====== Splunk Queries ======

===== Indexes & Events =====
==== List Indexes ====
<code>
| eventcount summarize=false index=* 
| dedup index 
| fields index
</code>
==== Count Events per Index ====
<code>
| tstats count WHERE index=* OR index=_* by index
</code>
<code>
| tstats count where index=<indexname> by _time host span=1h prestats=true
| timechart count span=1h
| addtotals
</code>
==== Events per Host / Index / Sourcetype ====
<code>
| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host 
| table * 
| sort by index
</code>

==== Ingestion by Index ====
<code>
index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
| stats sum(b) as bytes by idx | eval mb=round(bytes/1024/1024,3)
</code>

=== Timechart ===
<code>
index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
| timechart span=1d sum(b) as usage by idx limit=0 
| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]
</code>

==== Total Ingestion ====
<code>
index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
| timechart span=1d sum(b) as usage 
| eval gb=round(usage/1073741824,3) 
| table _time, gb
</code>

===== Lookups & Macros =====

==== Export Lookup file ====
<code>
| inputlookup my_lookup.csv
</code>

==== List of Macros ====
<code>
| rest /servicesNS/-/-/admin/macros count=0
</code>

{{tag>kb splunk}}