Splunk search command examples

eval command examples

The following are examples for using the SPL2 eval command. To learn more about the command, see How the eval command works.

Many of these examples use the evaluation functions. See Eval functions Quick Reference.

1. Create a new field that contains the result of a calculation

Create a new field called in each event. Calculate the speed by dividing the values in the field by the values in the field.

2. Use the if function to analyze field values

Create a new field called in each event. Using the if function, set the value in the field to OK if the value is 200. Otherwise, set the field value to Problem.

3. Convert values to lowercase

Create a new field in each event called . Using the lower function, populate the field with the lowercase version of the values in the field.

4. Specify field names that contain dashes or other characters

When a field name contains anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character, you must enclose the name in single quotation marks. This includes the wildcard ( * ) character.

This example shows how to specify a field name that includes a dash. The function is used to populate the field with the lowercase version of the values in the field.

5. Calculate the sum of the areas of two circles

This example uses the and functions to calculate the area of two circles. A new field called is created to store the sum of the areas of the two circles.

6. Return a string value based on the value of a field

This example uses the function to evaluate the value of the HTTP error codes in the field. Based on the HTTP error code, a text interpretation of the code is stored in a new field called .

7. Concatenate values from two fields

Use the plus ( + ) sign to concatenate the values in field with the values in the field. Use quotation marks to insert a space character between the two names. When concatenating, the values are read as strings, regardless of the actual value.

The concatenation operator accepts both strings and numbers. Numbers are converted to strings before they are concatenated, and the result is always a string.

8. Separate multiple eval operations with a comma

You can specify multiple eval operations by using a comma to separate the operations. In the following search the evaluation uses the plus ( + ) sign to concatenate the values in the field with the values in the field. In this example, there is a comma and space between the field and the field. The evaluation uses the function to convert the evaluation into lowercase.

9. Convert a numeric field value to a string and include commas in the output

Convert a numeric field value to a string, and specify that the string value is displayed with commas. In this example the converted values replace the values in the existing field instead of being written to a new field. If the original value of x is 1000000, this search returns x as 1,000,000.

10. Include a currency symbol when you convert a numeric field value to a string

Using the previous example, you can include a currency symbol at the beginning of the string. Instead of returning x as 1,000,000, the search returns x as $1,000,000.

See also

eval command
eval command overview
eval command syntax details
eval command usage
Source: https://docs.splunk.com/Documentation/SCS/current/SearchReference/EvalCommandExamples

search

Description

Use the search command to retrieve events from indexes or to filter the results of a previous command in the pipeline. You can retrieve events from your indexes using keywords, quoted phrases, wildcards, and field-value expressions. The search command is implied at the beginning of any search, so you do not need to type it at the start of your search criteria.

You can also use the search command later in the search pipeline to filter the results from the previous command in the pipeline.

The search command can also be used in a subsearch. See About subsearches in the Search Manual.

After you retrieve events, you can apply commands to transform, filter, and report on the events. Use the vertical bar ( | ), or pipe character, to apply a command to the retrieved events.

Syntax

search <logical-expression>

Required arguments

<logical-expression>
Syntax: <logical-expression> | <time-opts> | <search-modifier> | NOT <logical-expression> | <index-expression> | <comparison-expression> | <logical-expression> [OR] <logical-expression>
Description: Includes all keywords or field-value pairs used to describe the events to retrieve from the index. Include parenthesis as necessary. Use Boolean expressions, comparison operators, time modifiers, search modifiers, or combinations of expressions for this argument.
The AND operator is always implied between terms and expressions. For example, is the same as . Specifying is the same as . So unless you want to include it for clarity reasons, you do not need to specify the AND operator.

Logical expression options

<comparison-expression>
Syntax: <field><comparison-operator><value> | <field> IN (<value-list>)
Description: Compare a field to a literal value or provide a list of values that can appear in the field.
<index-expression>
Syntax: "<string>" | <term> | <search-modifier>
Description: Describe the events you want to retrieve from the index using literal strings and search modifiers.
<time-opts>
Syntax: [<timeformat>] (<time-modifier>)...
Description: Describe the format of the starttime and endtime terms of the search. See Time options.

Comparison expression options

<comparison-operator>
Syntax: = | != | < | <= | > | >=
Description: You can use comparison operators when searching field/value pairs. Comparison expressions with the equal ( = ) or not equal ( != ) operator compare string values. For example, "1" does not match "1.0". Comparison expressions with greater than or less than operators numerically compare two numbers and lexicographically compare other values. See Usage.
<field>
Syntax: <string>
Description: The name of a field.
<value>
Syntax: <literal-value>
Description: In comparison-expressions, the literal number or string value of a field.
<value-list>
Syntax: (<literal-value>, <literal-value>, ...)
Description: Used with the IN operator to specify two or more values. For example use instead of

Index expression options

<string>
Syntax: "<string>"
Description: Specify keywords or quoted phrases to match. When searching for strings and quoted strings (anything that's not a search modifier), Splunk software searches the field for the matching events or results.
<search-modifier>
Syntax: <sourcetype-specifier> | <host-specifier> | <hosttag-specifier> | <source-specifier> | <savedsplunk-specifier> | <eventtype-specifier> | <eventtypetag-specifier> | <splunk_server-specifier>
Description: Search for events from specified fields or field tags. For example, search for one or a combination of hosts, sources, source types, saved searches, and event types. Also, search for the field tag, with the format: tag::<field>=<string>.
<sourcetype-specifier>
Syntax: sourcetype=<string>
Description: Search for events from the specified sourcetype field.
<host-specifier>
Syntax: host=<string>
Description: Search for events from the specified host field.
<hosttag-specifier>
Syntax: hosttag=<string>
Description: Search for events that have hosts that are tagged by the string.
<eventtype-specifier>
Syntax: eventtype=<string>
Description: Search for events that match the specified event type.
<eventtypetag-specifier>
Syntax: eventtypetag=<string>
Description: Search for events that would match all eventtypes tagged by the string.
<savedsplunk-specifier>
Syntax: savedsearch=<string> | savedsplunk=<string>
Description: Search for events that would be found by the specified saved search.
<source-specifier>
Syntax: source=<string>
Description: Search for events from the specified source field.
<splunk_server-specifier>
Syntax: splunk_server=<string>
Description: Search for events from a specific server. Use "local" to refer to the search head.

Time options

For a list of time modifiers, see Time modifiers for search.

<timeformat>
Syntax: timeformat=<string>
Description: Set the time format for starttime and endtime terms.
Default: timeformat=%m/%d/%Y:%H:%M:%S.
<time-modifier>
Syntax: starttime=<string> | endtime=<string> | earliest=<time_modifier> | latest=<time_modifier>
Description: Specify start and end times using relative or absolute time.

You can also use the earliest and latest attributes to specify absolute and relative time ranges for your search. For more about this time modifier syntax, see Specify time modifiers in your search in the Search Manual.

starttime
Syntax: starttime=<string>
Description: Events must be later than or equal to this time. Must match the <timeformat>.
endtime
Syntax: endtime=<string>
Description: All events must be earlier or equal to this time.

Usage

The search command is an event-generating command when it is the first command in the search, before the first pipe. When the search command is used further down the pipeline, it is a distributable streaming command. See Command types.

The implied search command

The search command is implied at the beginning of every search.

When search is the first command in the search, you can use terms such as keywords, phrases, fields, Boolean expressions, and comparison expressions to specify exactly which events you want to retrieve from Splunk indexes. If you don't specify a field, the search looks for the terms in the field.

Some examples of search terms are:

  • keywords: , which is the same as specifying for
  • quoted phrases:
  • boolean operators:
  • wildcards:
  • field-value pairs:

To search field values that are SPL operators or keywords, such as , , , or , you must enclose the operator or keyword in quotation marks. For example: .

See Use the search command in the Search Manual.

Using the search command later in the search pipeline

In addition to the implied search command at the beginning of all searches, you can use the search command later in the search pipeline. The search terms that you can use depend on which fields are passed into the command.

If the field is passed into the search command, you can use the same types of search terms as you can when search is the first command in a search.

However, if the field is not passed into the search command, you must specify field-value pairs that match the fields passed into the command. Transforming commands, such as and , do not pass the field to the next command in the pipeline.

Boolean expressions

The order in which Boolean expressions are evaluated with the search command is:

  1. Expressions within parentheses
  2. NOT clauses
  3. OR clauses
  4. AND clauses

This evaluation order is different from the order used with the command, which evaluates AND clauses before OR clauses.

Comparing two fields

To compare two fields, do not specify or with the command. When specifying a comparison_expression, the command expects a <field> compared with a <value>. The command interprets as the value, and not as the name of a field.

Use the command to compare two fields.


For not equal comparisons, you can specify the criteria in several ways.

or


See Difference between NOT and != in the Search Manual.

Multiple field-value comparisons with the IN operator

Use the IN operator when you want to determine if a field contains one of several values.

For example, use this syntax:
Instead of this syntax:

When used with the search command, you can use a wildcard character in the list of values for the IN operator. For example:

You can use the NOT operator with the IN operator. For example:

There is also an IN function that you can use with the and commands. Wild card characters are not allowed in the values list when the IN function is used with the and commands. See Comparison and Conditional functions.

Lexicographical order

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

You can specify a custom sort order that overrides the lexicographical order. See the blog Order Up! Custom Sort Orders.

Quotes and escaping characters

In general, you need quotation marks around phrases and field values that include white space, commas, pipes, quotation marks, or brackets. Quotation marks must be balanced: an opening quotation mark must be followed by an unescaped closing quotation mark. For example:

  • A search such as will find the number of events containing the string error.
  • A search such as would return the raw events containing error, a pipe, stats, and count, in that order.

Additionally, use quotation marks around keywords and phrases when you do not want them interpreted with their default meaning, such as Boolean operators and field/value pairs. For example:

  • A search for the keyword AND without meaning the Boolean operator:
  • A search for this field/value phrase:


The backslash character ( \ ) is used to escape quotes, pipes, and itself. Backslash escape sequences are still expanded inside quotation marks. For example:

  • The sequence \| as part of a search will send a pipe character to the command, instead of having the pipe split between commands.
  • The sequence \" will send a literal quotation mark to the command, for example for searching for a literal quotation mark or inserting a literal quotation mark into a field using rex.
  • The \\ sequence will be available as a literal backslash in the command.


Unrecognized backslash sequences are not altered:

  • For example \s in a search string will be available as \s to the command, because \s is not a known escape sequence.
  • However, in the search string \\s will be available as \s to the command, because \\ is a known escape sequence that is converted to \.
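As an added illustration of the quoting, escaping and precedence rules described above (this is example code written for this page, not Splunk's own parser), the following Python models how the search command tokenizes a search string and builds a Boolean tree. The event dicts, the search strings and the name of the search_precedence switch are constructed for the example; the switch only changes which operator binds loosest, so the same string can be parsed with the search command's precedence (AND lowest) or with the where command's precedence (OR lowest). Splitting the pipeline on the pipe character is not modeled.

```python
"""Toy model of Splunk search-command parsing: quoting, backslash escapes,
implied AND and Boolean precedence (NOT, then OR, then AND).  Added example,
not Splunk's own code; queries and events are constructed for illustration."""
import re
from fnmatch import fnmatchcase

ESCAPES = {'"': '"', '|': '|', '\\': '\\'}   # the three documented escapes

def tokenize(text):
    """Return (token, started_with_quote) pairs.  A token that started with a
    quote is a literal phrase, never an operator or a field=value pair."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] in "()":
            tokens.append((text[i], False))
            i += 1
        else:
            start, buf, inq = i, "", False
            while i < n and (inq or not (text[i].isspace() or text[i] in "()")):
                c = text[i]
                if c == "\\" and i + 1 < n:        # \" \| \\ expand; \s stays \s
                    buf += ESCAPES.get(text[i + 1], "\\" + text[i + 1])
                    i += 2
                elif c == '"':                      # quotes delimit and are dropped
                    inq, i = not inq, i + 1
                else:
                    buf, i = buf + c, i + 1
            if inq: raise ValueError("unbalanced quotation marks")
            tokens.append((buf, text[start] == '"'))
    return tokens

def parse(tokens, search_precedence=True):
    """Build a tree.  levels[0] is the loosest-binding operator: the search
    command binds AND loosest (and lets it be implied); where binds OR loosest."""
    levels = ["AND", "OR"] if search_precedence else ["OR", "AND"]
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def is_op(name):
        return peek() == (name, False)

    def level(depth):
        if depth == 2:
            return unary()
        op, node = levels[depth], level(depth + 1)
        while True:
            if is_op(op):
                pos[0] += 1
            elif not (op == "AND" and search_precedence and not is_op("OR")
                      and peek() not in (None, (")", False))):
                return node                         # nothing more at this level
            node = (op, node, level(depth + 1))     # explicit or implied AND

    def unary():
        tok = peek()
        if tok is None: raise ValueError("unexpected end of search")
        pos[0] += 1
        if tok == ("NOT", False):
            return ("NOT", unary())
        if tok == ("(", False):
            node = level(0)
            if peek() != (")", False): raise ValueError("missing )")
            pos[0] += 1
            return node
        m = None if tok[1] else re.fullmatch(r"([\w.-]+)(!=|=)(.*)", tok[0])
        return ("FIELD",) + m.groups() if m else ("TERM", tok[0])

    tree = level(0)
    if peek() is not None: raise ValueError("unexpected token %r" % (peek()[0],))
    return tree

def evaluate(node, event):
    """Evaluate a parsed tree against one event (a dict with a _raw field)."""
    kind = node[0]
    if kind == "NOT":
        return not evaluate(node[1], event)
    if kind == "AND":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "OR":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "FIELD":                # wildcards, case-insensitive; != needs the field present
        _, field, op, pattern = node
        hit = field in event and fnmatchcase(str(event[field]).lower(), pattern.lower())
        return hit if op == "=" else (field in event and not hit)
    pattern, raw = node[1].lower(), str(event.get("_raw", "")).lower()
    return pattern in raw if " " in pattern else any(fnmatchcase(w, pattern) for w in raw.split())

def search(query, events, search_precedence=True):
    """Return the ids of the events that the query matches."""
    tree = parse(tokenize(query), search_precedence)
    return [e["id"] for e in events if evaluate(tree, e)]

EVENTS = [  # constructed sample events, not real log data
    {"id": 1, "_raw": "error on host web01", "host": "web01"},
    {"id": 2, "_raw": "fatal disk failure", "host": "db01"},
    {"id": 3, "_raw": 'login ok AND "quit"', "host": "web01"},
]
```

Note what the tree does with error OR fatal AND host=db01: under the search command's precedence it means (error OR fatal) AND host=db01 and matches only event 2, under the where command's precedence it means error OR (fatal AND host=db01) and matches events 1 and 2. The tokenizer also shows why \s and \\s reach the command as the same two characters, and why a quoted "AND" is a keyword to search for rather than an operator.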

Search with TERM()

You can use the TERM() directive to force Splunk software to match whatever is inside the parentheses as a single term in the index. TERM is more useful when the term contains minor segmenters, such as periods, and is bounded by major segmenters, such as spaces or commas. In fact, TERM does not work for terms that are not bounded by major breakers.

See Use CASE and TERM to match phrases in the Search Manual.

Search with CASE()

You can use the CASE() directive to search for terms and field values that are case-sensitive.

See Use CASE and TERM to match phrases in the Search Manual.

Examples

These examples demonstrate how to use the search command. You can find more examples in the Start Searching topic of the Search Tutorial.

1. Field-value pair matching

This example demonstrates field-value pair matching for specific values of source IP (src) and destination IP (dst).

2. Using boolean and comparison operators

This example demonstrates field-value pair matching with boolean and comparison operators. Search for events with code values of either 10 or 29, and any host that isn't "localhost", and an value that is greater than 5.

In this example you could also use the IN operator since you are specifying two field-value pairs on the same field. The revised search is:

3. Using wildcards

This example demonstrates field-value pair matching with wildcards. Search for events from all the web servers that have an HTTP client or server error status.

In this example you could also use the IN operator since you are specifying two field-value pairs on the same field. The revised search is:

4. Using the IN operator

This example shows how to use the IN operator to specify a list of field-value pair matchings. In the events from an access.log file, search the field for the values or .

5. Specifying a secondary search

This example uses the search command twice. The search command is implied at the beginning of every search with the criteria . The search command is used again later in the search pipeline to filter the results. This search defines a web session using the command and searches for the user sessions that contain more than three events.

6. Using the NOT or != comparisons

Searching with the Boolean NOT operator is not the same as using the != comparison operator.

The following search returns everything except events where fieldA="value2", including events that do not have a fieldA field at all.

The following search returns only events where fieldA exists and does not have the value "value2".

If you use a wildcard for the value, NOT fieldA=* returns events where fieldA is null or undefined, and fieldA!=* never returns any events.

See Difference between NOT and != in the Search Manual.
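The comparison rules from the Usage section (string comparison for = and !=, numeric or lexicographic comparison for the ordering operators, wildcards in IN) and the NOT versus != behaviour above can be checked with the following Python, an added example that is not Splunk's own code. Field values are kept as strings, as extracted fields are; the event records and the field names status and bytes are constructed for the illustration.

```python
"""Field comparison semantics of the Splunk search command, as an added example
(not Splunk's own code).  It models the rules documented on this page:
= and != compare strings with wildcards (so "1" does not match "1.0"), the
ordering operators compare numerically when both sides are numbers and
otherwise lexicographically in UTF-8 byte order, IN accepts wildcards, and
NOT field=x also returns events that lack the field while field!=x does not.
Events are constructed dicts whose values are strings, as extracted fields are."""
from fnmatch import fnmatchcase

def _number(text):
    try:
        return float(text)
    except (TypeError, ValueError):
        return None

def _wild(value, pattern):
    """Case-insensitive match in which * stands for any run of characters."""
    return fnmatchcase(str(value).lower(), str(pattern).lower())

def compare(event, field, op, literal):
    """True when the event satisfies <field><op><literal>.  A missing field never
    satisfies a comparison, not even !=."""
    if field not in event:
        return False
    value = str(event[field])
    if op == "=":
        return _wild(value, literal)
    if op == "!=":
        return not _wild(value, literal)
    left, right = _number(value), _number(literal)
    if left is None or right is None:                      # not both numeric
        left, right = value.encode("utf-8"), str(literal).encode("utf-8")
    return {"<": left < right, "<=": left <= right,
            ">": left > right, ">=": left >= right}[op]

def field_in(event, field, values):
    """field IN (v1, v2, ...); with the search command the values may use *."""
    return field in event and any(_wild(event[field], v) for v in values)

def not_clause(event, field, literal):
    """NOT field=literal: also true for events in which the field is absent."""
    return not compare(event, field, "=", literal)

def lexicographic(values):
    """Sort as Splunk's default ordering does: by UTF-8 byte value, so digits
    precede letters and uppercase precedes lowercase."""
    return sorted(values, key=lambda v: str(v).encode("utf-8"))

EVENTS = [  # constructed events; the last one deliberately has no status field
    {"id": 1, "status": "200", "bytes": "1.0"},
    {"id": 2, "status": "404", "bytes": "9"},
    {"id": 3, "status": "503", "bytes": "10"},
    {"id": 4, "bytes": "1"},
]

def matching_ids(predicate, events=EVENTS):
    """Ids of the events for which the predicate holds, in index order."""
    return [e["id"] for e in events if predicate(e)]
```

The two wildcard cases are the ones that matter in detection content: NOT status=* is the way to find events that lack the field, while status!=* is always empty, because != (like every comparison) is evaluated only on events in which the field exists. The lexicographic helper reproduces the ordering described under Lexicographical order: "10", "100", "70", "9" rather than numeric order.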

Source: https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Search

Basic searches and search results

In this section, you create searches that retrieve events from the index.

The data for this tutorial is for the Buttercup Games online store. The store sells games and other related items, such as t-shirts. In this tutorial, you will primarily search the Apache web access logs, and correlate the access logs with the vendor sales logs.

Prerequisite
Complete the steps, Upload the tutorial data, in Part 2.

Using the Search Assistant

The Search Assistant is a feature in the Search app that appears as you type your search criteria. The Search Assistant is like autocomplete, but so much more.

  1. Click Search in the App bar to start a new search.
  2. Type in the Search bar. The terms that you see are in the tutorial data.
    When you type a few letters into the Search bar, the Search Assistant shows you terms in your data that match the letters that you type.
    (Screen image: the list of terms that appears below the Search bar, each starting with the letters that you typed.)
  3. Select "categoryid=sports" from the Search Assistant list.
  4. Press Enter, or click the Search icon on the right side of the Search bar, to run the search.
    (Screen image: a new search with "categoryId=sports" typed in the Search bar. The Search icon, a magnifying glass, is highlighted.)

Matching Searches

The Search Assistant also returns matching searches, which are based on the searches that you have recently run. The Matching Searches list is useful when you want to run the same search from yesterday, or a week ago. Your search history is retained when you log out.

The Search Assistant is more useful after you start learning the search language. When you type search commands, the Search Assistant displays command information.

Retrieve events from the index

Let's try to find out how many errors have occurred on the Buttercup Games website.

To retrieve events that mention errors or failures, you type the keywords in your search criteria. If you use multiple keywords, you can combine them with the Boolean operators AND, OR, and NOT.

The AND operator is implied when you type multiple keywords.

For example, typing is the same as typing .

  1. Start a new search.
  2. Change the time range to All time.
  3. To search for the terms error, fail, failure, failed, or severe, in the events that also mention buttercupgames, run the following search.

    Tip: Instead of typing the search string, you can copy and paste the search from this tutorial directly into the Search bar.

  4. Click the Search icon to the right of the time range picker to run the search.

Notice that you must capitalize Boolean operators. The asterisk ( * ) character is used as a wildcard character to match fail, failed, failure, and so forth.

When evaluating Boolean expressions, precedence is given to terms inside parentheses. NOT clauses are evaluated before OR clauses. AND clauses have the lowest precedence.

This search retrieves 427 matching events.

This screen image shows the search and 2 of the 427 events that match the search criteria.

Understanding search results

Below the Search bar are four tabs: Events, Patterns, Statistics, and Visualization.

The type of search commands that you use determines which tab the search results appear on. In the early parts of this tutorial, you will work with the Events tab. Later in this tutorial, you will learn about the other tabs.

The Events tab displays the Timeline of events, the Display options, the Fields sidebar, and the Events viewer.

This screen image shows the results of the search "buttercupgames (error OR fail* OR severe)".  The Events tab shows the Timeline of events, which is a bar chart. Below the Timeline are the Fields sidebar and the Events viewer.  The Fields sidebar is on the left side of the window and has two sections: Selected Fields and Interesting Fields. On the right side of the window is a list of the events that match your search criteria.

By default, the events appear as a list that is ordered starting with the most recent event. In each event, the matching search terms are highlighted. The List display option shows the event information in three columns.

Column: i
Description: Use the event information column to expand or collapse the display of the event information. By default the display is collapsed. Click the greater than ( > ) symbol to expand the display.
Column: Time
Description: The timestamp for the event. When events are indexed, the timestamp in the event is extracted. If the event does not contain a timestamp, the indexing process adds a timestamp that is the date and time the event was indexed.
Column: Event
Description: The raw event data. The Selected fields from the Fields sidebar appear at the bottom of each event.

Change the display of the Events viewer

  1. Select the List option and click Table.
    The display changes to show the event information column, the timestamp column, and columns for each of the Selected fields. You will learn more about the Selected fields later in the tutorial.
  2. Change the display back to List.

Timeline of events

The Timeline of events is a visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, there are clusters or patterns of bars. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The timeline highlights patterns of events, or peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the timeline chart.

When you add data to the Splunk platform, the data is indexed. As part of the indexing process, information is extracted from your data and formatted as name and value pairs, called fields. When you run a search, the fields are identified and listed in the Fields sidebar next to your search results. The fields are divided into two categories.

  • Selected fields are visible in your search results. By default, host, source, and sourcetype appear. You can select other fields to show in your events.
  • Interesting fields are other fields that have been extracted from the events in your search results.

You can hide the fields sidebar to maximize the results area.

Patterns, Statistics, and Visualizations

The Patterns tab displays a list of the most common patterns among the set of events returned by your search. Each of these patterns represents events that share a similar structure.

The Statistics tab populates when you run a search with transforming commands such as , , , and so on. The keyword search for "buttercupgames" does not show results in this tab because the search does not include any transforming commands.

Searches with transforming commands also populate the Visualization tab. The results area of the Visualizations tab includes a chart and the statistics table that is used to generate the chart.

You will learn about transforming commands, and use the Statistics and Visualizations tabs, later in the tutorial.

Next step

Learn to use fields to search your data.

See also

Help building searches using the Search Assistant in the Search Manual

Identify event patterns with the Patterns tab in the Search Manual

Introduction to Pivot in the Pivot Manual

Source: https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchTutorial/Startsearching

search command syntax details


Syntax

The required syntax is in bold.

search <search-expression>

Required arguments

search-expression
Syntax: <literal-expression> | <comparison-expression> | <time-expression> | <index-expression>
Description: The <search-expression> can be a word or phrase, a field-value comparison, a list of values, or a group of search expressions. You can use logical expressions by using IN, AND, OR, or NOT comparisons in your <search-expression>.

You can use Boolean operators to specify more than one <search-expression>. The supported operators are AND, OR, and NOT. Examples of how you can use these operators are:

  • <search-expression> AND <search-expression>
  • <search-expression> OR <search-expression>
  • NOT <search-expression>

Literal expression

literal-expression
Syntax: <literal-value> | "<literal-phrase>"
Description: You can search for string values, number values, or phrases in your data. For example you can specify a word such as , a number such as , or a phrase such as . If the string, number, or phrase contains any characters like periods ( . ) or spaces, you must enclose the word or phrase in double quotation marks.

Comparison expression

comparison-expression
Syntax: (<field><comparison-operator> [<value>| TERM | CASE]) | <field> IN (<value-list>)
Description: You can specify a field name and a comparison operator, such as equal to ( = ) or greater than ( > ), followed by the literal number or string value of a field. You can also specify field name and the IN keyword followed by a list of values enclosed in parentheses. For example, you can specify or or .
You can use comparison operators when searching for field/value pairs. Comparison expressions with the equal ( = ) or not equal ( != ) operator compare string values. For example, "1" does not match "1.0". Comparisons with greater than or less than operators, including >= and <=, numerically compare two numbers and lexicographically compare other values. Valid comparison operators are =, !=, <, <=, >, and >=. See search command usage.
You can use the CASE() or TERM() directives to perform an exact match for a term.
field
Syntax: <string>
Description: The name of a field.
value
Syntax: <literal-value>
Description: In comparison-expressions, the literal number or string value of a field.
value-list
Syntax: (<literal-value>, <literal-value>, ...)
Description: Used with the IN operator to specify two or more values. For example use instead of .
CASE
Syntax: CASE(<term>)
Description: By default searches are case-insensitive. If you search for , any case of that term is returned such as , , and . Use the CASE directive to perform case-sensitive matches for terms and field values. will return only that specific case of the term.
TERM
Syntax: TERM(<term>)
Description: When data is indexed, characters such as periods and underscores are recognized as minor segmenters between terms. Use the TERM directive to ignore the minor segmenters and match whatever is inside the parentheses as a single term. The <term> must have been bounded by major segmenters, such as spaces or commas, before it was indexed. For example, the IP address contains the period ( . ) minor segmenter. If you search for the IP address using the search is converted into which will return events that contain those numbers anywhere in the event. If you search using the search treats the IP address as a single term, instead of individual numbers.
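To make the segmentation rule concrete, the following Python is an added example (not Splunk's own indexing code) of how major and minor breakers produce the terms that a plain search, TERM() and CASE() are matched against; it illustrates both this entry and the Search with TERM() and Search with CASE() sections of the search command reference above. The breaker character sets and the sample events are assumptions constructed for the illustration; the real segmenters.conf rules are more elaborate.

```python
"""Simplified model of Splunk index-time segmentation and of the TERM() and
CASE() directives.  Added example, not Splunk's own code: the breaker sets are
an assumption chosen for illustration (the real segmenters.conf rules are more
elaborate), and the events are constructed.  Every major segment (text between
major breakers) and every minor segment inside it is indexed, which is why
TERM() only works for a value that sits between major breakers."""
import re

MAJOR = re.compile(r'[\s\[\]<>(){}|!;,\'"*&?+]+')   # assumed major breakers
MINOR = re.compile(r'[/:=@.\-$#%\\_]+')             # assumed minor breakers

def segment(raw):
    """Return the set of terms indexed for one event, in original case."""
    terms = set()
    for major in MAJOR.split(raw):
        if major:
            terms.add(major)                                 # whole major segment
            terms.update(m for m in MINOR.split(major) if m)  # its minor segments
    return terms

class Index:
    def __init__(self, events):
        self.events = [(e, segment(e)) for e in events]

    def _hits(self, keep):
        return [i for i, (_, terms) in enumerate(self.events) if keep(terms)]

    def plain(self, query):
        """A plain search for 10.0.0.1 is broken at the minor breakers into
        10 AND 0 AND 0 AND 1, which match those segments anywhere in the event."""
        needed = {t.lower() for t in MINOR.split(query) if t}
        return self._hits(lambda terms: needed <= {t.lower() for t in terms})

    def term(self, query):
        """TERM(x) matches only events in which x was indexed as one segment."""
        return self._hits(lambda terms: query.lower() in {t.lower() for t in terms})

    def case(self, query):
        """CASE(x) is a plain search for x that is exact about letter case."""
        needed = {t for t in MINOR.split(query) if t}
        return self._hits(lambda terms: needed <= terms)

EVENTS = [  # constructed sample events, not real log data
    "Accepted password for alice from 10.0.0.1 port 51234",   # IP bounded by spaces
    "connection from src=10.0.0.1, dst=10.0.0.2",             # IP glued to src= by a minor breaker
    "retries=10 status=0 code=0 worker=1",                    # 10, 0, 0, 1 scattered across fields
]
```

A plain search for 10.0.0.1 matches all three constructed events, including the one in which the digits 10, 0, 0 and 1 are scattered over unrelated fields; TERM(10.0.0.1) matches only the first, because in the second event the indexed major segment is src=10.0.0.1 (the = is a minor breaker, so the address was never a segment of its own). That is the case the reference describes as TERM not working for terms that are not bounded by major breakers.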

Time expression

time-expression
Syntax: [<timeformat>] (<time-modifier>)...
Description: Describes the format of the start and end time of the search. Use the <timeformat> to set the time format. The <timeformat> is optional; if it is not specified, the default format is %m/%d/%Y:%H:%M:%S. Use the <time-modifier> to specify start and end times using absolute or relative times.
  • An absolute time range uses specific dates and times, for example, from 12 A.M. July 1, 2019 to 12 A.M. July 13, 2019.
  • A relative time range is dependent on when the search is run. For example, a relative time range of -60m means 60 minutes ago. If the current time is 3 P.M., the search returns events from the last 60 minutes, or 2 P.M. to 3 P.M. today.


Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as , or a relative time such as or .

starttime=<string>
Description: Events must be later than or equal to this time. Times must match the <timeformat>.
endtime=<string>
Description: All events must be earlier than or equal to this time. Times must match the <timeformat>.
earliest=<time_modifier>
Description: Events must be later than or equal to this time. You can specify an absolute or relative time, including a snap-to time.
latest=<time_modifier>
Description: All events must be earlier than or equal to this time. You can specify an absolute or relative time, including a snap-to time.

Index expression

index-expression
Syntax: "<string>" | <term> | <search-modifier>
Description: Use to describe the events you want to retrieve from the index using literal strings and search modifiers.
string
Syntax: "<string>"
Description: Specify keywords or quoted phrases to match. When searching for strings and quoted strings, anything that is not a search modifier, the field is searched for the matching events or results.
search-modifier
Syntax: <sourcetype-specifier> | <host-specifier> | <hosttag-specifier> | <source-specifier> | <savedsplunk-specifier> | <eventtype-specifier> | <eventtypetag-specifier> | <splunk_server-specifier>
Description: Search for events from specified fields or field tags. For example, search for one or a combination of hosts, sources, source types, saved searches, and event types. Also, search for the field tag, with the format: tag::<field>=<string>.
sourcetype-specifier
Syntax: sourcetype=<string>
Description: Search for events from the specified sourcetype field.
host-specifier
Syntax: host=<string>
Description: Search for events from the specified host field.
hosttag-specifier
Syntax: hosttag=<string>
Description: Search for events that have hosts that are tagged by the string.
eventtype-specifier
Syntax: eventtype=<string>
Description: Search for events that match the specified event type.
eventtypetag-specifier
Syntax: eventtypetag=<string>
Description: Search for events that would match all eventtypes tagged by the string.
savedsplunk-specifier
Syntax: savedsearch=<string> | savedsplunk=<string>
Description: Search for events that would be found by the specified saved search.
source-specifier
Syntax: source=<string>
Description: Search for events from the specified source field.
splunk_server-specifier
Syntax: splunk_server=<string>
Description: Search for events from a specific server. Use "local" to refer to the search head.

See also

search command
search command overview
search command usage
search command examples

Last modified on 20 August, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current


Source: https://docs.splunk.com/Documentation/SCS/current/SearchReference/SearchCommandSyntaxDetails


from command examples

The following are examples for using the SPL2 from command. To learn more about the command, see How the from command works.

You can specify the clauses in the from command in uppercase or lowercase. These examples use uppercase for readability.

Some of these examples start with the SELECT clause and others start with the FROM clause. Both of these clauses are valid syntax for the command.

1. Specify string values in quotations

The following search shows that string values in field-value pairs must be enclosed in double quotation marks.

Because string values must be enclosed in double quotation marks, you can reverse the order of field-value pairs. For example, the previous search can also be specified this way:

2. Search a metric index

The following search looks for data in the index:

The WHERE clause does not accept the asterisk ( * ) wildcard character. To match with a wildcard in the WHERE clause, you must use the function instead. See Comparison and Conditional functions.

3. Search multiple indexes

The following search looks for data in the and indexes:

4. Search using wildcards

You can use a wildcard character ( * ) in the SELECT clause to search for similar field names. You must enclose the wildcard syntax in single quotation marks. For example:


You can use a wildcard to search for only internal fields, which begin with an underscore ( _ ) character. For example:


The WHERE clause does not support the wildcard character ( * ). However, you can use the function to perform a wildcard search. For example:

The function supports several syntaxes; see Comparison and Conditional functions.

5. Specify multiple expressions in the WHERE clause

Use the WHERE clause to filter the data by specifying one or more expressions. You need to separate multiple expressions using logical operators, such as AND and OR.

The WHERE clause uses the function to perform a wildcard search, because the WHERE clause does not support the asterisk ( * ) wildcard character. For more information about the function, see Comparison and Conditional functions.

For more information about logical operators, see Predicate expressions in the SPL2 Search Manual.

6. Search for multiple terms in events

You can search for multiple terms in your events by using a search literal in the WHERE clause. An AND operator is implied between the terms specified in the search literal. To specify a search literal, you enclose the list of terms in backtick characters ( ` ).

The following search looks for the terms AND AND and returns the events that contain all three terms:

For more information, see Search literals in expressions in the SPL2 Search Manual.

7. Specify a single field in the GROUP BY clause

You can specify one or more fields to group by. In this example a single field, , is specified.

When using the command, if the GROUP BY clause is specified, the SELECT clause must also be specified. The SELECT clause must contain either an aggregation or the fields in the GROUP BY clause. In this example, the SELECT clause contains the aggregation :

8. Specify a time span in the GROUP BY clause

You can arrange search results in groups using a time span.

When using the command, if the GROUP BY clause is specified, the SELECT clause must also be specified.

The following search returns web access error information, grouped by in 5 minute time spans.

There are several ways to specify a time span with the GROUP BY clause; see from command syntax details.

9. Sorting search results using the ORDER BY clause

Suppose you use the following search to return the count of the actions taken, grouped by the field.

The results look something like this:

productId count(action)
DC-SG-G02 12
FS-SG-G03 10
MB-AG-G07 17
PZ-SG-G05 4
SF-BVS-G01 11
SF-BVS-T01 6
WC-SH-G04 2
WC-SH-T02 15

By default the results are sorted on the GROUP BY field, .

You want to sort the results in descending order based on the count. However, the name of the count field in the output is the name of the aggregation specified in the SELECT clause, . The ORDER BY clause will not sort on a field name that is an aggregation. You must rename the aggregation to sort on that field. Here's the updated search:

The results look something like this:

productId Count
MB-AG-G07 17
WC-SH-T02 15
DC-SG-G02 12
SF-BVS-G01 11
FS-SG-G03 10
SF-BVS-T01 6
PZ-SG-G05 4
WC-SH-G04 2

10. Enrich event data with a lookup dataset using the JOIN clause

Consider the following data from a set of events with login information:

_time             action           userID    host                        port
2020/11/29 08:00  Failed password  patel     yangtze.buttercupgames.com  3390
2020/11/29 07:15  Failed password  zhang     nile.example.net            1851
2020/11/15 21:30  Session opened   dubois    danube.sample.com           1260
2020/11/14 06:11  Failed password  sullivan  volga.example.com           2766
2020/11/05 11:20  Failed password  martin    volga.example.com           3622
2020/10/31 08:13  Failed password  mayer     ganger.example.com          3658
2020/10/23 23:59  Failed password  patel     yangtze.buttercupgames.com  1214

You want to enrich the event data with information from the lookup dataset, which contains information about known hosts:

hostname                    kind      status   host_contact
mekong.buttercupgames.com   internal  allowed  [email protected]
yangtze.buttercupgames.com  internal  allowed  [email protected]
danube.sample.com           supplier  allowed  [email protected]
ganger.example.com          external  allowed  [email protected]
volga.example.com           external  banned

Specifically, you want every event that matches the search criteria to appear in the search results. If there is a match between an event and the lookup dataset, you want to display the and from the lookup dataset with each event. This is referred to as a left join, which is shown in the following image.

An image that shows a Left Join using a Venn diagram. The Venn diagram has two intersecting circles, circle A and circle B. Circle A is completely shaded, including the portion of the circle where it overlaps with circle B.

The A circle represents the event dataset and the B circle represents the lookup dataset.

The following example enriches data in the event dataset with data from the lookup dataset, where there is a matching host name. An alias for each dataset is created using the AS clause. The WHERE clause filters out events where the host kind is not . The SELECT clause specifies which fields to return. The results are organized by the field.

When you use the JOIN clause, the aliases you specify in the search are not propagated to the search results. For example, in this search you specified , but the search results display .

The results of this search are shown in the following table. As you can see, the events that have a host with a of , the buttercupgames.com hosts, have been removed. The results also show that there is no host information for the host.

host                action           userID    kind      status
danube.sample.com   Session opened   dubois    supplier  allowed
ganger.example.com  Failed password  mayer     external  allowed
nile.example.net    Failed password  zhang
volga.example.com   Failed password  sullivan  external  banned
volga.example.com   Failed password  martin    external  banned
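The left join semantics of example 10, replayed as an added Python illustration that is not Splunk's code: it uses constructed copies of the login-events table and the known-hosts lookup above (host_contact omitted), keeps every event, fills kind and status only where the host has a lookup match, drops matched internal hosts, and reproduces the results table, including the nile.example.net row that has no match. The function names are the example's own.

```python
from typing import Dict, List

# Constructed copy of the login-events table from example 10 above.
LOGIN_EVENTS: List[Dict[str, str]] = [
    {"_time": "2020/11/29 08:00", "action": "Failed password", "userID": "patel",
     "host": "yangtze.buttercupgames.com", "port": "3390"},
    {"_time": "2020/11/29 07:15", "action": "Failed password", "userID": "zhang",
     "host": "nile.example.net", "port": "1851"},
    {"_time": "2020/11/15 21:30", "action": "Session opened", "userID": "dubois",
     "host": "danube.sample.com", "port": "1260"},
    {"_time": "2020/11/14 06:11", "action": "Failed password", "userID": "sullivan",
     "host": "volga.example.com", "port": "2766"},
    {"_time": "2020/11/05 11:20", "action": "Failed password", "userID": "martin",
     "host": "volga.example.com", "port": "3622"},
    {"_time": "2020/10/31 08:13", "action": "Failed password", "userID": "mayer",
     "host": "ganger.example.com", "port": "3658"},
    {"_time": "2020/10/23 23:59", "action": "Failed password", "userID": "patel",
     "host": "yangtze.buttercupgames.com", "port": "1214"},
]

# Constructed copy of the known-hosts lookup (host_contact column omitted).
KNOWN_HOSTS: List[Dict[str, str]] = [
    {"hostname": "mekong.buttercupgames.com", "kind": "internal", "status": "allowed"},
    {"hostname": "yangtze.buttercupgames.com", "kind": "internal", "status": "allowed"},
    {"hostname": "danube.sample.com", "kind": "supplier", "status": "allowed"},
    {"hostname": "ganger.example.com", "kind": "external", "status": "allowed"},
    {"hostname": "volga.example.com", "kind": "external", "status": "banned"},
]


def left_join_hosts(events, lookup, exclude_kind="internal"):
    """Enrich each event with kind/status from the lookup where
    event.host == lookup.hostname (left join: every event survives and
    unmatched events get empty strings), drop events whose matched kind
    equals exclude_kind, and order the rows by host."""
    by_hostname = {row["hostname"]: row for row in lookup}
    rows = []
    for ev in events:
        match = by_hostname.get(ev["host"])
        # Unknown hosts have no kind, so the exclusion does not apply to
        # them: they stay in the results with blank enrichment fields,
        # which is the nile.example.net row in the results table above.
        if match is not None and match["kind"] == exclude_kind:
            continue
        rows.append({
            "host": ev["host"], "action": ev["action"], "userID": ev["userID"],
            "kind": match["kind"] if match else "",
            "status": match["status"] if match else "",
        })
    # sort() is stable, so events that share a host keep their input order.
    rows.sort(key=lambda r: r["host"])
    return rows


def unknown_hosts(rows):
    """Hosts present in the enriched results without any lookup entry;
    worth surfacing explicitly rather than leaving them silently blank."""
    return sorted({r["host"] for r in rows if r["kind"] == ""})


if __name__ == "__main__":
    result = left_join_hosts(LOGIN_EVENTS, KNOWN_HOSTS)
    for r in result:
        print(f'{r["host"]:<20}{r["action"]:<17}{r["userID"]:<10}'
              f'{r["kind"]:<10}{r["status"]}')
    print("no lookup entry:", unknown_hosts(result))
```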

11. Use consecutive JOIN clauses to return data from multiple datasets

You can create a stacked join search that uses multiple JOIN clauses to return data from multiple datasets.

Consider the following data from a set of events in the dataset:

_time             clientip        action          pid         quantity
2021/01/20 12:00  192.0.2.0       purchase        DC-SG-G02   1
2021/01/20 10:13  203.0.113.255   addtochart      MB-AG-G07   3
2021/01/20 9:55   203.0.113.0     purchase        WC-SH-A01   1
2021/01/20 9:21   198.51.100.255  changequantity  PZ-SG-G05   2
2021/01/20 9:14   192.0.2.0       purchase        SF-BVS-01   1
2021/01/20 8:42   198.51.100.0    purchase        SF-BVS-G01  1
2021/01/20 8:30   192.0.2.0       purchase        WC-SH-T02   2
2021/01/20 7:57   198.51.100.0    purchase        PZ-SG-G05   1

You want to enrich the orders event data with information from the lookup dataset, which contains product and price information. Here is an example of the data in the dataset:

productId   product_name         price  sale_price  supplierId
DC-SG-G02   Dream Crusher        39.99  24.99       1238
FS-SG-G03   Final Sequel         24.99  16.99       5017
WC-SH-G04   World of Cheese      24.99  19.99       7024
WC-SH-T02   World of Cheese Tee  19.99  16.99       7024
PZ-SG-G05   Puppies vs. Zombies  4.99   3.99        7045
MB-AG-G07   Manganiello Bros.    38.99  27.99       4111
SF-BVS-G01  Grand Theft Scooter  26.99
Source: https://docs.splunk.com/Documentation/SCS/current/SearchReference/FromCommandExamples
Splunk search language syntax - splunk tutorial

List of search commands

Command Description See also

  • Produces a summary of each search result.
  • Keeps a running total of the specified numeric field.
  • Computes an event that contains the sum of all numeric fields for previous events.
  • Adds fields that contain common information about the current search.
  • Computes the sum of all numeric fields for each result.
  • Analyzes numerical fields for their ability to predict another discrete field.
  • Computes an "unexpectedness" score for an event.
  • Finds and summarizes irregular, or uncommon, search results.
  • Appends subsearch results to current results.
  • Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.
  • Appends the result of the subpipeline applied to the current result set to results.
  • Finds association rules between field values.
  • Identifies correlations between fields.
  • Returns audit trail information that is stored in the local audit index.
  • Sets up data for calculating the moving average.
  • Puts continuous numerical values into discrete sets.
  • Replaces a field value with a higher-level grouping, such as replacing filenames with directories.
  • Returns results in a tabular output for charting. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference.
  • Clusters similar events together.
  • Uses a duration field to find the number of "concurrent" events for each event.
  • Builds a contingency table for two fields.
  • Converts field values into numerical values.
  • Calculates the correlation between different fields.
  • Returns information about the specified index.
  • Removes subsequent results that match specified criteria.
  • Computes the difference in field value between nearby results.
  • Returns the difference between two search results.
  • Allows you to specify example or counter-example values to automatically extract fields that have similar values.
  • Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference.
  • Returns the number of events in an index.
  • Adds summary statistics to all search results.
  • Extracts field-value pairs from search results.
  • Expresses how to render a field at output time without changing the underlying value.
  • Removes fields from search results.
  • Generates summary information for all or a subset of the fields.
  • Replaces NULL values with the last non-NULL value.
  • Replaces null values with a specified value.
  • Generates a list of suggested event types.
  • Runs a templatized streaming subsearch for each field in a wildcarded field list.
  • Takes the results of a subsearch and formats them into a single result.
  • Retrieves data from a dataset, such as a data model dataset, a CSV lookup, a KV Store lookup, a saved search, or a table dataset.
  • Transforms results into a format suitable for display by the Gauge chart types.
  • Generates time-range results.
  • Generates statistics which are clustered into geographical bins to be rendered on a world map.
  • Returns the first number n of specified results.
  • Causes Splunk Web to highlight specified terms.
  • Returns a history of searches formatted as an events list or as a table.
  • Adds sources to Splunk or disables sources from being processed by Splunk.
  • Loads search results from the specified CSV file.
  • Extracts location information from IP addresses.
  • SQL-like joining of results from the main results pipeline with the results from the subpipeline.
  • Performs k-means clustering on selected fields.
  • Extracts values from search results, using a form template.
  • Loads events or results of a previously completed search job.
  • Returns a list of the time ranges in which the search results were found.
  • Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart).
  • Changes a specified field into a multivalued field during a search.
  • A looping operator; performs a search over each search result.
  • Converts search results into metric data and inserts the data into a metric index on the search head.
  • Returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer.
  • Retrieves event metadata from indexes based on terms in the logical expression.
  • Converts search results into metric data and inserts the data into a metric index on the indexers.
  • Calculates statistics for the measurement, metric_name, and dimension fields in metric indexes.
  • Extracts field-values from table-formatted events.
  • Runs multiple streaming searches at the same time.
  • Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field.
  • Expands the values of a multivalue field into separate events for each value of the multivalue field.
  • Changes a specified multivalued field into a single-value field at search time.
  • Removes outlying numerical values.
  • Outputs search results to a specified CSV file.
  • Outputs the raw text field () of results into the field.
  • Enables you to use time series algorithms to predict future values of fields.
  • Sets the RANGE field to the name of the ranges that match.
  • Displays the least common values of a field.
  • Removes results that do not match the specified regular expression.
  • Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results.
  • Renames a specified field; wildcards can be used to specify multiple fields.
  • Replaces values of specified fields with a specified new value.
  • Accesses a REST endpoint and displays the returned entities as search results.
  • Specifies the values to return from a subsearch.
  • Reverses the order of the results.
  • Specifies a Perl regular expression with named groups to extract fields while you search.
  • Buffers events from a real-time search to emit them in ascending time order when possible.
  • Returns the search results of a saved search.
  • Runs an external Perl or Python script as part of your search.
  • Anonymizes the search results.
  • Searches Splunk indexes for matching events.
  • Finds transaction events within specified search constraints.
  • Joins results with itself.
  • Emails search results to a specified email address.
  • Performs set operations (union, diff, intersect) on subsearches.
  • Sets the field values for all results to a common value.
  • Sorts search results by the specified fields.
  • Provides a straightforward means for extracting fields from structured data formats, XML and JSON.
  • Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference.
  • Concatenates string values.
  • Adds summary statistics to all search results in a streaming manner.
  • Creates a table using the specified fields.
  • Annotates specified fields in your search results with tags.
  • Returns the last number n of specified results.
  • Creates a time series chart and corresponding table of statistics. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference.
  • Displays the most common values of a field.
  • Groups search results into transactions.
  • Reformats rows of search results as columns.
  • Computes moving averages of fields.
  • Returns typeahead information on a specified prefix.
  • Calculates the eventtypes for the search results.
  • Removes any result that is an exact duplicate of a previous result.
  • Converts results from a tabular format to a format similar to output.
  • Inverse of and .
  • Performs arbitrary filtering on your data. See Functions for eval and where in the Splunk Enterprise Search Reference.
  • Enables you to determine the trend in your data by removing the seasonal pattern.
  • Extracts XML key-value pairs.
  • Unescapes XML.
  • Redefines the XML path.
  • Converts results into a format suitable for graphing.
Source: https://docs.splunk.com/Documentation/SplunkLight/7.3.6/References/Listofsearchcommands


Syntax for searches in the CLI

If you use Splunk Enterprise, you can issue search commands from the command line using the Splunk CLI. This is a quick discussion of the syntax and options available for using the and commands in the CLI.

The syntax for CLI searches is similar to the syntax for searches you run from Splunk Web except that you can pass parameters outside of the search object to control the time limit of the search, specify the server where the search is to be run, and specify how results are displayed.

Search defaults

By default, when you run a search from the CLI, the search uses All Time as the time range. You can specify time ranges using one of the CLI search parameters, such as , , or .

The first 100 events are returned when you run a historical search using the CLI. Use the search parameter to specify the number of events to return.

Search objects

Search objects are enclosed in single quotes (' ') and can be keywords, expressions, or a series of search commands. On Windows, use double quotes (" ") to enclose your search object.

  • For more information about searching, see Start searching in the Search Tutorial.
  • For a brief description of every search command, see the Command quick reference in the Search Reference.
  • For a quick reference for Splunk concepts, features, search commands, and functions, see the Quick Reference Guide in the Search Reference.

Search objects can include not only keywords and search commands but also fields and modifiers to specify the events you want to retrieve and the results you want to generate.

Search parameters

Search parameters are options that control the way the search is run or the way the search results are displayed. All of these parameters are optional. Parameters that take Boolean values support as negatives and as positives.

Specify these search parameters at the end of your search, after you have specified all of the commands and command arguments. See Example 4.

Parameter Values Defaults Description
<app_name> search Specify the name of the app in which to run your search.
<bool> F Indicates how to handle updates in preview mode.
<bool> F Triggers an asynchronous search and displays the job ID and TTL for the search.
<time-modifier> The relative time modifier for the start time of the search. This is optional for and required for .
<bool> T Indicates whether to display a header in the table output mode.
<time-modifier> The start time of the search. This can be expressed as an epoch or relative time modifier and uses the same syntax as the "earliest" and "latest" time modifiers for the search language. This is optional for both and .
<time-modifier> The end time of the search. This can be expressed as an epoch or relative time modifier and uses the same syntax as the "earliest" and "latest" time modifiers for the search language. This is optional for both and .
<time-modifier> The relative time modifier for the end time of the search. For , if this is not specified, it defaults to the end of time (or the time of the last event in the data), so that any "future" events are also included. For , this is a required parameter and the real-time search will not run if it is not specified.
<number> 0 The length of time in seconds that a search job runs before it is finalized. A value of 0 means that there is no time limit.
<number> search: 100; rtsearch: 0 The maximum number of events to return or send to when exporting events. A value of 0 means that it will output an unlimited number of events.
rawdata, table, csv, auto Use for non-transforming searches. Use for transforming searches. Indicates how to display the job.
<bool> T Indicates that reporting searches should be previewed (displayed as results are calculated).
<number> 0 The length of time in seconds that a search job is allowed to live after running. A value of 0 means that the job is canceled immediately after it is run.
[http|https]://name_of_server:management_port Specify the server name and management port. can be the fully-resolved domain name or the IP address of the Splunk server. The default uri value is the value that you defined in the Splunk server's . For more information, see Access and use the CLI on a remote Splunk Server in the Admin manual.
<bool> T Indicates whether to line wrap individual lines that are longer than the terminal width.

Examples

You can see more examples in the CLI help information.

1. Retrieve events from yesterday that match root sessions

./splunk search "session root daysago=1"

2. Retrieve events that match web access errors and detach the search

./splunk search 'eventtype=webaccess error' -detach true

3. Run a windowed real-time search

./splunk rtsearch 'index=_internal' -earliest_time 'rt-30s' -latest_time 'rt+30s'

See more examples of Real-time searches and reports in the CLI in the Admin Manual.

4. Return a list of unique hostnames

There are two recommended ways that you can do this. This first is with the stats command:

./splunk search 'index=* | stats count by host | fields - count' -preview true

Alternatively, since you are only interested in the host field, you can use the metadata command:

./splunk search '| metadata type=hosts | fields host' -preview true

Here, the -preview flag is optional and is used to view the results as they are returned. In contrast, the table command, unlike the fields command, generally requires all of its input before it can emit any non-preview output. In that case, you would need to use the preview flag to be able to view the results of the search.

5. Return yesterday's internal events

./splunk search 'index=_internal' -index_earliest -1d@d -index_latest @d

Source: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CLIsearchsyntax
