https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394385#M41656 <P>Thanks, these queries all work</P> <P>except for</P> <PRE><CODE>splunkShuttingDown </CODE></PRE> <P>which is not a thing, at least in 7.2.0</P> Thu, 02 Jan 2020 20:21:36 GMT nick405060 2020-01-02T20:21:36Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394380#M41651 <P>Hi folks,</P> <P>I want to setup a dashboard to track Splunk activities. I need to know how to track who restarted Splunk via both UI and audit logs in Splunk Dashboard?</P> <P>Thanks in-advance.</P> Wed, 09 May 2018 15:32:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394380#M41651 mbasharat 2018-05-09T15:32:43Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394381#M41652 <P>hello there,</P> <P>check the _internal index for <CODE>"splunkd started"</CODE> or <CODE>"(build"</CODE><BR /> many answers here about that, here are couple examples:<BR /> <A href="https://answers.splunk.com/answers/242618/how-to-count-the-number-of-times-splunk-is-restart.html">https://answers.splunk.com/answers/242618/how-to-count-the-number-of-times-splunk-is-restart.html</A><BR /> <A href="https://answers.splunk.com/answers/105128/how-to-determine-how-long-splunk-has-been-up.html">https://answers.splunk.com/answers/105128/how-to-determine-how-long-splunk-has-been-up.html</A></P> <P>hope it helps</P> Wed, 09 May 2018 15:42:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394381#M41652 adonio 2018-05-09T15:42:32Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394382#M41653 <P>Thanks Adonio, is there a way to populate them in a clean list from events. I see my own name in that event and I never started it!</P> Wed, 09 May 2018 18:09:15 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394382#M41653 mbasharat 2018-05-09T18:09:15Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394383#M41654 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/86891">@mbasharat</a></P> <P>Please use these searches</P> <P>index=_audit action=restart_splunkd | stats c by user<BR /> index=_audit action=splunkStarting<BR /> index=_audit action=splunkShuttingDown</P> <P>for UI restart its writes in Splunkd_stdout.log </P> <P>index=_internal sourcetype=splunkd_stdout</P> <P>Thanks </P> Tue, 29 Sep 2020 19:30:38 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394383#M41654 PowerPacked 2020-09-29T19:30:38Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394384#M41655 <P>THANK YOU!!</P> Thu, 10 May 2018 01:17:02 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394384#M41655 mbasharat 2018-05-10T01:17:02Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394385#M41656 <P>Thanks, these queries all work</P> <P>except for</P> <PRE><CODE>splunkShuttingDown </CODE></PRE> <P>which is not a thing, at least in 7.2.0</P> Thu, 02 Jan 2020 20:21:36 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394385#M41656 nick405060 2020-01-02T20:21:36Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394386#M41657 <P>Splunk Restart Dashboard</P> <PRE><CODE>&lt;form theme="dark"&gt; &lt;label&gt;Splunk Restarts&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="time" token="time" searchWhenChanged="true"&gt; &lt;label&gt;Time Range&lt;/label&gt; &lt;default&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="host_include_pattern" searchWhenChanged="true"&gt; &lt;label&gt;Host Include Pattern (host1,host2)&lt;/label&gt; &lt;initialValue&gt;*&lt;/initialValue&gt; &lt;/input&gt; &lt;input type="text" token="host_exclude_pattern" searchWhenChanged="true"&gt; &lt;label&gt;Host Exclude Pattern&lt;/label&gt; &lt;default&gt;null&lt;/default&gt; &lt;prefix&gt;NOT host="*&lt;/prefix&gt; &lt;suffix&gt;*"&lt;/suffix&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Unique Instance Restarts&lt;/title&gt; &lt;single&gt; &lt;search&gt; &lt;query&gt;index=_internal sourcetype=splunkd source="*splunkd.log" "Splunkd starting" host IN ($host_include_pattern$) $host_exclude_pattern$ | stats dc(host)&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;refresh&gt;30s&lt;/refresh&gt; &lt;refreshType&gt;delay&lt;/refreshType&gt; &lt;/search&gt; &lt;option name="colorMode"&gt;block&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="rangeColors"&gt;["0x6db7c6","0x6db7c6"]&lt;/option&gt; &lt;option name="rangeValues"&gt;[0]&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;option name="trellis.enabled"&gt;0&lt;/option&gt; &lt;option name="trellis.scales.shared"&gt;1&lt;/option&gt; &lt;option name="trellis.size"&gt;medium&lt;/option&gt; &lt;option name="useColors"&gt;1&lt;/option&gt; &lt;/single&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Host Restart Timeline&lt;/title&gt; &lt;chart&gt; &lt;search&gt; &lt;query&gt;index=_internal sourcetype=splunkd source="*splunkd.log" "Splunkd starting" host IN ($host_include_pattern$) $host_exclude_pattern$ | timechart limit=100 count by host&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;refresh&gt;30s&lt;/refresh&gt; &lt;refreshType&gt;delay&lt;/refreshType&gt; &lt;/search&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.overflowMode"&gt;ellipsisNone&lt;/option&gt; &lt;option name="charting.axisLabelsX.majorLabelStyle.rotation"&gt;0&lt;/option&gt; &lt;option name="charting.axisTitleX.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisTitleY.visibility"&gt;collapsed&lt;/option&gt; &lt;option name="charting.axisTitleY2.visibility"&gt;visible&lt;/option&gt; &lt;option name="charting.axisX.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY.scale"&gt;linear&lt;/option&gt; &lt;option name="charting.axisY2.enabled"&gt;0&lt;/option&gt; &lt;option name="charting.axisY2.scale"&gt;inherit&lt;/option&gt; &lt;option name="charting.chart"&gt;column&lt;/option&gt; &lt;option name="charting.chart.bubbleMaximumSize"&gt;50&lt;/option&gt; &lt;option name="charting.chart.bubbleMinimumSize"&gt;10&lt;/option&gt; &lt;option name="charting.chart.bubbleSizeBy"&gt;area&lt;/option&gt; &lt;option name="charting.chart.nullValueMode"&gt;gaps&lt;/option&gt; &lt;option name="charting.chart.showDataLabels"&gt;none&lt;/option&gt; &lt;option name="charting.chart.sliceCollapsingThreshold"&gt;0.01&lt;/option&gt; &lt;option name="charting.chart.stackMode"&gt;stacked&lt;/option&gt; &lt;option name="charting.chart.style"&gt;shiny&lt;/option&gt; &lt;option name="charting.drilldown"&gt;none&lt;/option&gt; &lt;option name="charting.layout.splitSeries"&gt;0&lt;/option&gt; &lt;option name="charting.layout.splitSeries.allowIndependentYRanges"&gt;0&lt;/option&gt; &lt;option name="charting.legend.labelStyle.overflowMode"&gt;ellipsisMiddle&lt;/option&gt; &lt;option name="charting.legend.placement"&gt;bottom&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;option name="trellis.enabled"&gt;0&lt;/option&gt; &lt;option name="trellis.scales.shared"&gt;1&lt;/option&gt; &lt;option name="trellis.size"&gt;medium&lt;/option&gt; &lt;/chart&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Events&lt;/title&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;index=_internal sourcetype=splunkd source="*splunkd.log" "Splunkd starting" host IN ($host_include_pattern$) $host_exclude_pattern$ | bucket _time span=5m | table _time host _raw | sort -_time | transaction _time | table _time host _raw&lt;/query&gt; &lt;earliest&gt;$time.earliest$&lt;/earliest&gt; &lt;latest&gt;$time.latest$&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;refresh&gt;30s&lt;/refresh&gt; &lt;refreshType&gt;delay&lt;/refreshType&gt; &lt;/search&gt; &lt;option name="count"&gt;20&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> Fri, 03 Jan 2020 02:05:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/394386#M41657 bandit 2020-01-03T02:05:05Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/519705#M41658 Nice. Thanks! Tue, 15 Sep 2020 14:22:12 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Restart-Tracking/m-p/519705#M41658 _smp_ 2020-09-15T14:22:12Z