
This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13

More searches

A Splunk search consists of one or more data-generating commands and their arguments, which can include literal keywords, wildcards, Boolean expressions, modifier name and value pairs, and subsearches. The generated data (search results) can then be used as inputs into other search commands in a search pipeline.

Splunk search commands are categorized by the type of operation they perform. You've already seen some examples of data-generating commands. There are also commands that allow you to:

  • Evaluate each result.
  • Filter and re-order your results.
  • Summarize large result sets.
  • Add or remove fields in your results.
  • Save data in different output formats.
  • Perform administrative functions.

The following examples will demonstrate some of these capabilities. Refer to Search Commands for the complete list.

Summarize your results

Commands such as timechart, stats, top, and rare summarize your results in the report window.

timechart

timechart returns statistics bucketed by time and is good for driving line charts. Try these examples.

Count of deny events graphed by time.

index=sampledata deny | timechart count(_raw)

Sum of bytes for GET requests.

index=sampledata sourcetype="access_common" GET | timechart sum(bytes)

Average bytes by method.

index=sampledata sourcetype=access_common | timechart avg(bytes) by method

Report on the top 20 hosts. By default, Splunk reports on the top 10; the following example shows how to override that default.

index=sampledata | timechart count by host where sum in top20

stats

stats provides summary calculations by any field.

Total bytes sent by destination.

index=sampledata sourcetype=syslog | stats sum(sent) by dst

top

Let's get the top denied source IP addresses. Try it with a column graph.

index=sampledata netscreen deny | top src

rare

You can also get the 10 least common source IPs (by using rare).

index=sampledata netscreen deny | rare limit=10 src

Transform your results with transaction and diff

Transform commands, such as transaction and diff, allow you to manipulate the fields and values in your search results.

transaction

This search takes events from the access logs and builds a transaction from events that share the same clientip value, occur within 5 minutes of each other (maxpause), and fall within a 3 hour time span overall (maxspan).

index=sampledata sourcetype=access_combined | transaction fields=clientip maxpause=5m maxspan=3h
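As an added illustration (not part of the original page or Splunk's own code), the following Python models what fields=clientip maxpause=5m maxspan=3h does over constructed access_combined lines: a transaction closes when the gap since its previous event exceeds maxpause, or when the time since its first event exceeds maxspan. It goes beyond the page's single search by letting you vary both limits; treating a gap exactly equal to a limit as still inside the transaction is this example's assumption, and the client addresses and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed access_combined-style sample events (hypothetical data, not from the page).
TZ = timezone(timedelta(hours=-7))
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')

def make_event(clientip, when):  # one constructed Apache combined-format line
    return f'{clientip} - - [{when.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512'

base = datetime(2008, 10, 10, 13, 55, tzinfo=TZ)
SAMPLE_EVENTS = [
    make_event("10.1.1.5", base),                          # starts transaction A
    make_event("10.1.1.5", base + timedelta(minutes=3)),   # 3m pause: stays in A
    make_event("10.1.1.9", base + timedelta(minutes=4)),   # other client, own transaction
    make_event("10.1.1.5", base + timedelta(minutes=7)),   # 4m pause: stays in A
    make_event("10.1.1.5", base + timedelta(minutes=15)),  # 8m pause > maxpause: starts B
]
# A client hitting every 250 s never exceeds maxpause=5m, so only maxspan=3h can split it.
SAMPLE_EVENTS += [make_event("10.1.1.7", base + timedelta(hours=2, seconds=250 * i))
                  for i in range(50)]

def parse_duration(spec):
    """Translate a Splunk-style span such as '5m' or '3h' into a timedelta."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return timedelta(seconds=int(spec[:-1]) * units[spec[-1]])

def group_transactions(events, maxpause="5m", maxspan="3h"):
    """Group events by clientip into transactions. A transaction is closed when the gap to
    its previous event exceeds maxpause or the distance from its first event exceeds maxspan;
    treating an exactly-equal gap as still inside is this example's assumption."""
    pause, span = parse_duration(maxpause), parse_duration(maxspan)
    parsed = []
    for line in events:
        m = LOG_RE.match(line)  # constructed lines always match the combined format
        parsed.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("clientip"), line))
    parsed.sort(key=lambda e: e[0])  # evaluate in chronological order
    open_txn, closed = {}, []
    for ts, ip, line in parsed:
        txn = open_txn.get(ip)
        if txn and (ts - txn["last"] > pause or ts - txn["first"] > span):
            closed.append(open_txn.pop(ip))
            txn = None
        if txn is None:
            txn = open_txn[ip] = {"clientip": ip, "first": ts, "last": ts, "events": []}
        txn["last"] = ts
        txn["events"].append(line)
    return closed + list(open_txn.values())
```

Each returned transaction carries its clientip, first and last timestamps, and member events, so `len(t["events"])` corresponds to the eventcount Splunk reports for a transaction.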

diff

Search for errors in syslog and diff the first and third results.

index=sampledata error sourcetype=syslog | diff pos1=1 pos2=3

Compare the host field of the last search.

index="sampledata" error sourcetype="syslog" | diff pos1=1 pos2=3 attribute="host"

Re-order your results with sort

You can modify the order of your results based on different fields. Use the sort command to re-order the top 100 src field values of netscreen deny events.

index="sampledata" netscreen deny | top limit=100 src | sort src

Filter your results with fields, regex, and set

You can define constraints to modify your search results.

fields

Use the fields command to specify the particular fields you want to see in your results. Here we will display only the src and dst fields of the sampledata netscreen deny events.

index="sampledata" netscreen deny | fields src, dst

regex

Use the regex command to filter your search results: specify a regular expression, and results that do not match it are removed.

Note: if you want to use the "or" ("|") operator in a regex argument, the whole regular expression must be surrounded by quotes (i.e. regex "<expression>").

The following example gets sendmail events that contain IP addresses in the non-routable class A (10.0.0.0/8).

index=sampledata sendmail | regex _raw=(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)

Note: The regex command supports inclusion of PCREs (Perl Compatible Regular Expressions).
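Added example (not from the page or Splunk's own code): the lookarounds in the search above are what stop a 10/8 pattern from matching inside a longer address such as 110.1.2.3 or 210.10.2.3. This Python runs the page's pattern and a version without lookarounds over constructed sendmail-style lines so the difference in what survives the filter is visible; the log lines and addresses are constructed.

```python
import re

# The page's pattern: lookarounds keep the match from starting or ending inside a longer
# run of digits, and the escaped dot pins the first octet to exactly "10".
STRICT_10_8 = re.compile(r'(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)')
# The same pattern without lookarounds, for comparison only.
NAIVE_10_8 = re.compile(r'10\.\d{1,3}\.\d{1,3}\.\d{1,3}')

# Constructed sendmail-style lines (hypothetical data, not from the page).
SAMPLE_LINES = [
    "Oct 10 13:55:01 mx sendmail[2001]: from=<a@example.com>, relay=host1 [10.1.2.3]",
    "Oct 10 13:55:02 mx sendmail[2002]: from=<b@example.com>, relay=host2 [110.1.2.3]",
    "Oct 10 13:55:03 mx sendmail[2003]: from=<c@example.com>, relay=host3 [210.10.2.3]",
    "Oct 10 13:55:04 mx sendmail[2004]: from=<d@example.com>, relay=host4 [10.200.0.7]",
    "Oct 10 13:55:05 mx sendmail[2005]: from=<e@example.com>, relay=host5 [192.168.1.10]",
]

def filter_lines(lines, pattern):
    """Keep only lines containing a match, as `regex _raw=...` keeps only matching events."""
    return [line for line in lines if pattern.search(line)]

def extract_addresses(lines, pattern):
    """Return the address text the pattern matched in each retained line."""
    return [pattern.search(line).group(0) for line in filter_lines(lines, pattern)]
```

With the strict pattern only the two genuine 10/8 relays survive; the naive pattern also claims 10.1.2.3 out of 110.1.2.3 and 10.10.2.3 out of 210.10.2.3.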

set

Return all URLs that have 404 errors but no 303 errors (using set).

index=sampledata | set diff [search 404 | fields url] [search 303 | fields url]

Use comparisons to filter your search

Let's go back to our top source IP addresses and filter for ones with more than 5 denies by using a logical comparison in the search command.

index=sampledata netscreen deny AND (count>5) | top limit=100 src

Refer to the Search Syntax for more information on Comparison Operators.

Use subsearches

Now we're going to put it all together with another search that finds which of the actions with more than 2 HTTP 500 status codes also had 200 successes.

index=sampledata 200 [search index=sampledata 500 AND (count>2) | top action | fields + action]

Revision: 207