Helpful Splunk Queries

Cowboy Denny

Here are some helpful queries I've used.


Show all hosts in an index

| tstats count where index=infra_network by index sourcetype host
| metadata type=hosts index=infra_network
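Building on the host-listing queries above, the following is an added example (not one of the author's queries) that flips the question from "which hosts exist" to "which hosts have gone quiet", since a log source that silently stops reporting is a gap in detection coverage. It assumes the same index name (infra_network) and uses a 24-hour silence threshold, which is an assumption to tune per environment.

```spl
| tstats count, latest(_time) as last_seen where index=infra_network by host
| eval hours_silent=round((now()-last_seen)/3600,1)
| where hours_silent > 24
| sort - hours_silent
| table host count last_seen hours_silent
```

Because tstats reads the index-time summaries rather than raw events, this runs quickly even over large indexes and is cheap enough to schedule as an alert; widen or narrow the time picker to control how far back a host must have appeared at all to be considered.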




Find audit log messages (this doesn't always work, since audit logs are not always sent to Splunk)

index=net_ops_prod_infoblox sourcetype="Infoblox:audit"


Find Mac-Address

index=net_ops_prod_infoblox "54:bf:64:a5:e0:82"


Find DNS entries

index=net_ops_prod_infoblox sourcetype="infoblox:dns"


Find DHCP entries

index=net_ops_prod_infoblox sourcetype="infoblox:dhcp"



Another way of listing the hosts in an index, here broken down by F5 BIG-IP instance

index=infra_network host=* sourcetype=f5:bigip:syslog | stats count by host instance | stats list(count) list(instance) by host


More coming


