#   Version 9.2.2.20240415
[Errors in the last 24 hours]
search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
dispatch.earliest_time = -1d

[Errors in the last hour]
search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
dispatch.earliest_time = -1h

[Messages by minute last 3 hours]
search = index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series
dispatch.earliest_time = -3h
displayview = report_builder_display

[Splunk errors last 24 hours]
search = index=_internal " error " NOT debug source=*splunkd.log*
dispatch.earliest_time = -24h

[Orphaned scheduled searches]
search = | rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0 \
| search orphan=1 disabled=0 is_scheduled=1 \
| eval status = if(disabled = 0, "enabled", "disabled") \
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions \
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

# For license usage report dashboard
[License Usage Data Cube]
dispatch.earliest_time = -31d
dispatch.latest_time = -0d
auto_summarize = 0
auto_summarize.dispatch.earliest_time = -1mon@d
auto_summarize.cron_schedule = 3,13,23,33,43,53 * * * *
search = index=_internal source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx

# For bucket merger
[Bucket Merge Retrieve Conf Settings]
search = | rest services/data/indexes datatype=all \
| search disabled!=1 AND bucketMerging=1 \
| dedup title \
| fields title bucketMerging bucketMerge.minMergeSizeMB bucketMerge.maxMergeSizeMB bucketMerge.maxMergeTimeSpanSecs bucketMerge.minMergeCount bucketMerge.maxMergeCount