kjivan/splunk-ref.md

Last active December 17, 2021 22:40

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/kjivan/567453071653228fa723a0762fec3cdb.js"></script>
Save kjivan/567453071653228fa723a0762fec3cdb to your computer and use it in GitHub Desktop.

Download ZIP

Raw

splunk-ref.md

Splunk Reference

Tips

Check your timeframe
Use an index if possible index=main
Start simple
Test your query after each change
Use shift+enter to add a new line
AND is implied between commands

Filtering

Task	Query
Get everything	`*`
Get “error”	`error`
Get “error” but not "exception"	`error NOT exception`
Get “error” with “bob” (AND)	`error bob`
Get “error” or “exception” (OR)	`error OR exception`
Get “ERROR”	`CASE(ERROR)`
Get IP Addr messages (regex)	`\| regex _raw="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"`

Formatting/Organizing

Task	Query
Table time and message (readable)	`\| table _time, _raw`
Sort by time	`\| sort _time`
Descending sort by count	`\| sort -count`

Fields

Task	Query
Limit to time and raw	`\| fields _time, _raw`
Extract a field using regex	`\| rex field=_raw .Code=(?<code>.).\`
Extract fields using examples	`\| erex date examples=“2021-01-01”`
Create a field	`\| eval container=replace(sourcetype, kube, "")`
Rename a field	`\| rename source as container`

Tables/Charts (Group by)

Task	Query
Get counts of errors by message	`error \| stats count by _raw`
Get counts of by status and host	`\| stats count BY status, host`
Get chart by status and host	`\| chart count BY status, host`
Get errors over time	`error \| timechart count by _raw`

Misc

Task	Query
List indicies	`* \| dedup index \| table index`
Get a stack trace	`\| transaction startswith=CASE(ERROR) maxevents=250 mvlist=true`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment