#5 Splunk sub(Commands) [sendemail, dedup, eval, concatenate, new_field]

-
SENDEMAIL: This command helps you to send an email straight away from the search head itself. you just need to pass couple of values to it. For instance to whom you want to send the email, if you want to keep anyone in cc/bcc, change the subject line (by default its "Splunk Results"), sendpdf(true or false) i.e. the results, set the priority of the email, give a message i.e. the body(if required).
  • Example: | sendemail to="XYZ@gmail.com" subject="Test Search Results" sendpdf=true priority=highest message="Please find attached latest search result" sendresults=true

DEDUP: This command helps de-duplicate the results based upon specified fields, keeping the most recent match.
  • Example: | dedup txn-id

EVAL: This command helps to evaluate new or existing fields and their values. There are multiple different functions available for eval command.

Lets say you want to add a new field, for doing so you can use something like given below, it command will create a new field based on the IF condition i.e. of the response code is equals to 200 it will mark it as OK otherwise for all other response code it will mark it as Error.
  • Example: | eval http_response=if(RC!=200,"Error","OK")
Lets say you want to create a new filed and concatenate results of multiple field and bring them to your newly created field, below command will create a new filed called "Output" and will have the value of two fields "request" and "RC" in addition to that some normal static text.
  • Example: | eval Output=request." have a response code of ".RC
    • Output will be something like: viewReport have a response code of 200 

Comments

Post a Comment

Popular posts from this blog

#3 Splunk sub(Commands) [eval, round, trim, stats, ceil, exact, floor, tostring]

-
Image
ROUND: Eval with round takes one or two numeric arguments, returning 'first value' rounded to the amount of decimal places specified in 'second value'.  By default it will remove all the decimals. Example: index=idx_messages sourcetype=linux_logs | eval new_rt= trim ( replace (response_time, "ms.", "")) | stats avg (new_rt) as Average | eval Average= round (Average) Remove all the decimal values. Example: | eval Average= round (Average,3) Rounded the value up-to 3 decimal places. Example: | eval Average= ceil (Average) Round the value up-to the next highest integer. Example: | eval Average= exact (Average) Give the output with maximum possible number of decimal values. Example: | eval Average= floor (Average) Round the value down to the nearest whole integer. Apart from this, there are other functions as well which are used by eval command, for instance pi (), sqrt () etc. TOSTRING: Hel...
Read more

#6 Splunk sub(Commands) [fields, rename, replace, table, transaction]

-
FIELDS:  This command helps to keep or remove specified fields from the search results, below command will keep just three fields in your search result. Example: | fields request, rc, pt RENAME:  This command helps to rename field(s), below command will rename a field named as service to serviceType and RC as responseCode Example: | rename service AS serviceType, RC AS responseCode REPLACE:  This command helps to replace the values of fields with another value, below command will replace the values "fetchReport" and "viewReport" as "Report" in "serviceType' field. Example: | replace fetchReport with Report, viewReport with Report in serviceType TABLE: This command helps to format the results into tabular output. Example: | table request, rc, pt TRANSACTION:  This command helps to merge events into a single event based upon a common identifier, below command will create events based on two events i.e. it will fetch the txn-id w...
Read more

#1 Splunk sub(Commands) [top, rare, fields, table, rename, sort]

-
Image
TOP: Will show you top results with respect to your field. Example: index=_internal | top limit=5 component RARE: Will help you to find out least common values of a field, i.e. it is similar to TOP but works in opposite direction. Example: index=_internal | rare limit=5 component FIELDS: Will help you to limit your columns, lets say you want to remove count from above table, fields can help you to achieve that. Though there are other usage of fields as well but you will learn slowly and gradually when you start building some complex queries. Example: index=_internal | top limit=5 component | fields component, percent TABLE: Same thing can be achieved via table as well. Example: index=_internal | top limit=5 component | table component, percent RENAME: Lets say you want to rename a column, for that you can use rename command. Example: index=_internal | top limit=5 component | rename percen...
Read more