This is an old revision of the document!


Splunk Queries

Count Events per Index

| tstats count WHERE index=* OR index=_* by index

List Indexes

| eventcount summarize=false index=* | dedup index | fields index

Events per Host / Index / Sourcetype

| tstats count as EVENTS_PER_HOST where index=* by index,sourcetype,host | table * | sort index

Ingestion by Index

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
| stats sum(b) as bytes by idx | eval mb=round(bytes/1024/1024,3)

Timechart

index=_internal sourcetype=splunkd source=*license_usage.log type=Usage 
     | timechart span=1d sum(b) as usage by idx limit=0 | foreach * [ eval "<<FIELD>>"=round('<<FIELD>>'/1024/1024,3)]

Export Lookup file

| inputlookup my_lookup.csv

List of Macros

| rest /servicesNS/-/-/admin/macros count=0
splunk-queries.1707818057.txt.gz · Last modified: 2024/02/13 10:54 by baumi