#   Version 9.2.2.20240415
[audit_searchlocal]
definition = `audit_searchlocal("search_id!=rt_*")`

[audit_searchlocal(1)]
args = filter
definition = search index=_audit action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search $filter$

[audit_rexsearch]
definition = rex "search='(?<search>.*?)', autojoin"

[truncate_search]
definition = eval search=if(length(search) > 150, substr(search, 0, 150) + "...", search)

[comment(1)]
args = text
definition = ""
iseval = 1

[set_local_host]
definition = rest splunk_server=local /services/server/info | return host

[histperc(3)]
args = perc, hist_rate, le
definition = sort $le$\
| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets\
| eval rank=exact($perc$)*total_hist_rate\
| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate\
| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\
| where $hist_rate$ >= rank\
| head 1\
| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\
| fields res\
| rename res as "histperc"
iseval = 0
validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$)
errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries.

[histperc(4)]
args = perc, hist_rate, le, groupby
definition = sort $groupby$, $le$\
| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets by $groupby$\
| eval rank=exact($perc$)*total_hist_rate\
| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate by $groupby$\
| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\
| where $hist_rate$ >= rank\
| dedup $groupby$\
| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\
| fields $groupby$, res\
| rename res as "histperc"
iseval = 0
validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$) and isstr($groupby$)
errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries. 4th arg "groupby" must be a string with one or more field names, and must be quoted if there are multiple fields.