Splunk Recipes: Difference between revisions
Latest revision as of 18:37, 11 January 2017
Internal
Metadata Inventory
Settings ->
  Event Types
  Fields
  Tags
All Indexes
Searching with Fields
For more details on Splunk Fields fundamentals see Splunk Concepts - Fields.
When searching for a specific field, use the following syntax:
field_name="field value"
Field names are case sensitive. Field values are not case sensitive.
Quotation marks are required when the field values include spaces.
Wildcards can be used in field values:
field_name="prefix*"
Search Syntax
Expressions involving fields are explained above under Searching with Fields.
The logical AND is the implicit logical operator between expressions involving fields:
sourcetype=access_* status=200 action=purchase
Not Equals
Use "!=".
Boolean Operators
Parentheses can be used to group parts of the search string.
OR
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
Controlling Time Range
At the right of the search box there's a green dropdown time box.
Sort per Specific Field
ERROR | top logger
where "logger" is a field.
Reverse the Time Order
"Natural order" (from oldest to newest):
... | reverse
What is the Oldest Event I Can See?
Dashboards & View -> Data Retention -> Select Index -> mobileapps_core -> Search
You get "Data Retention by sourcetype" -> Oldest Event.
Extract only a Line Fragment
- rex help http://docs.splunk.com/Documentation/Splunk/6.0.5/SearchReference/Rex
- Regular Expression help http://docs.splunk.com/Documentation/Splunk/6.0.5/Knowledge/AboutSplunkregularexpressions
Use rex with the modifiers field= and mode=sed.
If field= is not specified, it defaults to _raw (everything in that event).
Example:
logger="com.example.SomeClass" | rex mode=sed "s/.*identifer \'(.*)\' in context.*/\1/g"
Or with Perl regex:
logger="com.example.SomeClass" | rex "identifer \'(?<id>.*)\' in context" | top id
The named capture group (?<var_name>.*) declares the extracted field var_name.
Generically:
... | rex "expr_to_match_before(?<id>.*)expr_to_match_after" | top id
Other Examples: "blah" field:
logger=* | rex field=queryString "blah=(?<i>.*)&" | top i
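As an added illustration (not part of the original page), the following Python emulates rex in both modes and top over a few constructed events, covering the "Sort per Specific Field" and "Extract only a Line Fragment" recipes above. It also shows why a greedy capture such as blah=(?<i>.*)& can swallow the rest of the query string, while [^&]* stops at the first &. Python's re spells named groups (?P<name>...), so a small helper rewrites the Splunk (?<name>...) form; the sample events, field values and function names are all constructed.

```python
import re
from collections import Counter

# Constructed sample events (not from the original page). "_raw" is the full event
# text rex uses when no field= is given; "queryString" is an already-extracted field.
EVENTS = [
    {"logger": "com.example.SomeClass", "queryString": "a=1&blah=x&y=2&z=3",
     "_raw": "2017-01-11 INFO found identifier 'ord-42' in context checkout"},
    {"logger": "com.example.SomeClass", "queryString": "blah=z&y=2",
     "_raw": "2017-01-11 INFO found identifier 'ord-42' in context checkout"},
    {"logger": "com.example.SomeClass", "queryString": "blah=x",
     "_raw": "2017-01-11 WARN found identifier 'ord-7' in context refund"},
]

def to_python_regex(pcre):
    """Splunk/PCRE names groups as (?<name>...); Python's re wants (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre)

def rex(events, pattern, field="_raw"):
    """Emulate `| rex field=<field> "<pattern>"`: each named group becomes a new
    field; events that do not match pass through without that field."""
    compiled = re.compile(to_python_regex(pattern))
    out = []
    for ev in events:
        ev = dict(ev)
        m = compiled.search(ev.get(field, ""))
        if m:
            ev.update(m.groupdict())
        out.append(ev)
    return out

def rex_sed(events, sed_expr, field="_raw"):
    """Emulate `| rex mode=sed "s/<pat>/<repl>/<flags>"`, rewriting <field> in place.
    Assumes '/' is the delimiter and does not occur inside <pat> or <repl>."""
    _, pat, repl, flags = sed_expr.split("/")
    count = 0 if "g" in flags else 1  # 'g' replaces every match, otherwise only the first
    return [dict(ev, **{field: re.sub(pat, repl, ev.get(field, ""), count=count)})
            for ev in events]

def top(events, field):
    """Emulate `| top <field>`: (value, count) pairs, most frequent first."""
    return Counter(ev[field] for ev in events if field in ev).most_common()

def extract_blah(events, pattern):
    """Value of field i per event after `rex field=queryString`; None if no match."""
    return [ev.get("i") for ev in rex(events, pattern, field="queryString")]

if __name__ == "__main__":
    print(top(rex(EVENTS, r"identifier \'(?<id>.*)\' in context"), "id"))
    print(extract_blah(EVENTS, r"blah=(?<i>.*)&"))    # greedy: keeps "&y=2", misses "blah=x"
    print(extract_blah(EVENTS, r"blah=(?<i>[^&]*)"))  # stops at the first '&'
```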