Splunk Recipes

From NovaOrdis Knowledge Base
Latest revision as of 18:37, 11 January 2017

=Internal=
* [[Splunk#Concepts|Splunk]]

=Metadata Inventory=
Settings ->
: [[Splunk_Concepts#Event|Event]] Types
: [[Splunk_Concepts#Field|Fields]]
: [[Splunk_Concepts#Tag|Tags]]

==All Indexes==
{{Internal|Splunk_Concepts#All_Indexes|All Indexes}}

=Searching with Fields=
For more details on Splunk Fields fundamentals see [[Splunk_Concepts#Field|Splunk Concepts - Fields]].

When searching for a specific field, use the following syntax:
<pre>
field_name="field value"
</pre>
Field names are case sensitive. Field values are not case sensitive.

Quotation marks are required when the field values include spaces.

Wildcards can be used in field values:
<pre>
field_name="prefix*"
</pre>

=Search Syntax=
Expressions involving fields are explained above in [[#Searching with Fields|Searching with Fields]].

The logical AND is the implicit logical operator between expressions involving fields:
<pre>
sourcetype=access_* status=200 action=purchase
</pre>
==Not Equals==
Use <tt>!=</tt>.

==Boolean Operators==
Parentheses can be used to group parts of the search string.

===OR===
<pre>
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
</pre>
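The following Python script is an added example, not part of the wiki page and not Splunk code: it models the field-matching rules stated above (case-sensitive field names, case-insensitive values, <tt>*</tt> wildcards, implicit AND between terms, and <tt>!=</tt>) over a handful of constructed events. The events, their <tt>user</tt> field and the query strings are all made up; <tt>OR</tt> and parentheses are not modelled.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in the shape of the page's
# "sourcetype=access_* status=200 action=purchase" search; every value is made up.
EVENTS: List[Dict[str, str]] = [
    {"sourcetype": "access_combined", "status": "200", "action": "purchase", "user": "Alice"},
    {"sourcetype": "access_combined", "status": "404", "action": "view", "user": "bob"},
    {"sourcetype": "access_custom", "status": "200", "action": "PURCHASE", "user": "carol"},
    {"sourcetype": "syslog", "status": "200", "action": "purchase", "user": "dave"},
    {"sourcetype": "access_combined", "status": "200", "action": "add to cart", "user": "erin"},
    {"sourcetype": "access_combined", "action": "purchase", "user": "frank"},  # no status field
]

Term = Tuple[str, str, str]  # (field name, operator, value pattern)

# One term: a field name, then = or !=, then either a double-quoted value or a run of non-blanks.
TERM_RE = re.compile(r'(\w+)(!=|=)(?:"([^"]*)"|(\S+))')


def parse_search(search: str) -> List[Term]:
    """Split a search string into (field, op, pattern) terms.
    Quotes are what let a value contain spaces, which is why the page requires them there."""
    terms: List[Term] = []
    for m in TERM_RE.finditer(search):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        terms.append((m.group(1), m.group(2), value))
    return terms


def value_matches(value: str, pattern: str) -> bool:
    """Field values compare case-insensitively; '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def search(events: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    """Apply every term with implicit AND. Field names are looked up case-sensitively.
    An event that lacks the field matches neither '=' nor '!=' (Splunk's '!=' behaves the
    same way: it only matches events that carry the field, unlike 'NOT field=value')."""
    terms = parse_search(query)
    matched: List[Dict[str, str]] = []
    for event in events:
        keep = True
        for field, op, pattern in terms:
            if field not in event:
                keep = False
                break
            hit = value_matches(event[field], pattern)
            if hit != (op == "="):  # '=' needs a hit, '!=' needs a miss
                keep = False
                break
        if keep:
            matched.append(event)
    return matched


def matching_users(query: str) -> List[str]:
    """Convenience wrapper: the 'user' values of the constructed events that match."""
    return [e["user"] for e in search(EVENTS, query)]


if __name__ == "__main__":
    for q in ('sourcetype=access_* status=200 action=purchase', 'status!=200',
              'Status=200', 'action="add to cart"'):
        print(f"{q!r:55} -> {matching_users(q)}")
```

The <tt>!=</tt> rule is worth remembering when a search is used as a detection rule: <tt>status!=200</tt> silently drops events that have no <tt>status</tt> field at all, which is rarely what a "not successful" filter intends.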

=Controlling Time Range=
At the right of the search box there's a green dropdown time box.

=Sort per Specific Field=
<pre>
ERROR | top logger
</pre>
where <tt>logger</tt> is a field.

=Reverse the Time Order=
"Natural order" (from oldest to newest):
<pre>
... | reverse
</pre>

=What is the Oldest Event I Can See?=
Dashboards & View -> Data Retention -> Select Index -> mobileapps_core -> Search

You get "Data Retention by sourcetype" -> Oldest Event.

=Extract only a Line Fragment=
* rex help http://docs.splunk.com/Documentation/Splunk/6.0.5/SearchReference/Rex
* Regular Expression help http://docs.splunk.com/Documentation/Splunk/6.0.5/Knowledge/AboutSplunkregularexpressions
Use <tt>rex</tt> with the modifiers <tt>field=</tt> and <tt>mode=sed</tt>.

If <tt>field=</tt> is not specified, it defaults to <tt>_raw</tt> (everything in that event).

Example:
<pre>
logger="com.example.SomeClass" | rex mode=sed "s/.*identifer \'(.*)\' in context.*/\1/g"
</pre>
Or with Perl regex:
<pre>
logger="com.example.SomeClass" | rex "identifer \'(?<id>.*)\' in context" | top id
</pre>
The variable is declared with <tt>(?<var_name>.*)</tt>.

Generically:
<pre>
... | rex "expr_to_match_before(?<id>.*)expr_to_match_after" | top id
</pre>
Another example, extracting the value of the <tt>blah</tt> parameter from the <tt>queryString</tt> field:
<pre>
logger=* | rex field=queryString "blah=(?<i>.*)&" | top i
</pre>
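As an added example (not from the wiki page and not Splunk's own implementation), the script below reproduces in Python what the <tt>rex</tt> recipes above do: named-group extraction followed by a <tt>top</tt>-style count, the <tt>mode=sed</tt> rewrite, and the page's <tt>blah=(?<i>.*)&</tt> pattern next to a lazy variant. The log lines and <tt>queryString</tt> values are constructed, and the "identifer" spelling is kept from the page's search strings. Python spells a named group <tt>(?P<name>...)</tt> where rex writes <tt>(?<name>...)</tt>.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed log lines shaped like the text the page's rex examples pull apart.
RAW_EVENTS: List[str] = [
    "2017-01-11 18:37:01 INFO com.example.SomeClass - identifer 'abc-1' in context session",
    "2017-01-11 18:37:02 INFO com.example.SomeClass - identifer 'abc-2' in context session",
    "2017-01-11 18:37:03 INFO com.example.SomeClass - identifer 'abc-1' in context request",
    "2017-01-11 18:37:04 WARN com.example.Other - nothing to extract on this line",
]

# Constructed values of a hypothetical queryString field, as in the page's "blah" example.
QUERY_STRINGS: List[str] = [
    "page=1&blah=first&sort=asc",
    "blah=second&page=2&token=abc",
    "blah=third&page=3&blah=fourth&x=1",
]


def rex_extract(values: List[str], pattern: str) -> List[Optional[str]]:
    """Stand-in for rex "...(?<name>...)...": run the regex over each value and return the
    captured text, or None when the pattern does not match (rex leaves the field unset)."""
    regex = re.compile(pattern)
    if not regex.groupindex:
        raise ValueError("pattern needs a named capture group")
    name = next(iter(regex.groupindex))  # the first named group, e.g. 'id'
    results: List[Optional[str]] = []
    for value in values:
        m = regex.search(value)
        results.append(m.group(name) if m else None)
    return results


def rex_sed(values: List[str], search_re: str, replacement: str) -> List[str]:
    """Stand-in for rex mode=sed "s/search/replacement/g": rewrite the value instead of
    extracting from it; values that do not match come back unchanged."""
    return [re.sub(search_re, replacement, v) for v in values]


def top(values: List[Optional[str]]) -> List[Tuple[str, int]]:
    """Stand-in for | top <field>: count the non-empty values, most frequent first."""
    return Counter(v for v in values if v is not None).most_common()


def top_ids() -> List[Tuple[str, int]]:
    """The page's rex "identifer '(?<id>.*)' in context" | top id, over the constructed lines."""
    return top(rex_extract(RAW_EVENTS, r"identifer '(?P<id>.*)' in context"))


def greedy_vs_lazy() -> Tuple[List[Optional[str]], List[Optional[str]]]:
    """The page's blah=(?<i>.*)& pattern beside a lazy variant: greedy .* runs to the LAST '&'
    in the value, swallowing the parameters that follow; .*? stops at the first '&'."""
    greedy = rex_extract(QUERY_STRINGS, r"blah=(?P<i>.*)&")
    lazy = rex_extract(QUERY_STRINGS, r"blah=(?P<i>.*?)&")
    return greedy, lazy


if __name__ == "__main__":
    print(top_ids())
    print(rex_sed(RAW_EVENTS, r".*identifer '(.*)' in context.*", r"\1"))
    for g, l in zip(*greedy_vs_lazy()):
        print(f"greedy={g!r:32} lazy={l!r}")
```

The greedy/lazy comparison is the caveat to take from this section: <tt>blah=(?<i>.*)&</tt> captures everything up to the last <tt>&</tt> in the query string, so on a value such as <tt>blah=second&page=2&token=abc</tt> the extracted field is <tt>second&page=2</tt>, which then skews the <tt>top</tt> counts. A lazy quantifier (<tt>.*?</tt>) or a negated class (<tt>[^&]*</tt>) stops at the first separator.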