androchentw · July 5, 2021 15:18 · Jun 20, 2014 · Jun 15, 2014 · Jun 15, 2014 · Jun 10, 2014
diff --git a/Average Splunk Web requests by hour b/Average Splunk Web requests by hour
@@ -0,0 +1,19 @@
+index=_internal sourcetype=splunk_web_access 
+  [
+    rest / splunk_server=local 
+    | fields splunk_server 
+    | rename splunk_server as host
+  ] 
+  | bin _time span=1d 
+  | stats count by date_hour _time 
+  | appendpipe 
+    [
+      fields _time 
+      | dedup _time 
+      | eval date_hour=mvrange(0,24,1) 
+      | eval count=0 
+      | mvexpand date_hour
+    ] 
+  | stats sum(count) as count by date_hour _time 
+  | stats avg(count) as avg by date_hour 
+  | sort date_hour
diff --git a/...to get all indexes, or those available to a particular role, or named with a certain name b/...to get all indexes, or those available to a particular role, or named with a certain name
@@ -1,40 +1,46 @@
 | rest /servicesNS/-/-/data/indexes count=0 
-  | rename title as index 
-  | search index=$indexName$ AND 
-    [
-      rest /servicesNS/-/-/authorization/roles/$roleName$ splunk_server=local 
-      | appendpipe 
-        [
-          stats count 
-          | eval srchIndexesAllowed="*" 
-          | where count=0 
-        ] 
-      | fields *srchIndexesAllowed 
-      | eval index=mvappend(imported_srchIndexesAllowed,srchIndexesAllowed) 
-      | fields index 
-      | mvexpand index 
-      | dedup index
-    ] 
-  | fillnull isReadOnly 
-  | where disabled=0 AND isReadOnly=0 AND index!="_blocksignature" AND index!="_thefishbucket" AND NOT 
-    [
-      rest / splunk_server=local 
-      | head 1 
-      | fields splunk_server
-    ] 
-  | rename index as indexserver 
-  | eval indexcombined=indexserver 
-  | stats 
-      sum(totalEventCount) as eventCountcombined, 
-      list(totalEventCount) as eventCountserver, 
-      sum(currentDBSizeMB) as sizeMBcombined, 
-      list(currentDBSizeMB) as sizeMBserver, 
-      max(maxTime) as maxTimecombined, 
-      list(maxTime) as maxTimeserver, 
-      min(minTime) as minTimecombined, 
-      list(minTime) as minTimeserver, 
-      list(splunk_server) as indexerserver 
-    by indexcombined,indexserver
-  | fields *$serverResults$ 
-  | rename *$serverResults$ as *
-  | table index, eventCount, sizeMB, maxTime, minTime, *
+| rename title as index 
+| search index=$indexName$ [
+    rest /servicesNS/-/-/authorization/roles/ splunk_server=local 
+    | search [
+        rest / splunk_server=local 
+        | head 1 
+        | fields - * 
+        | eval title=split("$roleName$",";") 
+        | mvexpand title
+      ] 
+    | where "$roleName$"!="*" 
+    | append [
+        rest / splunk_server=local 
+        | head 1 
+        | fields - * 
+        | eval srchIndexesAllowed=split("*;_*",";")
+        | where "$roleName$"="*"
+      ] 
+    | eval index=mvappend(imported_srchIndexesAllowed,srchIndexesAllowed) 
+    | fields index 
+    | mvexpand index 
+    | dedup index
+    | eval isInternal=case(index="*",0)
+  ]
+| fillnull isReadOnly 
+| where disabled=0 AND isReadOnly=0 AND index!="_blocksignature" AND index!="_thefishbucket" AND NOT [
+    rest / splunk_server=local 
+    | head 1 
+    | fields splunk_server
+  ] 
+| stats 
+    sum(totalEventCount) as eventCountcombined, 
+    list(totalEventCount) as eventCountserver, 
+    sum(currentDBSizeMB) as sizeMBcombined, 
+    list(currentDBSizeMB) as sizeMBserver, 
+    max(maxTime) as maxTimecombined, 
+    list(maxTime) as maxTimeserver, 
+    min(minTime) as minTimecombined, 
+    list(minTime) as minTimeserver, 
+    list(splunk_server) as indexerserver 
+  by index
+| rename index as index$serverResults$
+| fields *$serverResults$
+| rename *$serverResults$ as *
+| table index, eventCount,sizeMB,maxTime,minTime,*
diff --git a/...to get all indexes, or those available to a particular role, or named with a certain name b/...to get all indexes, or those available to a particular role, or named with a certain name
@@ -0,0 +1,40 @@
+| rest /servicesNS/-/-/data/indexes count=0 
+  | rename title as index 
+  | search index=$indexName$ AND 
+    [
+      rest /servicesNS/-/-/authorization/roles/$roleName$ splunk_server=local 
