🩺 Auditing & Health Checks

index=_internal sourcetype=scheduler   host=YOURHOST* OR host=YOUROTHERHOST* app=SplunkEnterpriseSecuritySuite status=success 
| timechart span=1m count by savedsearch_name limit=200

index=_audit   sourcetype=audittrail (host=YOURHOST* OR host=YOUROTHERHOST* ) savedsearch_name!="" action=search app=SplunkEnterpriseSecuritySuite NOT info=granted (savedsearch_name="access *" OR savedsearch_name="endpoint *" OR savedsearch_name="threat *" OR savedsearch_name="network *" OR savedsearch_name="identity *" OR savedsearch_name="audit *")
| stats  avg(total_run_time) as avg_runtime, count(eval(info="bad_request")) as bad_request, count(eval(info="failed")) as failed, count(eval(info="completed")) as completed,by savedsearch_name 
| eval avg_runtime=round(avg_runtime,2)
| timechart avg(total_run_time)

index=_audit   sourcetype=audittrail (host=YOURHOST* OR host=YOUROTHERHOST* ) savedsearch_name!="" action=search app=SplunkEnterpriseSecuritySuite NOT info=granted (savedsearch_name="access *" OR savedsearch_name="endpoint *" OR savedsearch_name="threat *" OR savedsearch_name="network *" OR savedsearch_name="identity *" OR savedsearch_name="audit *")
| stats  avg(total_run_time) as avg_runtime, count(eval(info="bad_request")) as bad_request, count(eval(info="failed")) as failed, count(eval(info="completed")) as completed,by savedsearch_name 
| eval avg_runtime=round(avg_runtime,2)

index=notable sourcetype=stash 
| eval search_name=replace(search_name," - Rule", "")
| timechart count by search_name limit=100

index=notable sourcetype=stash 
| eval search_name=replace(search_name," - Rule", "")
| timechart span=1h count by search_name limit=100

index=risk sourcetype=stash 
| eval search_name=replace(search_name," - Rule", "")
| timechart count by search_name limit=100