I'm looking for a Splunk search to list all indexes that were not used by users for the last 30 days. I've tried the below query from audit logs, but it's not giving me accurate results. This query is only giving me a few indexes, but not all the indexes that we used. ...
./splunk bootstrap shcluster-captain -servers_list "https://192.168.2.148:8089,https://192.168.2.149:8089" -auth admin:1234.com

[monitor://E:YJMyunjm.log]
index = bm
sourcetype = all
disabled = 0
whitelist =
blacklist =

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autol...
How can you list all indexes and the time of their first indexed event? metadata seems to only show you the hosts, sources or sourcetypes. I can list all indexes with `| eventcount summarize=false index=* | dedup index | fields index`. Also tried something ...
To confirm that the index has been deleted, send a GET request to the `indexes` endpoint and check that the index is no longer present in the list of indexes. Or send a GET request to the `indexes/{name}` endpoint, which returns a message stating that the index is not found. ...
Delete all of the Splunk Enterprise log file events for the `REST_Calls` component from the `_internal` index by running the following search command: `index=_internal component=REST_Calls | delete` Splunk rates this vulnerability as a 4.9, Medium, with...
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series If we are having trouble with data input and we want a way to troubleshoot it, particularly if our whitelist/blacklist rules are not working the way we exp...
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: role-cnych
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"...
Fields are searchable name and value pairings that distinguish one event from another. Not all events have the same fields and field values. Using fields, you can write tailored searches to retrieve the specific events that you want. When Splunk software processes events at index-time and search-...
Even with a SmartStore index, some index data is temporarily stored locally, in the cache. However, except for hot buckets, the index's master copies of buckets are stored remotely. For the sake of simplicity, the list of storage options assumes the index's master copies when discussing stor...
index=main | stats dc(clientip) as f1, estdc(clientip) as f3

Compute percentiles: sourcetype=access_* | stats min(other), max(other), perc0(other), perc99(other), perc95(other) by action

upperperc, list vs values: sourcetype=access_* | head 10 | stats list(action), values(action)

Eval ...