delimiter&gt; OR &lt;/delimiter&gt; &lt;default&gt;tag=SHC&lt;/default&gt; &lt;initialValue&gt;tag=SHC&lt;/initialValue&gt; &lt;/input&gt; &lt;panel&gt; &lt;chart&gt; &lt;title&gt;Number of ad-hoc searches per user (click for details)&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_audit $host_field$ action=search info=completed search search_id!='*scheduler_*' savedsearch_name="" OR savedsearch_name="search*" | top user limit=20&lt;/query&gt; &lt;earliest&gt;$field1.earliest$&lt;/earliest&gt; &lt;latest&gt;$field1.latest$&lt;/latest&gt; &lt;/search&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.overflowMode"&gt;ellipsisNone&lt;/option&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.rotation"&gt;0&lt;/option&gt; &lt;option name="charting.axisTitleX.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisTitleY.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisTitleY2.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisX.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY2.enabled"&gt;0&lt;/option&gt; &lt;option name="charting.axisY2.scale"&gt;inherit&lt;/option&gt; &lt;option name="charting.chart"&gt;bar&lt;/option&gt; &lt;option name="charting.chart.bubbleMaximumSize"&gt;50&lt;/option&gt; &lt;option name="charting.chart.bubbleMinimumSize"&gt;10&lt;/option&gt; &lt;option name="charting.chart.bubbleSizeBy"&gt;area&lt;/option&gt; &lt;option name="charting.chart.nullValueMode"&gt;gaps&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;all&lt;/option&gt; &lt;option name="charting.chart.sliceCollapsingThreshold"&gt;0.01&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;default&lt;/option&gt; &lt;option name="charting.chart.style"&gt;shiny&lt;/option&gt; &lt;option name="charting.drilldown"&gt;all&lt;/option&gt; &lt;option name="charting.layout.splitSeries"&gt;0&lt;/option&gt; &lt;option name="charting.layout.splitSeries.allowIndependentYRanges"&gt;0&lt;/option&gt; &lt;option name="charting.legend.labelStyle.overflowMode"&gt;ellipsisMiddle&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;right&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;drilldown&gt; &lt;!-- Use set to specify the new token to be created. Use any token from the page or from the click event to produce the value needed. --&gt; &lt;set token="drilldown_user_token"&gt;$row.user$&lt;/set&gt; &lt;!-- If we also set the form.sourcetype the input will get updated too &lt;set token="form.sourcetype"&gt;$row.sourcetype$&lt;/set&gt; --&gt; &lt;/drilldown&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;panel&gt; &lt;chart&gt; &lt;title&gt;Number of Dashboard vs Typed searches (last 24 hours)&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_audit $host_field$ action=search info=completed user=* search_id!="'scheduler*" </CODE></PRE> <P>| eval type=if(match('search_id',"^\'\d{10}..*'$"),"Typed","Dashboard") <BR /> | timechart span=1h c as "Total Searches" by type<BR /> <EARLIEST>-24h@h</EARLIEST><BR /> <LATEST>now</LATEST><BR /> <BR /> area<BR /> stacked<BR /> right<BR /> progressbar<BR /> <BR /> </P> <PRE><CODE>&lt;panel&gt; &lt;chart&gt; &lt;title&gt;Number of ad-hoc searches (last 3 days)&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_audit $host_field$ action=search info=completed search search_id!='*scheduler_*' search_id!='Summary*' savedsearch_name="" OR savedsearch_name="search*" | chart count by date_hour, date_mday&lt;/query&gt; &lt;earliest&gt;-2d@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;option name="charting.chart"&gt;column&lt;/option&gt; &lt;option name="charting.axisY2.enabled"&gt;0&lt;/option&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.overflowMode"&gt;ellipsisNone&lt;/option&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.rotation"&gt;0&lt;/option&gt; &lt;option name="charting.axisTitleX.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisTitleY.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisTitleY2.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisX.