===================================================================================
===================================================================================
==
1. source="*" | stats sum(*) BY EventCode | addtotals row=f col=t labelfield=EventCode sum(*)
===================================================================================
===================================================================================
==
Comparison and Conditional functions:
-------------------------------------
1. sourcetype=access_* | eval description=case(status == 200, "OK", status ==404, "Not found", status == 500, "Internal Server Error") | table status description
2. source=all_month.csv | eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | stats count min(mag) max(mag) by Description
3. source=all_month.csv | eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | stats count min(mag) max(mag) by Description | eval sort_field=case(Description="Low", 1, Description="Mid", 2, Description="Deep",3) | sort sort_field
4. source=all_month.csv | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local") | stats by isLocal
5. source=all_month.csv | eval ip=coalesce(clientip,ipaddress)
6. source="all_month.csv" | eval err=if(error == 200, "OK", "Error") | table *
7. source="all_month.csv" | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")
8. source="all_month.csv" | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local") | stats
9. source="all_month.csv" | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local") | stats by isLocal
10. source="all_month.csv" | where in(gap,"71", "72") | table *
11. source="all_month.csv" |where in(date_hour,"5", "13", "16") | where in(gap,"71", "72") | table *
12. source="all_month.csv" |where in(date_hour,"5", "13", "16") | where in(gap,"71") | table *
13. source="all_month.csv" | where gap in("72") | where date_hour in("5") | table *
14. source="all_month.csv" | where gap in("72") | where date_hour in("5", "10") | table *
15. source="all_month.csv" | where gap in("72", "71") | where date_hour in("5", "10") | table *
16. source="all_month.csv" | eval new_field=if(in(gap,"71"), "value-if_true","value-if-false") | stats by new_field
17. source="all_month.csv" | eval error=if(in(status, "error", "failure", "severe"),"true","false") | stats by error
18. source="all_month.csv" | eval error=if(in(status, "404","500","503"),"true","false") | stats count by error
19. source="all_month.csv" | eval error=if(in(status, "404","500","503"),"true","false") | stats by error
20. source="all_month.csv" | eval is_a_foo=if(like(date_month, "foo%"), "yes a foo", "not a foo") | table is_a_foo *
21. source="all_month.csv" | eval is_a_foo=if(like(date_hour, "6"), "yes a foo", "not a foo") | stats by is_a_foo
22. source="all_month.csv" | where like(gap, "72") | stats count by gap
23. source="all_month.csv" | where like(gap, "72") | stats by gap
24. source="all_month.csv" | where like(gap, "72") | table *
25. source="all_month.csv" | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0) | stats by n
26. source="all_month.csv" | eval n=if(match(_raw, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0) | table n *
27. source="all_month.csv" | eval matches = if(match(date_wday,"friday"), 1, 0) | stats by matches
28. source="all_month.csv" | eval matches = if(match(date_wday,"sunday"), 1, 0) | stats by matches
29. source="all_month.csv" | eval matches = if(match(date_wday,"friday"), 1, 0) | stats count by matches
30. source="all_month.csv" | eval n=nullif(gap,count) | table gap count *
31. | makeresults 1 | eval _raw = "x=hi y=bye" | eval x="hi" | eval y="bye" | eval test=if(searchmatch("x=hi y=no"), "yes", "no") | table _raw test x y
32. | makeresults 1 | eval _raw = "x=hi y=bye" | eval x="hi" | eval y="bye" | eval test=if(searchmatch("x=hi y=*"), "yes", "no") | table _raw test x y
33. source="all_month.csv" | eval test=if(searchmatch("date_hour=1 date_mday=1"), "yes", "no") | stats by test
34. source="all_month.csv" | eval test=if(searchmatch("date_hour=6"), "yes", "no") | table test date_hour date_mday
35. source="all_month.csv" | eval test=if(searchmatch("date_mday=31"), "yes", "no") | stats by test
36. source="all_month.csv" | eval test=if(searchmatch("date_mday=31 date_hour=6"), "yes", "no") | stats by test
37. source="all_month.csv" | eval test=if(searchmatch("date_mday=31 date_hour=5,6"), "yes", "no") | table test date_mday date_hour
38. source="all_month.csv" | eval test=if(searchmatch("date_mday=31 date_hour=6 date_minute=49"), "yes", "no") | table test date_mday date_hour date_minute
39. source="all_month.csv" | eval test=if(searchmatch("date_mday=31 date_hour=6 date_minute=49"), "yes", "no") | stats by test
40. sourcetype=access_* | eval description=case(status==200,"OK", status==404, "Not found", true(), "Other") | table status description
41. source="all_month.csv" | eval n=validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range") | stats by n
42. sourcetype=access_* | eval n=validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range") | table n
