Searching in Splunk

-
  • Searching on Splunk is quite simple.
  • Just login to your Splunk Enterprise installation, navigate to App: Search & Reporting.
  • It will bring you to a new web page which is basically our search head.
  • Type in your query and you are done.
    • All your events which matched your query will be presented on your screen,
  • If you will notice below, the query which I have used have nothing much its just searching all the events from "idx_messages" index < remember we added a monitor on one of our remote host to forward the data to idx_messages index  >.









  • Based on above search it resulted in 1068 events in last 7 days.
  • Field names are case sensitive.
  • Field values are not case sensitive, if used without single quotes.

i.e. below queries with give us same results:
  • index=idx_messages date_wday=monday 
  • index=idx_messages date_wday=MONDAY
  • index=idx_messages date_wday="MONDAY"

    But if I use below query it might not give me intended results:
    • index=idx_messages date_wday='MONDAY'
    Therefore make sure, you are validating the results which you are getting, also never run a search for "All Time" this will greatly use your compute resources. If it is really needed and your project demands for it, than only go for it otherwise avoid this.

    Comments

    Post a Comment

    Popular posts from this blog

    #3 Splunk sub(Commands) [eval, round, trim, stats, ceil, exact, floor, tostring]

    -
    Image
    ROUND: Eval with round takes one or two numeric arguments, returning 'first value' rounded to the amount of decimal places specified in 'second value'.  By default it will remove all the decimals. Example: index=idx_messages sourcetype=linux_logs | eval new_rt= trim ( replace (response_time, "ms.", "")) | stats avg (new_rt) as Average | eval Average= round (Average) Remove all the decimal values. Example: | eval Average= round (Average,3) Rounded the value up-to 3 decimal places. Example: | eval Average= ceil (Average) Round the value up-to the next highest integer. Example: | eval Average= exact (Average) Give the output with maximum possible number of decimal values. Example: | eval Average= floor (Average) Round the value down to the nearest whole integer. Apart from this, there are other functions as well which are used by eval command, for instance pi (), sqrt () etc. TOSTRING: Hel
    Read more

    #6 Splunk sub(Commands) [fields, rename, replace, table, transaction]

    -
    FIELDS:  This command helps to keep or remove specified fields from the search results, below command will keep just three fields in your search result. Example: | fields request, rc, pt RENAME:  This command helps to rename field(s), below command will rename a field named as service to serviceType and RC as responseCode Example: | rename service AS serviceType, RC AS responseCode REPLACE:  This command helps to replace the values of fields with another value, below command will replace the values "fetchReport" and "viewReport" as "Report" in "serviceType' field. Example: | replace fetchReport with Report, viewReport with Report in serviceType TABLE: This command helps to format the results into tabular output. Example: | table request, rc, pt TRANSACTION:  This command helps to merge events into a single event based upon a common identifier, below command will create events based on two events i.e. it will fetch the txn-id w
    Read more

    #2 Splunk sub(Commands) [eval, trim, chart, showperc, stats, avg]

    -
    Image
    TRIM: Basically it helps you to create more meaning full data from existing data i.e. it helps you to remove noise from the results. Example: index=idx_messages sourcetype=linux_logs | eval new_rt= trim (replace( response_time , "ms.", "")) In above example, response_time is an existing field which consists of some unwanted data like "ms." which we don't want. So, by using eval and trim we can remove that unwanted data. If you will notice, above search will create a new field called new_rt which contains our intended results i.e. without "ms." CHART: It basically results your finished data in a table format, further that data can be used to visualize via different mechanism. Example: index=idx_messages sourcetype=linux_logs | chart count by date client useother=f Honestly the example is not so good but I believe, you are able to reach to the crux of it, i.e. it will show you which client on which date made how ma
    Read more