+      | appendpipe 
+        [
+          stats count 
+          | eval srchIndexesAllowed="*" 
+          | where count=0 
+        ] 
+      | fields *srchIndexesAllowed 
+      | eval index=mvappend(imported_srchIndexesAllowed,srchIndexesAllowed) 
+      | fields index 
+      | mvexpand index 
+      | dedup index
+    ] 
+  | fillnull isReadOnly 
+  | where disabled=0 AND isReadOnly=0 AND index!="_blocksignature" AND index!="_thefishbucket" AND NOT 
+    [
+      rest / splunk_server=local 
+      | head 1 
+      | fields splunk_server
+    ] 
+  | rename index as indexserver 
+  | eval indexcombined=indexserver 
+  | stats 
+      sum(totalEventCount) as eventCountcombined, 
+      list(totalEventCount) as eventCountserver, 
+      sum(currentDBSizeMB) as sizeMBcombined, 
+      list(currentDBSizeMB) as sizeMBserver, 
+      max(maxTime) as maxTimecombined, 
+      list(maxTime) as maxTimeserver, 
+      min(minTime) as minTimecombined, 
+      list(minTime) as minTimeserver, 
+      list(splunk_server) as indexerserver 
+    by indexcombined,indexserver
+  | fields *$serverResults$ 
+  | rename *$serverResults$ as *
+  | table index, eventCount, sizeMB, maxTime, minTime, *
diff --git a/All indexes not explicitly granted to a role b/All indexes not explicitly granted to a role
@@ -11,4 +11,5 @@
       | mvexpand index 
       | where NOT match(index,".*\*.*")
     ]
-  | search NOT role=*
+  | search NOT role=*
+  | fields index
diff --git a/All indexes not explicitly granted to a role b/All indexes not explicitly granted to a role
@@ -1,5 +1,14 @@
-| rest /servicesNS/-/-/data/indexes count=0 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title | fillnull | where internal=0 AND disabled=0 AND readonly=0 | fields title | rename title as index | join index type=left [rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local 
-  | fields title,srchIndexesAllowed 
-  | rename srchIndexesAllowed as index title as role
-  | mvexpand index 
-  | where NOT match(index,".*\*.*")] | search NOT role=*
+| rest /servicesNS/-/-/data/indexes count=0 
+  | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title 
+  | fillnull 
+  | where internal=0 AND disabled=0 AND readonly=0 
+  | fields title
+  | rename title as index 
+  | join index type=left 
+    [ rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local 
+      | fields title,srchIndexesAllowed 
+      | rename srchIndexesAllowed as index title as role
+      | mvexpand index 
+      | where NOT match(index,".*\*.*")
+    ]
+  | search NOT role=*
diff --git a/All indexes not explicitly granted to a role b/All indexes not explicitly granted to a role
@@ -0,0 +1,5 @@
+| rest /servicesNS/-/-/data/indexes count=0 | stats max(isInternal) as internal, max(disabled) as disabled, max(isReadOnly) as readonly by title | fillnull | where internal=0 AND disabled=0 AND readonly=0 | fields title | rename title as index | join index type=left [rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local 
+  | fields title,srchIndexesAllowed 
+  | rename srchIndexesAllowed as index title as role
+  | mvexpand index 
+  | where NOT match(index,".*\*.*")] | search NOT role=*
diff --git a/Fun Splunk Queries b/Fun Splunk Queries
@@ -0,0 +1 @@
+This is a Gist of useful Splunk Queries.
diff --git a/Every index explicitly granted to a role b/Every index explicitly granted to a role
@@ -0,0 +1,5 @@
+| rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local 
+  | fields title,srchIndexesAllowed 
+  | rename srchIndexesAllowed as index title as role
+  | mvexpand index 
+  | where NOT match(index,".*\*.*")
diff --git a/Splunk Objects With Perms granted to non-existent roles b/Splunk Objects With Perms granted to non-existent roles
@@ -0,0 +1,11 @@
+| rest /servicesNS/-/-/admin/directory count=0 splunk_server=local 
+  | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title
+  | eval perms=mvappend('eai:acl.perms.read','eai:acl.perms.write')
+  | fields - eai:acl.perms.*
+  | mvexpand perms
+  | where perms!="*" AND NOT 
+    [
+      | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local
+        | fields title 
+        | rename title as perms
+    ]