

| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed 6. Search History index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*" | fieldformat "Last use" = strftime('Last use', "%F %T.%Q") 5.

| chart sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user | search search!=*_internal* search!=*_audit* | stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id | eval user = if(user="n/a", null(), user) | eval search_id = if(isnull(search_id), id, search_id) Splunk users search activity index=_audit splunk_server=local action=search (id=* OR search_id=*) | stats count by Hostname version architecture 4. | eval Hostname=if(isnull(hostname), sourceHost,hostname),version=if(isnull(version),"pre 4.2",version),architecture=if(isnull(arch),"n/a",arch)

List of Forwarders Installed index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* | eventstats sum(b) as volume by idx, Date 3. License usage by index index=_internal source=*license_usage.log type="Usage" splunk_server=*
