Created May 11, 2015 22:41
Gist: metasyn/393ada7fe7fb49840488
# SPL General Practices

1.) Filter by time first.
> ". . . time is the most efficient filter"

2.) Use host, source, sourcetype
> "After time, the most powerful keywords are host, source, sourcetype"

3.) Include relevant information
> The more you tell Splunk, the better the chance for good results
- Searching for `sourcetype=x failure` is better than searching for `failure`
- To make searches more efficient, include as many terms as possible

4.) Use `fields`
> Use the `fields` command to extract (discover) only the fields you need

5.) Careful with wildcards
> Splunk only searches for whole words, but you can use wildcards
- Only trailing wildcards can make efficient use of the index
  - `*fail` or `*fail*` scans all events within the time frame specified
  - when possible, use `fail*` rather than `*fail` or `*fail*`
- Wildcards are tested after all other terms

6.) Avoid NOT
> "Inclusion is generally better than exclusion"

7.) Filter before processing
> "Apply power filtering as early as possible"

8.) Choose relevant search mode
> "Consider search modes"
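To tie the eight points together, here is an added example that is not part of the gist: the same question ("which URIs are erroring on the web tier?") written first in a way that ignores the practices above, then rewritten to apply them in order. The index `web`, the sourcetype `access_combined`, the hosts `web01` through `web03` and the field names are all assumptions made for this illustration.

```spl
index=* *fail* NOT host=dev*
| stats count by uri

earliest=-24h latest=now index=web sourcetype=access_combined host=web0* status>=500 fail*
| fields host, uri, status, clientip
| stats count AS errors by host, uri
| where errors > 10
| sort - errors
```

In the second search, `earliest`/`latest` bound the time range before anything else is evaluated (practice 1); `index`, `sourcetype` and `host` restrict which buckets are read at all (practice 2); `status>=500` and `fail*` add the extra terms that sharpen the match (practice 3); `fail*` is a trailing wildcard the lexicon can resolve, whereas the `*fail*` of the first search has to be tested against every event in range (practice 5); the inclusive `host=web0*` replaces `NOT host=dev*` (practice 6); `fields` keeps extraction to the four fields `stats` needs (practice 4); and every filter sits in the base search, ahead of `stats`, so the reporting command only ever sees matching events (practice 7). Because this query needs no fields beyond those it names, running it in Fast mode rather than Verbose mode (practice 8) avoids extracting everything else.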