Splunk Internal Search Queries.txt

Troubleshooting search performance:
index=_internal sourcetype=splunkd component=SearchEvator
| stats avg(evalDuration) by search_id
| sort - avg(evalDuration)
Identifying slow searches:
index=_internal sourcetype=splunkd component=SearchPerformance search_id=*
| stats max(total_run_time) as MaxRunTime by search_id
| sort - MaxRunTime
| head 10
Troubleshooting indexers:
index=_internal sourcetype=splunkd component=TailingProcessor
| stats count by host, source, sourcetype
Troubleshooting forwarders:
index=_internal sourcetype=splunkd component=Forwarder host=*
| stats count by host, source, sourcetype
Troubleshooting license usage:
index=_internal sourcetype=splunkd component=LicenseUsage
| timechart sum(b) as volume by pool
Troubleshooting login failures:
index=_internal sourcetype=audittrail action=failure
| stats count by user, action, info
Monitoring resource usage by Splunk processes:
index=_introspection sourcetype=resource_usage data.processType=*
| stats avg(data.pctCPU) as AvgCPU, avg(data.pctMemory) as AvgMemory by data.processType
| sort - AvgCPU, -AvgMemory
Troubleshooting data input errors:
index=_internal sourcetype=splunkd component=ExecProcessor log_level=ERROR
| stats count by log_level, message
Identifying failed searches:
index=_audit action=search status=failure
| stats count by user, search, reason
| sort - count
Monitoring concurrent searches:
index=_internal sourcetype=scheduler status=success
| timechart count by user
Identifying indexing delays:
index=_internal sourcetype=splunkd component=TailingProcessor
| eval delay=(_indextime - _time)
| stats avg(delay) as AvgDelay, max(delay) as MaxDelay, min(delay) as MinDelay by source, sourcetype
| sort - AvgDelay
Monitoring search concurrency per user:
index=_audit action=search
| stats count by user, search_id
| sort - count
Troubleshooting search errors:
index=_internal sourcetype=splunkd component=SearchMessages log_level=ERROR
| stats count by log_level, message
Investigating missing data:
| tstats count where index=* by index, sourcetype
| sort - count
Identifying high disk usage by index:
| dbinspect index=*
| stats sum(sizeOnDiskMB) as totalSize by index
| sort - totalSize
Monitoring Splunk Web access:
index=_internal sourcetype=access_combined
| stats count by uri_path, status, user
| sort - count
Finding errors in index configuration:
index=_internal sourcetype=splunkd component=Indexes
| search log_level=ERROR
| stats count by log_level, message
Analyzing search head clustering activity:
index=_internal sourcetype=splunkd_search_head_cluster
| stats count by action, log_level
Identifying searches with high memory usage:
index=_internal sourcetype=splunk_resource_usage data.search_props.sid=*
| stats max(data.search_props.mem_used_mb) as MaxMemUsed by data.search_props.sid
| sort - MaxMemUsed
| head 10
Monitoring distributed search errors:
index=_internal sourcetype=distsearch component=DistSched log_level=ERROR
| stats count by log_level, message
Identifying skipped searches due to search concurrency limit:
index=_internal sourcetype=scheduler status=skipped
| stats count by app, user, search
Monitoring data ingestion rate:
index=_internal source=*/metrics.log* group=pipeline
| timechart span=1h sum(eval(eps*.001)) as IngestionRate
Finding searches with high disk usage:
index=_internal sourcetype=splunk_resource_usage data.search_props.sid=*
| stats max(data.search_props.disk_used_mb) as MaxDiskUsed by data.search_props.sid
| sort - MaxDiskUsed
| head 10
Investigating search head pooling activity:
index=_internal sourcetype=splunkd_shpooling
| stats count by log_level, message
Monitoring deployment server activity:
index=_internal sourcetype=splunkd_deploy_server
| stats count by log_level, message
Troubleshooting KV Store issues:
index=_internal sourcetype=splunkd component=kvstore log_level=ERROR
| stats count by log_level, message
Identifying top event types:
index=*
| stats count by eventtype
| sort - count
Analyzing indexer clustering activity:
index=_internal sourcetype=splunkd_indexer_cluster
| stats count by action, log_level
Monitoring search head cluster captain activity:
index=_internal sourcetype=splunkd_search_head_cluster component=SHCCaptain
| stats count by log_level, message
Identifying throttled searches:
index=_internal sourcetype=scheduler status=throttled
| stats count by app, user, search
Investigating bundle replication issues in search head cluster:
index=_internal sourcetype=splunkd_shcluster_replication
| stats count by log_level, message
Monitoring indexer cluster peer activity:
index=_internal sourcetype=splunkd_indexer_cluster component=IndexerClusterPeer
| stats count by log_level, message
Identifying rare sourcetypes:
index=*
| stats count by sourcetype
| sort count
Troubleshooting search head cluster member activity:
index=_internal sourcetype=splunkd_search_head_cluster component=SHCMember
| stats count by log_level, message
Finding real-time searches:
index=_audit action=search earliest=-1h
| search search=*rt*
| stats count by user, search
Analyzing search dispatch directory disk usage:
| rest splunk_server=local /services/server/status/resource-usage/dispatch_usage
| stats sum(size_on_disk) as DispatchSize by splunk_server
| sort - DispatchSize
Monitoring Universal Forwarder data throughput:
index=_internal source=*/metrics.log* group=tcpin_connections
| stats sum(eval(agg_size*.001)) as Throughput by hostname
| sort - Throughput
Troubleshooting search job failures:
index=_internal sourcetype=splunkd component=SearchJob status=failure
| stats count by log_level, message
Identifying users with the most scheduled searches:
index=_internal sourcetype=scheduler
| stats count by user
| sort - count
Investigating distributed search activity:
index=_internal sourcetype=distsearch component=DistSearch
| stats count by log_level, message
Identifying top data generating hosts:
index=*
| stats count by host
| sort - count
Monitoring search artifact disk usage:
| rest splunk_server=local /services/server/status/resource-usage/search_artifacts
| stats sum(size_on_disk) as ArtifactSize by splunk_server
| sort - ArtifactSize
Investigating search head cluster election activity:
index=_internal sourcetype=splunkd_search_head_cluster component=SHCElection
| stats count by log_level, message
Troubleshooting data model acceleration issues:
index=_internal sourcetype=splunkd component=DataModelAccelerator log_level=ERROR
| stats count by log_level, message
Monitoring heavy forwarder data throughput:
index=_internal source=*/metrics.log* group=tcpout_connections
| stats sum(eval(agg_size*.001)) as Throughput by hostname
| sort - Throughput
Identifying top sources by event count:
index=*
| stats count by source
| sort - count
Troubleshooting saved search failures:
index=_internal sourcetype=scheduler savedsearch_name=* status=failure
| stats count by savedsearch_name, reason
| sort - count
Monitoring average search run time per user:
index=_audit action=search
| stats avg(run_time) as AvgRunTime by user
| sort - AvgRunTime
Investigating search head cluster rolling restart activity:
index=_internal sourcetype=splunkd_search_head_cluster component=SHCRollingRestart
| stats count by log_level, message
Identifying top indexes by event count:
index=*
| stats count by index
| sort - count
Analyzing search head cluster manager activity:
index=_internal sourcetype=splunkd_search_head_cluster component=SHCManager
| stats count by log_level, message
Monitoring average search latency:
index=_audit action=search
| stats avg(latency) as AvgLatency by user
| sort - AvgLatency
Investigating indexer cluster master activity:
index=_internal sourcetype=splunkd_indexer_cluster component=IndexerClusterMaster
| stats count by log_level, message
Identifying searches with the longest run time:
index=_audit action=search
| stats max(run_time) as LongestRunTime by search
| sort - LongestRunTime
| head 10
Troubleshooting scripted input errors:
index=_internal sourcetype=script_runner log_level=ERROR
| stats count by log_level, message
Monitoring search head cluster member replication activity:
index=_internal sourcetype=splunkd_search_head_cluster component=SHCReplication
| stats count by log_level, message
Identifying top users by search count:
index=_audit action=search
| stats count by user
| sort - count
Analyzing Splunk Web server activity:
index=_internal sourcetype=splunk_web_service
| stats count by log_level, message
Investigating license manager activity:
index=_internal sourcetype=splunkd component=LicenseManager
| stats count by log_level, message
Identifying top search commands by usage:
index=_audit action=search
| rex field=search "(?<search_command>\\|\\s?[a-zA-Z]+)"
| stats count by search_command
| sort - count
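The rex pattern above is worth checking before trusting its counts. The following is an added Python example, not part of the original file, that runs the same regular expression over a few constructed `search` field values (assumed, not real audit data) and shows two behaviours a practitioner should know about: rex populates `search_command` from the first match only unless `max_match=0` is given, and the single optional `\s?` means a pipe followed by two spaces is not matched at all.

```python
import re

# Same pattern as the page's rex command. Inside an SPL double-quoted string the
# doubled backslashes are unescaped to \| and \s before the regex engine sees them.
SEARCH_COMMAND_RE = re.compile(r"(?P<search_command>\|\s?[a-zA-Z]+)")

# Constructed sample values of the _audit 'search' field (not captured from a real system).
SAMPLE_SEARCHES = [
    "search index=_internal sourcetype=splunkd | stats count by host | sort - count",
    "search index=_audit action=search | stats count by user",
    "| tstats count where index=* by index, sourcetype | sort - count",
    "search index=* |  stats count by source",   # two spaces after the pipe: no match
    "search index=web status=500",               # no pipe at all: no match
]


def first_command(search):
    """Mimic rex's default behaviour: only the first match fills search_command."""
    m = SEARCH_COMMAND_RE.search(search)
    return m.group("search_command") if m else None


def all_commands(search):
    """Mimic rex max_match=0: every pipe-prefixed command in the string is extracted."""
    return [m.group("search_command") for m in SEARCH_COMMAND_RE.finditer(search)]


def command_counts(searches, every_match=False):
    """Equivalent of '| stats count by search_command | sort - count'.

    Returns a dict ordered by descending count, then command name; the leading
    pipe and whitespace are stripped so '| stats' and '|stats' count as one command.
    """
    counts = {}
    for s in searches:
        found = all_commands(s) if every_match else [first_command(s)]
        for cmd in found:
            if cmd is None:
                continue
            name = cmd.lstrip("|").strip()
            counts[name] = counts.get(name, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    print("first match only :", command_counts(SAMPLE_SEARCHES))
    print("all matches      :", command_counts(SAMPLE_SEARCHES, every_match=True))
    print("double-space case:", first_command(SAMPLE_SEARCHES[3]))
```

With the first-match behaviour the tally is dominated by whatever command follows the first pipe (here `stats` and `tstats`), while extracting every match also surfaces `sort`; the double-spaced search contributes nothing either way. If the intent is to count all commands, the page's query needs `max_match=0` on the rex command and a `\s*` in place of `\s?`.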
Monitoring average search execution time:
index=_internal sourcetype=searches_admin
| stats avg(execution_time) as AvgExecutionTime by user
| sort - AvgExecutionTime
Investigating search scheduler activity:
index=_internal sourcetype=scheduler
| stats count by log_level, message
Identifying most frequent search errors:
index=_internal sourcetype=search_messages log_level=ERROR
| top limit=10 message
Monitoring app server activity:
index=_internal sourcetype=splunk_app_server
| stats count by log_level, message
Identifying most recent search errors:
index=_internal sourcetype=search_messages log_level=ERROR
| table _time, message
| sort - _time
Troubleshooting REST API errors:
index=_internal sourcetype=splunkd_rest_access status!=200
| stats count by status, uri_path
| sort - count
Monitoring search concurrency by app:
index=_audit action=search
| stats count by app, search_id
| sort - count
Investigating search metadata activity:
index=_internal sourcetype=splunkd component=SearchMetadata
| stats count by log_level, message
Identifying most frequent failed searches:
index=_audit action=search status=failure
| top limit=10 search
Monitoring search concurrency by search type (adhoc, scheduled, or other):
index=_audit action=search
| eval search_type=if(isnull(savedsearch_name),"adhoc",if(savedsearch_name="scheduler","scheduled","other"))
| stats count by search_type, search_id
| sort - count