KEMBAR78
Intermediate Searching: Recall The Search Pipeline | PDF | Information Retrieval | Software Engineering
Scribd
Upload
139 views9 pages

Intermediate Searching: Recall The Search Pipeline

The document discusses intermediate searching techniques in Splunk including commands like top, rare, and stats. Top returns the most common values of a field, rare returns the least common, and stats calculates statistics on fields. Examples are provided for each command.

Uploaded by

Kancharla
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
139 views9 pages

Intermediate Searching: Recall The Search Pipeline

The document discusses intermediate searching techniques in Splunk including commands like top, rare, and stats. Top returns the most common values of a field, rare returns the least common, and stats calculates statistics on fields. Examples are provided for each command.

Uploaded by

Kancharla
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

Intermediate Searching >

Recall the search pipeline


Broad search Keywords/booleans/fields Commands Table / Viz
host=myhost fail OR failure count Table
sourcetype=csv locked sum timechart
user=b123 eval

11010101
11010101 1101
00001001 1101
00001001 0101
11011101 0101
11011101 1111
01111010

The data we want


A lot of data
The format we want

© Adam Frisbee, adamfrisbee.com


Intermediate Searching >
Let’s look at some transforming commands

• top
• rare
• stats

© Adam Frisbee, adamfrisbee.com


Intermediate Searching >
Top

• top <field>
• Returns the most common values of a given field
• Defaults to 10 fields
• Can be combined with limit=<number>
• Automatically builds a table with count and percent columns
• Can be used with multiple fields
• “return the top value for a field organized by another field”

© Adam Frisbee, adamfrisbee.com


Intermediate Searching >
| top user

user count percent


gholmes0 43 21%
jruiz1 30 15%
hdean 24 12%
pbishop 23 11.5%
lmendez 23 11.5%
kpuroo14 20 1%
dlamd5t 12 0.06%
wgreene87 9 0.04%
jbruss 9 0.04%
anolowitz2 7 0.03%

© Adam Frisbee, adamfrisbee.com


Intermediate Searching >
Rare

• rare <field>
• Opposite of top
• Returns the least common values of a field
• Options are identical to top

© Adam Frisbee, adamfrisbee.com


Intermediate Searching >
Stats

• stats <function(field)> BY <field(s)>

• Some common functions


• count, avg, max, mean, median, sum, stdev, values, list

© Adam Frisbee, adamfrisbee.com


Intermediate Searching >
| stats avg(kbps) BY host

Avg(kbps) host
654.78 host1.domain.com
852.66 host2.domain.com

| stats count(failed_logins) BY user


Failed_logins user
42 jwebber
16 asloken3

© Adam Frisbee, adamfrisbee.com


Demo: top, rare, & stats
© Adam Frisbee, adamfrisbee.com, image credit: Jack Moreh/Freerange Stock
Thanks, Splunkers!

You might also like