Splunk Recipes: Difference between revisions
Revision as of 16:29, 21 September 2016
Internal
Searching with Fields
For more details on Splunk Fields fundamentals see Splunk Concepts - Fields.
When searching for a specific field, use the following syntax:
field_name="field value"
Field names are case sensitive. Field values are not case sensitive.
Quotation marks are required when the field values include spaces.
Wildcards can be used in field values:
field_name="prefix*"
Search Syntax
Expressions involving fields are explained above in Searching with Fields.
The logical AND is the implicit logical operator between expressions involving fields:
sourcetype=access_* status=200 action=purchase
Not Equals
Use "!=".
Boolean Operators
Parentheses can be used to group parts of the search string.
OR
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
Controlling Time Range
At the right of the search box there's a green dropdown time box.
Sort per Specific Field
ERROR | top logger
where "logger" is a field.
Reverse the Time Order
"Natural order" (from oldest to newest):
... | reverse
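The following is an added, self-contained toy evaluator (not Splunk code and not part of the original wiki page) that implements the search semantics described above for field expressions (case-sensitive field names, case-insensitive values, wildcards, implicit AND, OR with parentheses, and !=) together with toy versions of `top` and `reverse`. The sample events, their field names and timestamps are all constructed for the example; the percent convention in `top` (relative to events that carry the field) and the rule that `field!=value` does not match events lacking the field are this example's assumptions about Splunk behaviour, not statements taken from the page.

```python
"""Toy evaluator for the subset of Splunk search syntax covered on this page.
Constructed example; events are dicts and '_raw' holds the raw log text."""
import fnmatch
import re
from collections import Counter

# Constructed sample events, newest first (the default result order in Splunk).
EVENTS = [
    {"_time": 1474400000, "sourcetype": "access_combined", "status": "200", "action": "purchase",
     "_raw": "GET /cart/checkout status=200 action=purchase"},
    {"_time": 1474399990, "sourcetype": "app_log", "level": "ERROR", "logger": "PaymentService",
     "_raw": "ERROR PaymentService: gateway timeout"},
    {"_time": 1474399980, "sourcetype": "access_combined", "status": "503", "action": "view",
     "_raw": "GET /cart status=503 action=view"},
    {"_time": 1474399970, "sourcetype": "app_log", "level": "ERROR", "logger": "AuthService",
     "_raw": "ERROR AuthService: token validation failed"},
    {"_time": 1474399960, "sourcetype": "access_custom", "status": "200", "action": "purchase",
     "_raw": "POST /order status=200 action=purchase"},
    {"_time": 1474399950, "sourcetype": "app_log", "level": "ERROR", "logger": "PaymentService",
     "_raw": "ERROR PaymentService: card declined"},
    {"_time": 1474399940, "sourcetype": "app_log", "level": "WARN", "logger": "AuthService",
     "_raw": "WARN AuthService: slow response"},
    {"_time": 1474399930, "sourcetype": "access_combined", "status": "404", "action": "view",
     "_raw": "GET /missing status=404 action=view"},
]

# Tokens: parentheses, field comparisons (field=value / field!=value), or bare keywords.
_TOKEN = re.compile(r'''\s*(?:
    (?P<lparen>\()
  | (?P<rparen>\))
  | (?P<field>[A-Za-z_][\w.]*)\s*(?P<op>!=|=)\s*(?P<val>"[^"]*"|[^\s()]+)
  | (?P<term>"[^"]*"|[^\s()]+)
)''', re.VERBOSE)


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == '"' and s[-1] == '"' else s


def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m or m.end() == pos:
            raise ValueError(f"cannot tokenize at {pos}: {query[pos:]!r}")
        pos = m.end()
        if m.group("lparen"):
            tokens.append(("(", None))
        elif m.group("rparen"):
            tokens.append((")", None))
        elif m.group("field"):
            tokens.append(("cmp", (m.group("field"), m.group("op"), _unquote(m.group("val")))))
        else:
            term = _unquote(m.group("term"))
            if term == "NOT":
                raise ValueError("NOT is outside the scope of this toy evaluator")
            tokens.append((term, None) if term in ("AND", "OR") else ("term", term))  # operators are uppercase
    return tokens


class _Parser:
    """Recursive descent: or_expr := and_expr (OR and_expr)*; adjacency is an implicit AND."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing token")
        return node

    def or_expr(self):
        parts = [self.and_expr()]
        while self.peek() == "OR":
            self.take()
            parts.append(self.and_expr())
        return parts[0] if len(parts) == 1 else ("or", parts)

    def and_expr(self):
        parts = [self.atom()]
        while self.peek() in ("AND", "(", "term", "cmp"):
            if self.peek() == "AND":
                self.take()
            parts.append(self.atom())
        return parts[0] if len(parts) == 1 else ("and", parts)

    def atom(self):
        kind, val = self.take()
        if kind == "(":
            node = self.or_expr()
            if self.peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.take()
            return node
        if kind in ("term", "cmp"):
            return (kind, val)
        raise ValueError(f"unexpected token {kind}")


def _matches(node, event):
    kind, val = node
    if kind == "or":
        return any(_matches(n, event) for n in val)
    if kind == "and":
        return all(_matches(n, event) for n in val)
    if kind == "term":  # keyword search over _raw: case-insensitive, wildcard allowed
        raw = event.get("_raw", "")
        if " " in val:  # quoted phrase
            return val.lower() in raw.lower()
        return any(fnmatch.fnmatchcase(t.lower(), val.lower()) for t in re.split(r"\W+", raw) if t)
    field, op, want = val
    have = event.get(field)  # field names are case-sensitive: exact key lookup
    if have is None:
        return False  # assumption: field!=value does not match events lacking the field
    eq = fnmatch.fnmatchcase(str(have).lower(), want.lower())  # values compared case-insensitively
    return eq if op == "=" else not eq


def search(query, events=EVENTS):
    """Return the events matching the search string, in their original order."""
    tree = _Parser(tokenize(query)).parse()
    return [e for e in events if _matches(tree, e)]


def top(events, field):
    """Toy `| top <field>`: (value, count, percent) by frequency; events lacking the field are skipped."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return [(v, c, round(100.0 * c / total, 2)) for v, c in counts.most_common()]


def reverse(events):
    """Toy `| reverse`: newest-first results become oldest-first."""
    return list(reversed(events))


if __name__ == "__main__":
    for q in ("sourcetype=access_* status=200 action=purchase", "status!=200", "Status=200"):
        print(q, "->", [e["_time"] for e in search(q)])
    print("ERROR | top logger ->", top(search("ERROR"), "logger"))
    print("ERROR | reverse ->", [e["_time"] for e in reverse(search("ERROR"))])
```

Running the script shows the two page examples against the sample data, the `Status=200` query returning nothing because field names are case-sensitive, and `status!=200` leaving out the app_log events that have no status field at all.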
What is the Oldest Event I Can See?
Dashboards & View -> Data Retention -> Select Index -> mobileapps_core -> Search
You get "Data Retention by sourcetype" -> Oldest Event.