Splunk_Docker/files/splunkbeta/etc/apps/search/default/savedsearches.conf

#   Version 9.2.2.20240415
[Errors in the last 24 hours]
search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
dispatch.earliest_time = -1d

[Errors in the last hour]
search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
dispatch.earliest_time = -1h

[Messages by minute last 3 hours]
search = index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series
dispatch.earliest_time = -3h
displayview = report_builder_display

[Splunk errors last 24 hours]
search = index=_internal " error " NOT debug source=*splunkd.log*
dispatch.earliest_time = -24h

[Orphaned scheduled searches]
search = | rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0 \
| search orphan=1 disabled=0 is_scheduled=1 \
| eval status = if(disabled = 0, "enabled", "disabled") \
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions \
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

# For license usage report dashboard
[License Usage Data Cube]
dispatch.earliest_time = -31d
dispatch.latest_time = -0d
auto_summarize = 0
auto_summarize.dispatch.earliest_time = -1mon@d
auto_summarize.cron_schedule = 3,13,23,33,43,53 * * * *
search = index=_internal source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx

# For bucket merger
[Bucket Merge Retrieve Conf Settings]
search = | rest services/data/indexes datatype=all \
| search disabled!=1 AND bucketMerging=1 \
| dedup title \
| fields title bucketMerging bucketMerge.minMergeSizeMB bucketMerge.maxMergeSizeMB bucketMerge.maxMergeTimeSpanSecs bucketMerge.minMergeCount bucketMerge.maxMergeCount
Inital Commit 5 months ago			`# Version 9.2.2.20240415`
			`[Errors in the last 24 hours]`
			`search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )`
			`dispatch.earliest_time = -1d`

			`[Errors in the last hour]`
			`search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )`
			`dispatch.earliest_time = -1h`

			`[Messages by minute last 3 hours]`
			`search = index=_internal source="metrics.log" eps "group=per_source_thruput" NOT filetracker \| eval events=epskb/kbps \| timechart fixedrange=t span=1m limit=5 sum(events) by series`
			`dispatch.earliest_time = -3h`
			`displayview = report_builder_display`

			`[Splunk errors last 24 hours]`
			`search = index=_internal " error " NOT debug source=splunkd.log`
			`dispatch.earliest_time = -24h`

			`[Orphaned scheduled searches]`
			`search = \| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0 \`
			`\| search orphan=1 disabled=0 is_scheduled=1 \`
			`\| eval status = if(disabled = 0, "enabled", "disabled") \`
			`\| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions \`
			`\| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing`

			`# For license usage report dashboard`
			`[License Usage Data Cube]`
			`dispatch.earliest_time = -31d`
			`dispatch.latest_time = -0d`
			`auto_summarize = 0`
			`auto_summarize.dispatch.earliest_time = -1mon@d`
			`auto_summarize.cron_schedule = 3,13,23,33,43,53 * * * *`
			`search = index=_internal source=license_usage.log type="Usage" \| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) \| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) \| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) \| bin _time span=1d \| stats sum(b) as b by _time, pool, s, st, h, idx`

			`# For bucket merger`
			`[Bucket Merge Retrieve Conf Settings]`
			`search = \| rest services/data/indexes datatype=all \`
			`\| search disabled!=1 AND bucketMerging=1 \`
			`\| dedup title \`
			`\| fields title bucketMerging bucketMerge.minMergeSizeMB bucketMerge.maxMergeSizeMB bucketMerge.maxMergeTimeSpanSecs bucketMerge.minMergeCount bucketMerge.maxMergeCount`