===================================================================================
===================================================================================
====
CONVERSION FUNCTION :=
43. sourcetype=access_* | eval n=tonumber("0A5",12) | table n *
44. sourcetype=access_* | eval n=tonumber("0A5",12) | stats by n
45. sourcetype=access_* | eval foo=615 | eval foo2 = tostring(foo, "duration") | stats by foo, foo2
46. sourcetype=access_* | eval n=sha1(bytes) | table n
47. sourcetype=access_* | eval n=md5(bytes) | table n
48. sourcetype=access_* | eval n=sha256(bytes) | table n
49. sourcetype=access_* | eval n=sha512(bytes) | table n
===================================================================================
===================================================================================
====
TIME AND DATE :=
50. sourcetype=access_* | eval n=relative_time(now(), "+1d") | table n
51. source="all_month.csv" | eval n=relative_time(now(), "-1d@d") | stats by n
52. | makeresults | eval StartTimestamp="1521467703049000000"| eval starttime=strftime(StartTimestamp/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")
53. | makeresults | eval StartTimestamp="1521467703049000000"| eval hour_min=strftime(_time, "%H:%M")
54. | makeresults
55. | makeresults | eval week=strftime(_time,"%V")
56. | makeresults | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")
57. | makeresults | eval mytime=strftime(_time,"%a %B %d %Y %H:%M:%S.%N")
58. | makeresults | eval mytime=strftime(_time,"%Y/%m/%d %H:%M:%S.%N")
59. | makeresults | eval n=strptime(timeStr, "%H:%M")
60. | gentimes start=8/13/18 increment=2h | fields starthuman endhuman | eval startunix=strptime(starthuman,"%a %B %d %H:%M:%S.%N %Y")
61. | gentimes start=8/13/18 increment=6h | fields starttime starthuman | eval epoch_time=strptime(starttime,"%s") | eval testtime=time()
===================================================================================
===================================================================================
=====
INFORMATIONAL FUNCTION :=
62. | gentimes start=8/13/18 increment=6h | eval n=if(isint(2),"int", "not int")
63. | gentimes start=8/13/18 increment=6h | eval n=if(isint(string),"int", "not int")
64. | gentimes start=8/13/18 increment=6h | where isint(1)
65. | gentimes start=8/13/18 increment=6h | eval n=if(isnotnull(starttime),"yes","no")
66. | gentimes start=8/13/18 increment=6h | where isnotnull(endtime)
67. | gentimes start=8/13/18 increment=6h | eval n=if(isnull(endtime),"yes","no")
68. | gentimes start=8/13/18 increment=6h | eval n=if(isnull(nofield),"yes","no")
69. | gentimes start=8/13/18 increment=6h | eval n=if(isnull(nofield),"yes","no") | where isnull(n)
70. | gentimes start=8/13/18 increment=6h | eval n=if(isnum(endtime),"yes","no")
71. | gentimes start=8/13/18 increment=6h | eval n=if(isnum(endtime),"yes","no") | where isnum(endtime)
72. | gentimes start=8/13/18 increment=6h | eval n=if(isstr(endhuman),"yes","no")
73. | gentimes start=8/13/18 increment=6h | eval n=if(isstr(field),"yes","no")
74. | gentimes start=8/13/18 increment=6h | eval n=if(isstr(endhuman),"yes","no") | where isstr(n)
75. | gentimes start=8/13/18 increment=6h | where isstr(starttime)
76. | gentimes start=8/13/18 increment=6h | eval n=typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)
77. | makeresults | eval t=typeof(_time)
===================================================================================
===================================================================================
====
MATHEMATICAL FUNCTION :=
78. | makeresults | eval absnum=abs(5+5)
79. | makeresults | eval n=ceil(1.1)
80. | makeresults | eval n=exact(3.14 * 6) | eval m=exact(4 * 4)
81. | makeresults | eval n=exact(3.14 * 6) | eval y=exp(3)
82. | makeresults | eval n=floor(6.443)
83. | makeresults | eval lnBytes=ln(4)
84. | makeresults | eval lnBytes=ln(4) | eval num=log(10) | eval num1=log(2, 2)
85. | makeresults | eval lnBytes=ln(4) | eval area_circle=pi()*pow(5,2)
86. | makeresults | eval lnBytes=ln(4) | eval n=round(3.6) | eval m=round(3.4)
87. | makeresults | eval n=round(2.555, 0) | eval m=round(2.555, 1) | eval l=round(2.555, 2) | eval p=round(2.555, 3) | eval q=round(2.555, 4)
88. | makeresults | eval n=sigfig(1.00*1111) | eval m=sigfig(2.00*1111)
89. | makeresults | eval n=sqrt(9) | eval m=sqrt(10) | eval p=sqrt(1000)
===================================================================================
===================================================================================
===
MULTIVALUE EVAL FUNCTION :=
90. source="all_month.csv" | eval x=commands("search foo | stats count | sort count") | stats by x
91. source="all_month.csv" | eval fullName=mvappend("123", "middle value", "1000") | stats by fullName
92. source="all_month.csv" | eval fullName=mvappend("123", "middle value", "1000") | table fullName *
93. source="all_month.csv" | eval n=mvcount(date_mday) | stats by n | table n *
94. source=WinEventLog* | eval n=if(match(Account_Name, "micro"), 1, 0) | stats by n