IngmarBoddington
12/4/2017 - 5:32 PM

Splunk

SPL = Splunk Processing Language

host="<host>"
source="<source>"
sourcetype="<sourcetype>"

* can be used as a wildcard
| used to chain filtering / commands / searches

Full Search Reference: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/WhatsInThisManual

dedup <field>
    Keep only the first result for each distinct value of <field> (later duplicates are dropped)
head <number>
    Show first <number> results
tail <number>
    Show last <number> results
reverse
    Reverse results
search <search>
    Filter the current results with a further search expression (same syntax as the initial search)
sort <field>
    Sort by <field> ascending
sort -<field>
    Sort by <field> descending
top [<count>] <field>
    Show the most common values of <field> with their count and percentage (default: 10 values)
timechart <stats-function>(<field>) [BY <field>]
    Show an aggregate per time bucket as a chart, optionally split into one series per value of the BY field

eval creates a new field (or overwrites an existing one) from an expression: arithmetic, string functions, conditionals such as if()
    e.g. eval var=10/5 | search secs
    The generated / calculated field is available to every later command in the pipeline

stats generates statistics over the result set (shown in the Statistics tab rather than as events); add BY <field> to group
  Function list: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/CommonStatsFunctions
  e.g. distinct_count(<field>) (alias dc), count, sum(<field>), min(<field>) / max(<field>)

rex can be used for regular expressions (PCRE syntax), in two modes:
    rex [field=<field>] ( <regex-expression> [max_match=<int>] [offset_field=<string>] ) | (mode=sed <sed-expression>)
    Extraction mode (default): each named capture group (?<name>...) becomes a new field on the event; _raw is used if no field is given
    sed mode: rewrite the given field in place with a sed-style substitution
    e.g. rex mode="sed" field=uri "s/=[\d\w]+\&/=NULLED\&/g"
    Note: in the replacement part of a sed expression an unescaped ampersand stands for the whole matched string, so escape it (\&) to insert a literal &
    Note: the example above only masks parameter values that are followed by &; the last parameter of a query string has no trailing & and is left untouched
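Putting the commands above together in one search: an added example for these notes, not from the Splunk documentation. It assumes sshd authentication logs indexed with sourcetype linux_secure (the name the Splunk Add-on for Unix uses); the field names user, src_ip, invalid_user and the threshold of 20 attempts are choices made here, not Splunk defaults.

```spl
sourcetype="linux_secure" "Failed password"
| rex "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| eval invalid_user=if(match(_raw, "invalid user"), 1, 0)
| stats count AS attempts, dc(user) AS distinct_users, sum(invalid_user) AS bad_usernames, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| where attempts > 20
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -attempts
| head 10
```

The first line is the only part that touches the index, so keep it as selective as possible (sourcetype plus a literal string, no leading wildcard); every later command only filters or reshapes the events already retrieved. The rex line uses extraction mode (named groups become the fields user and src_ip), eval flags attempts against non-existent accounts, stats collapses the events into one row per source address, and where / sort / head pick out the noisiest sources. Swapping the stats line for timechart span=1h count BY src_ip gives the same data as a per-source graph instead of a table.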