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY2.scale"&gt;inherit&lt;/option&gt; &lt;option name="charting.chart.bubbleMaximumSize"&gt;50&lt;/option&gt; &lt;option name="charting.chart.bubbleMinimumSize"&gt;10&lt;/option&gt; &lt;option name="charting.chart.bubbleSizeBy"&gt;area&lt;/option&gt; &lt;option name="charting.chart.nullValueMode"&gt;gaps&lt;/option&gt; &lt;option name="charting.chart.sliceCollapsingThreshold"&gt;0.01&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;default&lt;/option&gt; &lt;option name="charting.chart.style"&gt;shiny&lt;/option&gt; &lt;option name="charting.drilldown"&gt;all&lt;/option&gt; &lt;option name="charting.layout.splitSeries"&gt;0&lt;/option&gt; &lt;option name="charting.legend.labelStyle.overflowMode"&gt;ellipsisMiddle&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;right&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;none&lt;/option&gt; &lt;option name="charting.layout.splitSeries.allowIndependentYRanges"&gt;0&lt;/option&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;panel&gt; &lt;table id="detail" depends="$drilldown_user_token$"&gt; &lt;title&gt;Search details for $drilldown_user_token$&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_audit $host_field$ action=search (info=granted OR info=completed) search search_id!='*scheduler_*' savedsearch_name="" OR savedsearch_name="search*" user=$drilldown_user_token$ </CODE></PRE> <P>| eval span_mins=round((search_lt-search_et)/60,0)<BR /> | stats max(_time) as _time, values(search) as user_search, sum(total_run_time) as total_run_time, count(eval(info="completed")) as number, max(span_mins) as span_mins by search_id | where number&gt;0 | stats max(_time) as _time, median(total_run_time) as median_run_time, sum(total_run_time) as total_run_time, sum(number) as number, min(span_mins) as min_span_mins, max(span_mins) as max_span_mins by user_search | table _time, user_search, median_run_time, total_run_time, number, min_span_mins, max_span_mins | sort - _time<BR /> <EARLIEST>$field1.earliest$</EARLIEST><BR /> <LATEST>$field1.latest$</LATEST><BR /> <BR /> 20<BR /> none<BR /> none<BR /> true<BR /> true<BR /> <BR /> </P> <PRE><CODE>&lt;panel&gt; &lt;chart&gt; &lt;title&gt;Total run time of scheduled searches in hours&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_internal $host_field$ sourcetype=scheduler status="success" | timechart limit=30 sum(eval(run_time/3600)) as total_runtime by user&lt;/query&gt; &lt;earliest&gt;$field1.earliest$&lt;/earliest&gt; &lt;latest&gt;$field1.latest$&lt;/latest&gt; &lt;/search&gt; &lt;selection&gt; &lt;set token="selection.earliest"&gt;$start$&lt;/set&gt; &lt;set token="selection.latest"&gt;$end$&lt;/set&gt; &lt;/selection&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.overflowMode"&gt;ellipsisNone&lt;/option&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.rotation"&gt;0&lt;/option&gt; &lt;option name="charting.axisTitleX.visibility"&gt;collapsed&lt;/option&gt; &lt;option name="charting.axisTitleY.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisTitleY2.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisX.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY2.enabled"&gt;0&lt;/option&gt; &lt;option name="charting.axisY2.scale"&gt;inherit&lt;/option&gt; &lt;option name="charting.chart"&gt;area&lt;/option&gt; &lt;option name="charting.chart.bubbleMaximumSize"&gt;50&lt;/option&gt; &lt;option name="charting.chart.bubbleMinimumSize"&gt;10&lt;/option&gt; &lt;option name="charting.chart.bubbleSizeBy"&gt;area&lt;/option&gt; &lt;option name="charting.chart.nullValueMode"&gt;zero&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;none&lt;/option&gt; &lt;option name="charting.chart.sliceCollapsingThreshold"&gt;0.01&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;stacked&lt;/option&gt; &lt;option name="charting.chart.style"&gt;shiny&lt;/option&gt; &lt;option name="charting.drilldown"&gt;all&lt;/option&gt; &lt;option name="charting.layout.splitSeries"&gt;0&lt;/option&gt; &lt;option name="charting.layout.splitSeries.allowIndependentYRanges"&gt;0&lt;/option&gt; &lt;option name="charting.legend.labelStyle.overflowMode"&gt;ellipsisMiddle&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;right&lt;/option&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;panel&gt; &lt;input type="text" token="user_field"&gt; &lt;label&gt;User:&lt;/label&gt; &lt;default&gt;admin&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="pattern_field"&gt; &lt;label&gt;Pattern:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;table&gt; &lt;title&gt;Scheduled searches per user with status=success&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_internal $host_field$ sourcetype=scheduler status="success" user="$user_field$" $pattern_field$ | stats max(_time) as _time, mean(run_time) as mean_run_time_seconds, max(run_time) as max_run_time_seconds, count as number_of_jobs, sum(run_time) as total_run_time_seconds by savedsearch_name, user | eval total_run_time_hours=round(total_run_time_seconds/3600,2) | table savedsearch_name, user, _time, mean_run_time_seconds, max_run_time_seconds, number_of_jobs, total_run_time_seconds, total_run_time_hours&lt;/query&gt; &lt;earliest&gt;$field1.earliest$&lt;/earliest&gt; &lt;latest&gt;$field1.latest$&lt;/latest&gt; &lt;/search&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="list.drilldown"&gt;full&lt;/option&gt; &lt;option name="list.wrap"&gt;1&lt;/option&gt; &lt;option name="maxLines"&gt;5&lt;/option&gt; &lt;option name="raw.drilldown"&gt;full&lt;/option&gt; &lt;option name="table.drilldown"&gt;all&lt;/option&gt; &lt;option name="table.wrap"&gt;1&lt;/option&gt; &lt;option name="type"&gt;list&lt;/option&gt; &lt;option name="drilldown"&gt;cell&lt;/option&gt; &lt;option name="count"&gt;30&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;panel&gt; &lt;table&gt; &lt;title&gt;Heatmap with scheduled searches (status=*)&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_internal $host_field$ sourcetype=scheduler status=*| eval alert_actions = if(isnull(alert_actions) OR alert_actions == "", "none", alert_actions) | stats count values(reason) as reasons, values(concurrency_limit) as concurrency_limits by user, host, status | sort - count | eventstats sum(count) AS total | eval percent = round(count / total * 100, 2)." %" | fields - total | rename user as User, count as Count, percent as "Percent of Total"&lt;/query&gt; &lt;earliest&gt;$field1.earliest$&lt;/earliest&gt; &lt;latest&gt;$field1.latest$&lt;/latest&gt; &lt;/search&gt; &lt;option name="count"&gt;30&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;heatmap&lt;/option&gt; &lt;option name="drilldown"&gt;cell&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;format type="color" field="status"&gt; &lt;colorPalette type="map"&gt;{"continued":#F8BE34,"skipped":#F1813F}&lt;/colorPalette&gt; &lt;/format&gt; &lt;/table&gt; &lt;/panel&gt; &lt;panel&gt; &lt;chart&gt; &lt;title&gt;Total run time and number of scheduled searches (today/yesterday)&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_internal $host_field$ sourcetype=scheduler status="success" | timechart span=1h sum(eval(run_time/3600)) as total_runtime, count as total_jobs </CODE></PRE> <P>| eval total_runtime=round(total_runtime,2)<BR /> <EARLIEST>-1d@d</EARLIEST><BR /> <LATEST>@h</LATEST><BR /> <BR /> ellipsisNone<BR /> 0<BR /> collapsed<BR /> visible<BR /> visible<BR /> linear<BR /> linear<BR /> 1<BR /> inherit<BR /> column<BR /> 50<BR /> 10<BR /> area<BR /> gaps<BR /> total_jobs<BR /> none<BR /> 0.01<BR /> default<BR /> shiny<BR /> all<BR /> 0<BR /> 0<BR /> ellipsisMiddle<BR /> bottom<BR /> progressbar<BR /> <BR /> <BR /> <PANEL><BR /> <CHART><BR /> <TITLE>Frequency of hitting search concurrency limits</TITLE><BR /> <SEARCH><BR /> <QUERY>index=_internal tag=SHC OR tag=TSS_SH OR host=vgsp26hr sourcetype=scheduler status=continued OR status=skipped "The maximum number of concurrent historical scheduled searches on this cluster has been reached"<BR /> | timechart span=1m max(concurrency_limit) by host<BR /> <EARLIEST>$field1.earliest$</EARLIEST><BR /> <LATEST>$field1.latest$</LATEST><BR /> <SAMPLERATIO>1</SAMPLERATIO><BR /> </QUERY><BR /> ellipsisNone<BR /> 0<BR /> visible<BR /> visible<BR /> visible<BR /> none<BR /> linear<BR /> none<BR /> linear<BR /> none<BR /> 0<BR /> inherit<BR /> line<BR /> 50<BR /> 10<BR /> area<BR /> gaps<BR /> none<BR /> 0.01<BR /> default<BR /> shiny<BR /> none<BR /> 0<BR /> 0<BR /> ellipsisMiddle<BR /> standard<BR /> right<BR /> 2<BR /> progressbar<BR /> 0<BR /> 1<BR /> medium<BR /> </SEARCH><BR /> </CHART></PANEL></P> <PRE><CODE>&lt;panel&gt; &lt;chart&gt; &lt;title&gt;Search concurrency&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=_internal host=splunksh* OR tag=SHC OR host=vgsp26hr OR $host_field$ source="*metrics.log" "system total" search_concurrency | timechart max(active_hist_searches) as active_searches by host&lt;/query&gt; &lt;earliest&gt;$field1.earliest$&lt;/earliest&gt; &lt;latest&gt;$field1.latest$&lt;/latest&gt; &lt;/search&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.overflowMode"&gt;ellipsisNone&lt;/option&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.rotation"&gt;0&lt;/option&gt; &lt;option name="charting.axisTitleX.visibility"&gt;collapsed&lt;/option&gt; &lt;option name="charting.axisTitleY.text"&gt;Number of running searches&lt;/option&gt; &lt;option name="charting.axisTitleY.