All Posts

Hello @whitecat001, try this:
index=_audit action="search" search="*" NOT user="splunk-system-user" savedsearch_name="" NOT search="'|history*" NOT search="'typeahead*" | rex "index=(?P<myIndex>\w+)" | stats count by myIndex
Was able to get this to give me one line for the non-critical pods' total missing count over time.
index=abc sourcetype=kubectl importance=non-critical | lookup pod_list pod_name_lookup as pod_name OUTPUT pod_name_lookup | append [inputlookup pod_list where importance = non-critical | rename pod_name_lookup as pod_name_all] | eventstats values(pod_name_all) as pod_name_all | where sourcetype == "kubectl" | timechart span=1h@h values(pod_name_lookup) as pod_name_lookup values(pod_name_all) as pod_name_all | eval missing = mvappend(missing, mvmap(pod_name_all, if(pod_name_all IN (pod_name_lookup), null(), pod_name_all))) | timechart span=1h@h count(missing) as non-critical-pods-missing
Working towards the goal of being able to get another line for critical.
So I have the following setup and everything is good, but I want to kind of do a subsearch.
In the event, a sample: User-ABCDEF assigned Role-'READ' on Project-1234 to GHIJKL
Current SPL:
index="xxxx" "role-'WRITE'" OR "role-'READ'" | rex "User-(?<userid>[^,]*)" | rex "(?<resource>\w+)$" | eval userid=upper(userid) | stats c as Count latest(_time) as _time by userid
I get an output like this: ABCDEF ASSIGNED ROLE-'READ' ON PROJECT-1234 TO GHIJKL
What I want is to search on just the GHIJKL after it extracts, or should I just put it at the front so it only fetches that?
Hi, KVStore and CSV are considered internal, correct? Based on your experience, which one is the fastest? KVStore? Thanks
Maybe this is what you need. Note, as far as I know there are no fields that show the index used by a search, so you have to extract that from the SPL code, and index= can be all over the place in the code and also in macros, so it's tricky, but maybe this will work for you. This shows the count of searches by index_used:
| rest splunk_server=local /services/search/jobs | fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage | rename author AS user eai:acl.app AS app title AS search_code | rex field=search_code "(?<index_used>index\s*=\s*[^ ]+|index\s+IN|search\s*=\s*index=|search\s*=\s*inputlookup\s+in|index\s*=_\*)" | stats count(search_code) AS volume_of_searches_ran BY index_used | sort - volume_of_searches_ran
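As an added example that is not code from this thread, the following Python script does offline what the two SPL answers above (the _audit search with rex, and the REST search/jobs query with rex) do inside Splunk: it pulls the user and the search string out of _audit search events, applies the same exclusions (splunk-system-user, "| history" and typeahead searches) and counts, per index, how many searches referenced it. It also handles the forms a single `index=(\w+)` rex misses: quoted index values, `index IN (...)` lists and several index= clauses in one search. The audit events are constructed for the example and are not real data; as the answer above warns, index names hidden inside macros or saved-search names are not expanded here, so those still need a separate lookup against macros.conf or savedsearches.conf.

```python
"""Count which indexes Splunk searches reference, from _audit search events.

Added example, not code from the thread. The audit lines below are
constructed to look like index=_audit action=search events.
"""
import re
from collections import Counter

# Constructed sample audit events (not real data). Real events carry more
# fields; only user=, action= and search='...' matter here.
AUDIT_EVENTS = [
    "Audit:[timestamp=01-01-2024 10:00:00.000, user=alice, action=search, info=granted, search_id='1', search='search index=web sourcetype=access_combined status=500 | stats count', savedsearch_name=\"\"]",
    "Audit:[timestamp=01-01-2024 10:01:00.000, user=bob, action=search, info=granted, search_id='2', search='search index=\"os linux\" OR index=web | head 10', savedsearch_name=\"\"]",
    "Audit:[timestamp=01-01-2024 10:02:00.000, user=bob, action=search, info=granted, search_id='3', search='search index IN (web, proxy) earliest=-1h', savedsearch_name=\"\"]",
    "Audit:[timestamp=01-01-2024 10:03:00.000, user=splunk-system-user, action=search, info=granted, search_id='4', search='search index=_internal | stats count', savedsearch_name=\"\"]",
    "Audit:[timestamp=01-01-2024 10:04:00.000, user=carol, action=search, info=granted, search_id='5', search='| history', savedsearch_name=\"\"]",
    "Audit:[timestamp=01-01-2024 10:05:00.000, user=alice, action=search, info=granted, search_id='6', search='typeahead prefix=\"index=\" count=10', savedsearch_name=\"\"]",
]

# The search string is wrapped in single quotes and followed by ", " or "]".
SEARCH_FIELD = re.compile(r"\bsearch='(.*?)'(?:, |\])")
USER_FIELD = re.compile(r"\buser=([^,\]]+)")

# index=value, index="value", index='value'; the value may not contain
# whitespace, a pipe or parentheses unless it is quoted.
INDEX_EQ = re.compile(r"""\bindex\s*=\s*("([^"]*)"|'([^']*)'|([^\s|()]+))""", re.IGNORECASE)
# index IN (a, "b c", ...)
INDEX_IN = re.compile(r"\bindex\s+IN\s*\(([^)]*)\)", re.IGNORECASE)


def parse_audit_event(line):
    """Return (user, spl) for an action=search audit event, else None."""
    if "action=search" not in line:
        return None
    user = USER_FIELD.search(line)
    search = SEARCH_FIELD.search(line)
    if not user or not search:
        return None
    return user.group(1).strip(), search.group(1)


def extract_indexes(spl):
    """Return every index name referenced by index=... or index IN (...).

    A NOT index=foo clause is still reported as a reference to foo, because
    the search scanned that index to exclude it; macros are not expanded.
    """
    found = []
    for m in INDEX_EQ.finditer(spl):
        value = next(g for g in (m.group(2), m.group(3), m.group(4)) if g is not None)
        found.append(value)
    for m in INDEX_IN.finditer(spl):
        for token in m.group(1).split(","):
            token = token.strip().strip("\"'")
            if token:
                found.append(token)
    return found


def is_noise_search(spl):
    """Mirror the NOT clauses of the SPL answer: drop | history and typeahead."""
    body = spl.lstrip().lstrip("|").lstrip().lower()
    return body.startswith("history") or body.startswith("typeahead")


def count_searches_by_index(lines, exclude_users=("splunk-system-user",)):
    """Number of distinct searches that referenced each index."""
    counts = Counter()
    for line in lines:
        parsed = parse_audit_event(line)
        if parsed is None:
            continue
        user, spl = parsed
        if user in exclude_users or is_noise_search(spl):
            continue
        # A search that names the same index twice counts once for that index.
        for index_name in set(extract_indexes(spl)):
            counts[index_name] += 1
    return counts


if __name__ == "__main__":
    for index_name, n in count_searches_by_index(AUDIT_EVENTS).most_common():
        print(f"{index_name}\t{n}")
```

On the constructed events this reports web 3, os linux 1, proxy 1; the _internal search is dropped with its system user, and the history and typeahead searches are skipped before any index is extracted, which also avoids the false hit from `prefix="index="` in the typeahead request.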
Hi @Pablo.Jaña, Does this help: https://docs.appdynamics.com/appd/onprem/23.x/23.11/en/extend-appdynamics/appdynamics-apis/create-central-identity-user-api
Thanks for the response. Can I get a query that helps show how many searches have been run per index volume?
The TA for Genesys Cloud log ingestion can be installed from: https://github.com/SplunkBAUG/CCA/blob/main/TA_genesys_cloud-1.0.14.spl
And the app for visualization is "Genesys Cloud Operational Analytics App".
Assuming you can still be dependent on column names, you should go back to pre-transpose and add the following:
| eval row=mvrange(0,3) | mvexpand row | eval column=mvindex(split("search_name,ID,Time",","),row) | eval new_row=case(row=0,search_name,row=1,ID,row=2,Time) | table column new_row
For running jobs, try this from the GUI; see the link for the curl-based CLI command:
| rest splunk_server=local /services/search/jobs | fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage | rename author AS user eai:acl.app AS app title AS search_code | eval diskUsage_MB = round(diskUsage/1024/1024,2) | table user search_code, updated, search, runDuration, provenance, latestTime, owner, app diskUsage_MB
Here's the REST API reference and others: https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTsearch#search.2Fjobs
Please, what is the REST endpoint for searches that users are running?
I want a query that shows the total volume of indexes used for Splunk searches. Query on information that has to do with how much indexes are used based on Splunk searches.
What indexes are used the most in Splunk searches?
I want to know the total volume of indexes used for Splunk searches. Query on information that has to do with how much indexes are used based on Splunk searches.
Hi @whitecat001, sorry, it isn't so clear: do you want the amount of data of each search, or to know which indexes are used in each search, or what else? Ciao. Giuseppe
I want to know how much volume of index is used for Splunk searches.
Hi @whitecat001, do you want the list of saved searches, the list of run searches, or what else? Could you better detail your request? Ciao. Giuseppe
Hi, I've a similar use case, but to get the second and last Saturdays. I tried to use your search but couldn't get there. Can you please help me with that? TIA
Can I get a query that will find searches that users are running in Splunk?
Unfortunately the dataset is old and can't be changed. I'd be happy if the fields had a decent naming pattern.