Monday, June 29, 2015

Splunk useful commands

put cluster in maintenance mode

$SPLUNK_HOME/bin/splunk enable maintenance-mode

rolling restart

splunk rolling-restart cluster-peers

Daily License volume by host

index=_internal source=*license_usage.log type=Usage
 | stats sum(b) as bytes by h
 | eval MB = round(bytes/1024/1024,1)
 | fields h MB
 | rename h as host

Find AD account lockout status in Splunk

EventCode=4740 Account_Name=<account name>
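
Added example (not from the original post): a small Python script that reproduces, offline, what the two searches above do, so the field semantics are visible without a Splunk instance. It assumes license_usage.log carries key=value pairs where type="Usage", h is the reporting host and b is the byte count (what the stats/eval pipeline sums and converts to MB), and that Windows Security events reach Splunk with EventCode, Account_Name and Caller_Computer_Name extracted; the log lines below are constructed sample data, not real records.

```python
import re
from collections import defaultdict

# Matches key=value pairs where the value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Return the key=value fields of one line as a dict (quotes stripped)."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


# Constructed license_usage.log lines; the layout mirrors Splunk's key=value
# style but every host, index and byte count is made up.
SAMPLE_LICENSE_LOG = """\
06-29-2015 00:00:05.000 +0000 INFO  LicenseUsage - type="Usage" s="udp:514" st="syslog" h="web01" idx="main" pool="auto_generated_pool_enterprise" b=1572864
06-29-2015 00:00:05.000 +0000 INFO  LicenseUsage - type="Usage" s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" idx="wineventlog" pool="auto_generated_pool_enterprise" b=5242880
06-29-2015 00:00:05.000 +0000 INFO  LicenseUsage - type="RolloverSummary" b=99999999
06-29-2015 00:01:05.000 +0000 INFO  LicenseUsage - type="Usage" s="udp:514" st="syslog" h="web01" idx="main" pool="auto_generated_pool_enterprise" b=524288
"""


def daily_license_mb_by_host(log_text):
    """Same result as the SPL: keep type=Usage, sum b by h, convert to MB (1 decimal).
    RolloverSummary lines are skipped, as they would be by the type=Usage filter."""
    bytes_by_host = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f.get("type") != "Usage" or "h" not in f or "b" not in f:
            continue
        bytes_by_host[f["h"]] += int(f["b"])
    return {host: round(b / 1024 / 1024, 1) for host, b in bytes_by_host.items()}


# Constructed Windows Security events in the extracted key=value form Splunk
# exposes; 4625 = failed logon, 4740 = account locked out, 4767 = account unlocked.
SAMPLE_SECURITY_EVENTS = """\
EventCode=4625 Account_Name=jdoe Workstation_Name=WS-0123 Failure_Reason="Unknown user name or bad password."
EventCode=4740 Account_Name=jdoe Caller_Computer_Name=WS-0123
EventCode=4767 Account_Name=jdoe
EventCode=4740 Account_Name=svc_backup Caller_Computer_Name=APP-07
EventCode=4740 Account_Name=jdoe Caller_Computer_Name=WS-0123
"""


def account_lockouts(events_text, account=None):
    """Count EventCode=4740 records per (Account_Name, Caller_Computer_Name).

    account=<name> mirrors the search above; account=None reports every locked
    account, which is the view an analyst wants when hunting for a lockout source.
    """
    counts = defaultdict(int)
    for line in events_text.splitlines():
        f = parse_kv(line)
        if f.get("EventCode") != "4740":
            continue
        if account is not None and f.get("Account_Name") != account:
            continue
        source = f.get("Caller_Computer_Name", "unknown")
        counts[(f.get("Account_Name"), source)] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, mb in sorted(daily_license_mb_by_host(SAMPLE_LICENSE_LOG).items()):
        print(f"{host}: {mb} MB")
    for (acct, src), n in account_lockouts(SAMPLE_SECURITY_EVENTS).items():
        print(f"{acct} locked out {n}x from {src}")
```

The Caller_Computer_Name field is what makes 4740 useful in practice: a lockout count by itself says an account is being hammered, while the caller name points at the workstation or service host whose stale credential (or an actual attacker) is generating the bad passwords.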