Last active
June 21, 2018 16:28
-
-
Save IngmarBoddington/ad6468ed9396109960b890834b5172db to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SPL = Splunk Processing Language | |
| host="<host>" | |
| source="<source>" | |
| sourcetype="<sourcetype>" | |
| * can be used as a wildcard | |
| | used to chain filtering / commands / searches | |
| Full Search Reference: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/WhatsInThisManual | |
| dedup <field> | |
| Deduplicate by <field> values | |
| head <number> | |
| Show first <number> results | |
| tail <number> | |
| Show last <number> results | |
| reverse | |
| Reverse results | |
| search <search> | |
| Search results | |
| sort <field> | |
| Sort by <field> ascending | |
| sort -<field> | |
| Sort by <field> descending | |
| top [<count>] <field> | |
| Show event counts by <field> | |
| timechart <field> [BY <field>] | |
| Show agrregate graph | |
| eval can be used in order to create variables and do calculations | |
| e.g. eval var=10/5 | search secs | |
| Allows you to add a generated / calculated field | |
| stats can be used for generating statistics based on the results (which will be shown in the statistics tab) | |
| Lots of funcs here http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/CommonStatsFunctions | |
| e.g. distinct_count(<field>) | |
| rex can be used for regular expressions | |
| rex [field=<field>] ( <regex-expression> [max_match=<int>] [offset_field=<string>] ) | (mode=sed <sed-expression>) | |
| e.g. rex mode="sed" field=uri "s/=[\d\w]+\&/=NULLED\&/g" | |
| Note: Ampersand represents full captured string in replace (so escape it) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment