My current troubleshooting method is to search by sourcetype, lay the results out in a table, and then look at specific fields.
sourcetype=haproxy* api/v1/workspace | table _time,backend*,Tr,Tc,Tw,bytes,status,uri_path
Charting HAProxy server response time (Tr) for a specific API over time
sourcetype=haproxy* api/v1/workspace | bucket _time span=5m | stats avg(Tr) as avg_Tr by _time
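The two searches above, reproduced offline as an added example (this is not code from the original page): a small parser for HAProxy's default httplog line format that extracts the Tq/Tw/Tc/Tr/Tt timers, filters on the URI path the way the free-text search term does, and then both builds the table and computes the 5-minute bucketed average of Tr. The log lines, backend names and timings are constructed for the example; the regex assumes the stock httplog layout and would need adjusting for a custom log-format.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in HAProxy's default "httplog" layout (not real traffic).
# After the backend/server token come Tq/Tw/Tc/Tr/Tt in milliseconds, then status and bytes.
SAMPLE_LOG = """\
10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in api_be/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 "GET /api/v1/workspace HTTP/1.1"
10.0.1.3:33318 [06/Feb/2009:12:16:02.100] http-in api_be/srv2 5/0/20/131/156 200 1200 - - ---- 1/1/1/1/0 0/0 "POST /api/v1/workspace HTTP/1.1"
10.0.1.6:33321 [06/Feb/2009:12:16:40.250] http-in api_be/srv1 6/0/22/89/117 200 980 - - ---- 1/1/1/1/0 0/0 "GET /api/v1/workspace HTTP/1.1"
10.0.1.4:33319 [06/Feb/2009:12:17:45.900] http-in static_be/srv1 1/0/2/4/7 200 512 - - ---- 1/1/1/1/0 0/0 "GET /index.html HTTP/1.1"
10.0.1.5:33320 [06/Feb/2009:12:21:10.000] http-in api_be/srv1 8/0/25/500/533 503 0 - - SH-- 1/1/1/1/0 0/0 "GET /api/v1/workspace/42 HTTP/1.1"
"""

# Stock httplog layout: client, [accept date], frontend, backend/server, timers, status, bytes, ..., "request"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) .*"(?P<method>\S+) (?P<uri_path>\S+) (?P<proto>\S+)"$'
)


def parse_line(line):
    """Parse one httplog line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    rec["_time"] = ts
    for key in ("Tq", "Tw", "Tc", "Tr", "Tt", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def search(lines, uri_substring="api/v1/workspace"):
    """Equivalent of the free-text term in `sourcetype=haproxy* api/v1/workspace`."""
    parsed = (parse_line(line) for line in lines if line.strip())
    return [r for r in parsed if r and uri_substring in r["uri_path"]]


def table(records, fields=("_time", "backend", "Tr", "Tc", "Tw", "bytes", "status", "uri_path")):
    """Equivalent of `| table _time,backend*,Tr,Tc,Tw,bytes,status,uri_path`."""
    return [{f: r[f] for f in fields} for r in records]


def avg_tr_by_bucket(records, span_seconds=300):
    """Equivalent of `| bucket _time span=5m | stats avg(Tr) as avg_Tr by _time`.

    Returns {bucket_start_iso: avg_Tr}, buckets aligned to multiples of span_seconds.
    """
    buckets = defaultdict(list)
    for r in records:
        epoch = int(r["_time"].timestamp())
        buckets[epoch - epoch % span_seconds].append(r["Tr"])
    return {
        datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"): sum(vals) / len(vals)
        for start, vals in sorted(buckets.items())
    }


if __name__ == "__main__":
    hits = search(SAMPLE_LOG.splitlines())
    for row in table(hits):
        print(row)
    print(avg_tr_by_bucket(hits))
```

The 503 line carries the `SH--` termination state, which is what you look for next when the Tr average for a bucket jumps: a spike in Tr together with server-side aborts usually points at the backend rather than the proxy.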
Locating locked-out Windows domain accounts
Finding the lockout events (EventCode 4740) for an account, and the computer the bad logons came from.
index=windows EventCode=4740 host=* Account_Name=myAdminAccount | table Caller_Computer_Name, ComputerName, Security_ID
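An added example (not from the original page) of the same lockout triage run over exported events: it parses constructed 4740 records laid out as the key=value fields shown in the search, reproduces the `table` for one account, and then goes one step further than the search by counting how many distinct accounts each Caller_Computer_Name has locked, which is the quick check for a single workstation locking many accounts. Hostnames, SIDs and timestamps are made up; the field names follow the search above. In real 4740 events Account_Name can carry both the subject and the target account, so on live data you may need to pick the target value first.

```python
from collections import defaultdict

# Constructed events in the key=value layout Splunk shows for Windows Security fields.
# Hosts, SIDs and times are invented for this example. 4767 is the "account unlocked" event.
SAMPLE_EVENTS = """\
_time=2024-03-01T08:01:10Z
EventCode=4740
ComputerName=dc01.corp.example
Account_Name=myAdminAccount
Caller_Computer_Name=WS-FINANCE-07
Security_ID=S-1-5-21-111-222-333-1105

_time=2024-03-01T08:03:42Z
EventCode=4740
ComputerName=dc02.corp.example
Account_Name=jdoe
Caller_Computer_Name=WS-FINANCE-07
Security_ID=S-1-5-21-111-222-333-1201

_time=2024-03-01T08:04:01Z
EventCode=4740
ComputerName=dc01.corp.example
Account_Name=asmith
Caller_Computer_Name=WS-FINANCE-07
Security_ID=S-1-5-21-111-222-333-1202

_time=2024-03-01T09:15:00Z
EventCode=4767
ComputerName=dc01.corp.example
Account_Name=jdoe
Security_ID=S-1-5-21-111-222-333-1201

_time=2024-03-01T11:30:12Z
EventCode=4740
ComputerName=dc02.corp.example
Account_Name=myAdminAccount
Caller_Computer_Name=LAPTOP-ADMIN-01
Security_ID=S-1-5-21-111-222-333-1105
"""


def parse_events(text):
    """Split blank-line separated key=value blocks into a list of dicts."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        events.append(current)
    return events


def lockouts_for(events, account_name):
    """Equivalent of: EventCode=4740 Account_Name=<name> | table Caller_Computer_Name, ComputerName, Security_ID"""
    return [
        {k: e.get(k) for k in ("_time", "Caller_Computer_Name", "ComputerName", "Security_ID")}
        for e in events
        if e.get("EventCode") == "4740" and e.get("Account_Name") == account_name
    ]


def lockouts_by_caller(events, threshold=3):
    """Distinct accounts locked per calling computer; keep callers at or above threshold."""
    accounts = defaultdict(set)
    for e in events:
        if e.get("EventCode") == "4740" and "Caller_Computer_Name" in e:
            accounts[e["Caller_Computer_Name"]].add(e.get("Account_Name"))
    return {caller: len(names) for caller, names in accounts.items() if len(names) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for row in lockouts_for(evs, "myAdminAccount"):
        print(row)
    print(lockouts_by_caller(evs))
```

The same caller-level summary in Splunk is the search above with `| stats dc(Account_Name) as locked_accounts by Caller_Computer_Name` in place of the `table`; the threshold is the only thing you tune.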
Get a list of all indexes
| eventcount summarize=false index=* | dedup index | fields index
Use the oneshot command to ingest a directory
for i in *; do
  /opt/splunkforwarder/bin/splunk add oneshot "$i" -index iis -sourcetype "iis"
done
Get a distinct count of a field's values
index=nginx source=/var/www/somelog | stats dc(visitor_ip) as unique_visitors