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisTitleY2.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisX.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY2.enabled"&gt;0&lt;/option&gt; &lt;option name="charting.axisY2.scale"&gt;inherit&lt;/option&gt; &lt;option name="charting.chart"&gt;area&lt;/option&gt; &lt;option name="charting.chart.bubbleMaximumSize"&gt;50&lt;/option&gt; &lt;option name="charting.chart.bubbleMinimumSize"&gt;10&lt;/option&gt; &lt;option name="charting.chart.bubbleSizeBy"&gt;area&lt;/option&gt; &lt;option name="charting.chart.nullValueMode"&gt;connect&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;none&lt;/option&gt; &lt;option name="charting.chart.sliceCollapsingThreshold"&gt;0.01&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;stacked&lt;/option&gt; &lt;option name="charting.chart.style"&gt;shiny&lt;/option&gt; &lt;option name="charting.drilldown"&gt;all&lt;/option&gt; &lt;option name="charting.layout.splitSeries"&gt;0&lt;/option&gt; &lt;option name="charting.layout.splitSeries.allowIndependentYRanges"&gt;0&lt;/option&gt; &lt;option name="charting.legend.labelStyle.overflowMode"&gt;ellipsisMiddle&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;bottom&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;panel&gt; &lt;title&gt;Top 50 memory consuming searches&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_introspection $host_field$ sourcetype=splunk_resource_usage data.search_props.sid::* </CODE></PRE> <P>| rename data.elapsed as elapsed, data.mem_used as mem_used, data.search_props.sid as sid, data.search_props.label as label, data.search_props.provenance as provenance, data.search_props.type as type, data.search_props.mode as mode, data.search_props.app as app, data.search_props.user as user<BR /> | fillnull value=missing label<BR /> | stats max(elapsed) as runtime max(mem_used) as mem_used earliest(_time) as _time by sid, label, provenance, type, mode, app, host, user<BR /> | eval mem_used = round(mem_used, 2) <BR /> | sort 50 - mem_used <BR /> | fields - day, hour, minute, second <BR /> | eval _time = strftime(_time,"%+") <BR /> | table label, mem_used, app, user, *<BR /> | rename sid as SID, label as "Search Name", provenance AS Provenance, type as Type, mode as Mode, app as App, search_head as "Search Head", user as User, mem_used as "Memory Usage (MB)", _time as Started, runtime as Runtime<BR /> <EARLIEST>$field1.earliest$</EARLIEST><BR /> <LATEST>$field1.latest$</LATEST><BR /> <BR /> 10<BR /> none<BR /> progressbar<BR /> <FORMAT type="color" field="Memory Usage (MB)"><BR /> <COLORPALETTE type="list">[#65A637,#F7BC38,#D93F3C]</COLORPALETTE><BR /> <SCALE type="threshold">500,5000</SCALE><BR /> </FORMAT><BR /> <BR /> </P> Wed, 30 Sep 2020 04:03:26 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501326#M8426 ritchierich 2020-09-30T04:03:26Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501327#M8427 <P>index="_internal" source="*license_usage.log" type=Usage | bin _time span=1d | stats sum(b) AS bytes by _time,idx | eval DailyGB=bytes/1024/1024/1024 | timechart sum(DailyGB) by idx span=1d</P> Wed, 30 Sep 2020 04:03:38 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501327#M8427 ritchierich 2020-09-30T04:03:38Z https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501328#M8428 <P>Monitor license usage<BR /> Use the foreach command to monitor license usage.</P> <P>First run the following search on the license master to return the daily license usage per sourcetype in bytes:</P> <P>index=_internal source=*license_usage.log type!="*Summary" earliest=-30d<BR /> | timechart span=1d sum(b) AS daily_bytes by st</P> <P>Use the foreach command to calculate the daily license usage in gigabytes for each field:</P> <P>index=_internal source=*license_usage.log type!="*Summary" earliest=-30d<BR /> | timechart span=1d sum(b) AS daily_bytes by st<BR /> | foreach * [eval &lt;&gt;='&lt;&gt;'/1024/1024/1024]</P> Wed, 30 Sep 2020 04:03:59 GMT https://community.splunk.com/t5/Monitoring-Splunk/Use-activity/m-p/501328#M8428 ritchierich 2020-09-30T04:03:59Z