androchentw · July 5, 2021 15:18
diff --git a/Fun Splunk Queries b/Fun Splunk Queries
 This is a Gist of useful Splunk Queries.
diff --git a/All indexes not explicitly granted to a role b/All indexes not explicitly granted to a role
 | rest /servicesNS/-/-/data/indexes count=0 
  | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title 
  | fillnull 
  | where internal=0 AND disabled=0 AND readonly=0 
  | fields title
  | rename title as index 
  | join index type=left 
    [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local 
      | fields title,srchIndexesAllowed 
      | rename srchIndexesAllowed as index title as role
      | mvexpand index 
      | where NOT match(index,".*\*.*")
    ]
  | search NOT role=*
  | fields index
diff --git a/Every index explicitly granted to a role b/Every index explicitly granted to a role
 | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local 
  | fields title,srchIndexesAllowed 
  | rename srchIndexesAllowed as index title as role
  | mvexpand index 
  | where NOT match(index,".*\*.*")
diff --git a/Parameterized query to get all indexes, or those available to a particular role, or named with a certain name b/Parameterized query to get all indexes, or those available to a particular role, or named with a certain name
 | rest /servicesNS/-/-/data/indexes count=0 
  | rename title as index 
  | search index=$indexName$ AND 
    [
      rest /servicesNS/-/-/authorization/roles/$roleName$ splunk_server=local 
      | appendpipe 
        [
          stats count 
          | eval srchIndexesAllowed="*" 
          | where count=0 
        ] 
      | fields *srchIndexesAllowed 
      | eval index=mvappend(imported_srchIndexesAllowed,srchIndexesAllowed) 
      | fields index 
      | mvexpand index 
      | dedup index
    ] 
  | fillnull isReadOnly 
  | where disabled=0 AND isReadOnly=0 AND index!="_blocksignature" AND index!="_thefishbucket" AND NOT 
    [
      rest / splunk_server=local 
      | head 1 
      | fields splunk_server
    ] 
  | rename index as indexserver 
  | eval indexcombined=indexserver 
  | stats 
      sum(totalEventCount) as eventCountcombined, 
      list(totalEventCount) as eventCountserver, 
      sum(currentDBSizeMB) as sizeMBcombined, 
      list(currentDBSizeMB) as sizeMBserver, 
      max(maxTime) as maxTimecombined, 
      list(maxTime) as maxTimeserver, 
      min(minTime) as minTimecombined, 
      list(minTime) as minTimeserver, 
      list(splunk_server) as indexerserver 
    by indexcombined,indexserver
  | fields *$serverResults$ 
  | rename *$serverResults$ as *
  | table index, eventCount, sizeMB, maxTime, minTime, *
diff --git a/Splunk Objects With Perms granted to non-existent roles b/Splunk Objects With Perms granted to non-existent roles
 | rest /servicesNS/-/-/admin/directory count=0 splunk_server=local 
  | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title
  | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')
  | fields - eai:acl.perms.*
  | mvexpand perms
  | where perms!="*" AND NOT 
    [
      | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
        | fields title 
        | rename title as perms
    ]
	\| rest /servicesNS/-/-/data/indexes count=0
	\| stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title
	\| fillnull
	\| where internal=0 AND disabled=0 AND readonly=0
	\| fields title
	\| rename title as index
	\| join index type=left
	[ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
	\| fields title,srchIndexesAllowed
	\| rename srchIndexesAllowed as index title as role
	\| mvexpand index
	\| where NOT match(index,".\.*")
	]
	\| search NOT role=*
	\| fields index
	\| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
	\| fields title,srchIndexesAllowed
	\| rename srchIndexesAllowed as index title as role
	\| mvexpand index
	\| where NOT match(index,".\.*")
	\| rest /servicesNS/-/-/data/indexes count=0
	\| rename title as index
	\| search index=$indexName$ AND
	[
	rest /servicesNS/-/-/authorization/roles/$roleName$ splunk_server=local
	\| appendpipe
	[
	stats count
	\| eval srchIndexesAllowed="*"
	\| where count=0
	]
	\| fields *srchIndexesAllowed
	\| eval index=mvappend(imported_srchIndexesAllowed,srchIndexesAllowed)
	\| fields index
	\| mvexpand index
	\| dedup index
	]
	\| fillnull isReadOnly
	\| where disabled=0 AND isReadOnly=0 AND index!="_blocksignature" AND index!="_thefishbucket" AND NOT
	[
	rest / splunk_server=local
	\| head 1
	\| fields splunk_server
	]
	\| rename index as indexserver
	\| eval indexcombined=indexserver
	\| stats
	sum(totalEventCount) as eventCountcombined,
	list(totalEventCount) as eventCountserver,
	sum(currentDBSizeMB) as sizeMBcombined,
	list(currentDBSizeMB) as sizeMBserver,
	max(maxTime) as maxTimecombined,
	list(maxTime) as maxTimeserver,
	min(minTime) as minTimecombined,
	list(minTime) as minTimeserver,
	list(splunk_server) as indexerserver
	by indexcombined,indexserver
	\| fields *$serverResults$
	\| rename $serverResults$ as
	\| table index, eventCount, sizeMB, maxTime, minTime, *
	\| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local
	\| fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title
	\| eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')
	\| fields - eai:acl.perms.*
	\| mvexpand perms
	\| where perms!="*" AND NOT
	[
	\| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
	\| fields title
	\| rename title as perms
	]