#2 Splunk sub(Commands) [eval, trim, chart, showperc, stats, avg]

-
TRIM: Basically it helps you to create more meaning full data from existing data i.e. it helps you to remove noise from the results.
  • Example: index=idx_messages sourcetype=linux_logs | eval new_rt=trim(replace(response_time, "ms.", ""))


  • In above example, response_time is an existing field which consists of some unwanted data like "ms." which we don't want. So, by using eval and trim we can remove that unwanted data.
  • If you will notice, above search will create a new field called new_rt which contains our intended results i.e. without "ms."


CHART: It basically results your finished data in a table format, further that data can be used to visualize via different mechanism.
  • Example: index=idx_messages sourcetype=linux_logs | chart count by date client useother=f




  • Honestly the example is not so good but I believe, you are able to reach to the crux of it, i.e. it will show you which client on which date made how many hits?
  • Also it can be helpful to find out, if there are some malicious client which are making hits on daily basis, so that an appropriate action can be taken on them.

SHOWPERC: Helps you to show percentage of your fetched results.
  • Example: index=_internal | top component limit=5 showperc=t





  • PS: Replacing showperc=t to showperc=f will remove the percentage column.

STATS: This commands have many usage, it can help you to calculate average, count, sum etc.  
  • Example: index=idx_messages | stats count as "Total Count of events"
    • Above example helps you to count total number of events based on the time range selected.




  • Example: index=idx_messages | stats count as "Total count of events per day" by date
    • Above example is a extension of query used before, the difference is the statistics are created based on daily basis. 





  • Example: index=idx_messages sourcetype=linux_logs | eval new_rt=trim(replace(response_time, "ms.", "")) | eval new_rt=new_rt/1000 | stats avg(new_rt) AS "Response Time(Secs)" by date
    • Above example is bit of a complex query, firstly with the help of eval trim we are removing some noise from the events (i.e. "ms.") then converting milliseconds into seconds with the help of eval command (since the response time was in milliseconds), then calculating the average of response time on daily basis with the help of stats and avg function.
    • Another point to add, "AS" clause is basically used to rename things, in this example we are renaming "avg(new_rt)" AS "Response Time(Secs)" i.e. to a more understandable name.

Comments

Post a Comment

Popular posts from this blog

#3 Splunk sub(Commands) [eval, round, trim, stats, ceil, exact, floor, tostring]

-
Image
ROUND: Eval with round takes one or two numeric arguments, returning 'first value' rounded to the amount of decimal places specified in 'second value'.  By default it will remove all the decimals. Example: index=idx_messages sourcetype=linux_logs | eval new_rt= trim ( replace (response_time, "ms.", "")) | stats avg (new_rt) as Average | eval Average= round (Average) Remove all the decimal values. Example: | eval Average= round (Average,3) Rounded the value up-to 3 decimal places. Example: | eval Average= ceil (Average) Round the value up-to the next highest integer. Example: | eval Average= exact (Average) Give the output with maximum possible number of decimal values. Example: | eval Average= floor (Average) Round the value down to the nearest whole integer. Apart from this, there are other functions as well which are used by eval command, for instance pi (), sqrt () etc. TOSTRING: Hel
Read more

#6 Splunk sub(Commands) [fields, rename, replace, table, transaction]

-
FIELDS:  This command helps to keep or remove specified fields from the search results, below command will keep just three fields in your search result. Example: | fields request, rc, pt RENAME:  This command helps to rename field(s), below command will rename a field named as service to serviceType and RC as responseCode Example: | rename service AS serviceType, RC AS responseCode REPLACE:  This command helps to replace the values of fields with another value, below command will replace the values "fetchReport" and "viewReport" as "Report" in "serviceType' field. Example: | replace fetchReport with Report, viewReport with Report in serviceType TABLE: This command helps to format the results into tabular output. Example: | table request, rc, pt TRANSACTION:  This command helps to merge events into a single event based upon a common identifier, below command will create events based on two events i.e. it will fetch the txn-id w
Read more