Splunk Recipes: Difference between revisions
No edit summary |
|||
| (20 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
* [[Splunk#Concepts|Splunk]] | * [[Splunk#Concepts|Splunk]] | ||
=Metadata Inventory= | |||
Settings -> | |||
: [[Splunk_Concepts#Event|Event]] Types | |||
: [[Splunk_Concepts#Field|Fields]] | |||
: [[Splunk_Concepts#Tag|Tags]] | |||
==All Indexes== | |||
{{Internal|Splunk_Concepts#All_Indexes|All Indexes}} | |||
=Searching with Fields= | =Searching with Fields= | ||
For more details on Splunk Fields fundamentals see [[Splunk Concepts#Field|Splunk Concepts - Fields]]. | |||
When searching for a specific field, use the following syntax: | When searching for a specific field, use the following syntax: | ||
| Line 11: | Line 25: | ||
</pre> | </pre> | ||
Field names '''are case sensitive'''. Field values are not case sensitive. | Field names '''are case sensitive'''. Field values are not case sensitive. | ||
Quotation marks are required when the field values include spaces. | |||
Wildcards can be used in field values: | |||
<pre> | |||
field_name="prefix*" | |||
</pre> | |||
=Search Syntax= | |||
Expression involving fields are explained above in [[#Searching_with_Fields|Searching with Fields]]. | |||
The logical AND is the implicit logical operator between expressions involving fields: | |||
<pre> | |||
sourcetype=access_* status=200 action=purchase | |||
</pre> | |||
==Not Equals== | |||
Use "!=". | |||
==Boolean Operators== | |||
Parentheses can be used to group parts of the search string. | |||
===OR=== | |||
<pre> | |||
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503) | |||
</pre> | |||
==Controlling Time Range== | |||
At the right of the search box there's a green dropdown time box. | |||
=Sort per Specific Field= | |||
<pre> | |||
ERROR | top logger | |||
</pre> | |||
where "logger" is a field. | |||
=Reverse the Time Order= | |||
"Natural order" (from oldest to newest): | |||
<pre> | |||
... | reverse | |||
</pre> | |||
=What is the Oldest Event I Can See?= | |||
Dashboards & View -> Data Retention -> Select Index -> mobileapps_core -> Search | |||
You get "Data Retention by sourcetype" -> Oldest Event. | |||
=Extract only a Line Fragment= | |||
* rex help http://docs.splunk.com/Documentation/Splunk/6.0.5/SearchReference/Rex | |||
* Regular Expression help http://docs.splunk.com/Documentation/Splunk/6.0.5/Knowledge/AboutSplunkregularexpressions | |||
Use <tt>rex</tt> with the modifiers <tt>field=<tt> and <tt>mode=sed</tt>. | |||
If <tt>field=</tt> is not specified, it defaults to <tt>_raw</tt> (everything in that event). | |||
Example: | |||
<pre> | |||
logger="com.example.SomeClass" | rex mode=sed "s/.*identifer \'(.*)\' in context.*/\1/g" | |||
</pre> | |||
Or with Perl regex: | |||
<pre> | |||
logger="com.example.SomeClass" | rex "identifer \'(?<id>.*)\' in context" | top id | |||
</pre> | |||
The variable is declared with <tt>(?<var_name>.*)</tt> | |||
Generically: | |||
<pre> | |||
... | rex "expr_to_match_before0(?<id>.*)expr_to_match_after" | top id | |||
</pre> | |||
Other Examples: "blah" field: | |||
<pre> | |||
logger=* | rex field=queryString "blah=(?<i>.*)&" | top i | |||
</pre> | |||
Latest revision as of 18:37, 11 January 2017
Internal
Metadata Inventory
Settings ->
All Indexes
Searching with Fields
For more details on Splunk Fields fundamentals see Splunk Concepts - Fields.
When searching for a specific field, use the following syntax:
field_name="field value"
Field names are case sensitive. Field values are not case sensitive.
Quotation marks are required when the field values include spaces.
Wildcards can be used in field values:
field_name="prefix*"
Search Syntax
Expression involving fields are explained above in Searching with Fields.
The logical AND is the implicit logical operator between expressions involving fields:
sourcetype=access_* status=200 action=purchase
Not Equals
Use "!=".
Boolean Operators
Parentheses can be used to group parts of the search string.
OR
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
Controlling Time Range
At the right of the search box there's a green dropdown time box.
Sort per Specific Field
ERROR | top logger
where "logger" is a field.
Reverse the Time Order
"Natural order" (from oldest to newest):
... | reverse
What is the Oldest Event I Can See?
Dashboards & View -> Data Retention -> Select Index -> mobileapps_core -> Search
You get "Data Retention by sourcetype" -> Oldest Event.
Extract only a Line Fragment
- rex help http://docs.splunk.com/Documentation/Splunk/6.0.5/SearchReference/Rex
- Regular Expression help http://docs.splunk.com/Documentation/Splunk/6.0.5/Knowledge/AboutSplunkregularexpressions
Use rex with the modifiers field= and mode=sed.
If field= is not specified, it defaults to _raw (everything in that event).
Example:
logger="com.example.SomeClass" | rex mode=sed "s/.*identifer \'(.*)\' in context.*/\1/g"
Or with Perl regex:
logger="com.example.SomeClass" | rex "identifer \'(?<id>.*)\' in context" | top id
The variable is declared with (?<var_name>.*)
Generically:
... | rex "expr_to_match_before0(?<id>.*)expr_to_match_after" | top id
Other Examples: "blah" field:
logger=* | rex field=queryString "blah=(?<i>.*)&" | top i