Documentation: 3.3.2
Print Version Contents
This page last updated: 07/23/08 01:07pm

More searches

A Splunk search consists of one or more data-generating commands and their arguments, which can include literal keywords, wildcards, Boolean expressions, modifier name and value pairs, and subsearches. The generated data (search results) can then be used as inputs into other search commands in a search pipeline.

Splunk search commands are categorized by the type of operations they perform. You've already seen some examples of data generating commands. There are also commands that allow you to:

  • Evaluate each result.
  • Filter and re-order your results.
  • Summarize large result sets.
  • Add or remove fields in your results.
  • Save data in different output formats.
  • Perform administrative functions.

The following examples will demonstrate some of these capabilities. Refer to Search Commands for the complete list.

Report

Report commands, such as timechart, stats, top, and rare, summarize your results in the report window.

timechart

timechart returns statistics bucketed by time and is good for driving line charts. Try these examples.

Count of deny events graphed by time.

index=sampledata deny | timechart count(_raw)Search

Sum of bytes for GET requests:

index=sampledata sourcetype="access_common" GET | timechart sum(bytes)Search

Average bytes by method:

index=sampledata sourcetype=access_common | timechart avg(bytes) by methodSearch

stats

stats provides summary calculations by any field.

Total bytes sent by destination.

index=sampledata sourcetype=syslog | stats sum(sent) by dstSearch

top

Let's get the top denied source IP addresses. Try it with a column graph.

index=sampledata netscreen deny | top srcSearch

rare

You can also get the 10 least common source IPs (by using rare).

index=sampledata netscreen deny | rare limit=10 srcSearch

Transform

Transform commands, such as transaction and diff , allow you manipulate the fields and values in your search results.

transaction

This search takes events from the access logs and creates a transaction from events that share the same clientip value that occurred within 5 minutes of each other (within a 3 hour time span).

index=sampledata sourcetype=access_combined | transaction fields=clientip maxpause=5m maxspan=3hSearch

diff

Search for errors in syslog and diff the first and third results.

index=sampledata error sourcetype=syslog | diff pos1=1 pos2=3Search

Compare the host field of the last search.

index="sampledata" error sourcetype="syslog" | diff pos1=1 pos2=3 attribute="host"Search

Re-order

You can modify the order of your results based on different fields.

sort

Use the sort command to re-order the top 100 src field values of netscreen deny events.

index="sampledata" netscreen deny | top limit=100 src | sort srcSearch

Filter

You can define constraints to modify your search results.

set

Return all URLs that have 404 errors but no 303 errors (using set).

index=sampledata | set diff [search 404 | fields url] [search 303 | fields url]Search

regex

Use the regex command to filter results out of your search results. Specify a regular expression in regex to remove results that do not match.

Note: if you want to use the "or" ("|") command in a regex argument, the whole regular expression must be surrounded by quotes (ie. regex "<expression>").

The following example gets sendmail events that contain IP addresses in the non-routable class A (10.0.0.0/8).

index=sampledata sendmail | regex _raw=(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)Search

Note: The regex command supports inclusion of PCREs (Perl Compatible Regular Expressions).

Evaluate

You can perform operations directly on your data while searching.

fields

Use the fields command to specify the particular fields you want to see in your results. Here we will display only the src and dst fields of the sampledata netscreen deny events.

index="sampledata" netscreen deny | fields src, dstSearch

Add a comparison

Let's go back to our top source IP addresses and filter for ones with more than 5 denies by using a logical comparison in the search command.

index=sampledata netscreen deny AND (count>5) | top limit=100 srcSearch

Refer to the Search Syntax for more information on Comparison Operators.

Use subsearches

Now we're going to put it all together by doing another search to find which of the actions with more than 2 500 http status codes also had 200 successes.

index=sampledata 200 [search index=sampledata 500 AND (count>2) | top action | fields + action]Search

Previous: Reports    |    Next: About inputs

Comments

  1. You almost had it Mike. There's no such term as count>5 in your events, you need to tell Splunk to first calculate the count and then look for when it is > 5. Try COLDSTART | top host | search count>5
    Posted by goldburtd on Nov 14 2008, 11:09am

  2. MikeSainsburys: you can use the stats command to count the number of events by host, then search for only the events that occur more than 5 times:

    COLDSTART | stats count by host | where count>5

    for more information, refer to the stats command docs: http://www.splunk.com/doc/3.3/user/TransformingAndReportingCommands#stats

    if this is not what you're looking for, i recommend sending an email to support@splunk.com.
    Posted by sophy on Nov 14 2008, 10:47am

  3. COLDSTART | top host Gives me chart showing each host that has coldstarted. I can even limit it to X number of hosts. Hurray!

    What I really want is a list of hosts which have coldstarted more than 5 times! I tried this but it doesn't work

    COLDSTART AND (count>5) | top host
    Posted by MikeSainsburys on Nov 14 2008, 10:23am

Log in to comment.