Splunk Fundamentals Part1

Uploaded by Manu Tn

SPLUNK FUNDAMENTALS

TABLE OF CONTENTS
HTTP Event Collector (page 3)
  Overview (page 3)
  LAB (page 3)
Field Extractions (page 5)
  Basic extractions using props.conf (page 5)
  Field extraction using props.conf and transforms.conf (page 6)
  Search time field extraction (page 7)
  Index time field extractions (page 9)
Splunk Basic Commands (page 12)
  SPL Categories (page 12)
  Multivalue field commands (page 12)
  Time functions (page 14)
  stats vs eventstats vs streamstats (page 15)
  {} operator (page 16)
MULTIVALUE FIELD COMMANDS
Sample database (CSV, indexed into index=main for the examples below):
first name,last name,occupation,salary
First_1,last_1,Occu_1,1000
First_2,last_2,Occu_2,2000
First_3,last_3,Occu_3,3000
First_4,last_4,Occu_4,4000
First_5,last_5,Occu_5,5000
First_6,last_6,Occu_6,1000
First_7,last_7,Occu_7,1000
First_8,last_8,Occu_8,1000
First_9,last_9,Occu_9,1000
makemv
Makes a multivalue field from a single-value field, splitting either on a separator (delim) or on a tokenizer regex
| makeresults
| eval field1 = "1,2,3,4,5"
| makemv delim="," field1
# splits on "," and turns field1 into a multivalue field with the values 1 2 3 4 5
| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@" field1
# creates field1 = example1 example2 example3 (only the first capture group is kept)
# makemv tokenizer=<regex> <field>
# the addresses were obscured in the extracted copy of these notes; example.com is assumed here

mvcombine

• Used when one field differs between events while all the other fields are identical: the events are merged into one and the differing values become a multivalue field

| makeresults count=5
| streamstats count as counter
| eval field1 = "col1", field2="col2"
| mvcombine delim=";" counter

nomv
Converts a multivalue field back into a single-value field (the values are joined using the delimiter given to mvcombine)
| makeresults count=5
| streamstats count as counter
| eval field1 = "col1", field2="col2"
| mvcombine delim=";" counter | nomv counter

mvexpand
Expands a multivalue field into separate events, one event per value
| makeresults count=5
| streamstats count as counter
| eval field1 = "col1", field2="col2"
| mvcombine delim=";" counter | mvexpand counter

mvappend
Combines two or more fields or string literals into one multivalue field
index="main"
| table "first name","last name",occupation,salary
| eval mv_field = mvappend('first name','last name',occupation,salary)
# in eval, a field name that contains a space must be single-quoted; "first name" in double quotes is the literal string

mvcount
Returns the number of values in a multivalue field (1 for a single-value field, NULL for a missing field)
index="main" | table "first name","last name",occupation,salary
| eval mv_field = mvappend('first name','last name',occupation,salary)
| eval count_mv = mvcount(mv_field)
| eval count_normal = mvcount('first name')
# count_mv = 4, count_normal = 1; single quotes are needed for field names with spaces

mvdedup
Removes duplicate values from a multivalue field

| makeresults
| eval field1 = "1,2,2,4,5"
| makemv delim="," field1
| eval dedup_field = mvdedup(field1)

mvfilter
Creates a new multivalue field by filtering an existing multivalue field (the boolean expression may reference only that one field)
| makeresults
| eval field1 = "1,2,3,4,5"
| makemv delim="," field1
| eval filter_field = mvfilter(field1 IN (1,2))
# gives filter_field => 1 2

| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval filter_field = mvfilter(match(field1,".+1"))
# field1 = example1 example2 example3 (first capture group only); filter_field => example1
# addresses obscured in the extracted notes; example.com is assumed

mvindex(<mv>, <start>, <end>)

Creates a new field holding the value(s) at the given index range of an existing multivalue field; indexes are zero-based and negative indexes count back from the end
| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval index_field = mvindex(field1,0,1)
# index_field => example1 example2

| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval index_field = mvindex(field1,-2,-1)
# index_field => example2 example3 (addresses assumed, see above)

mvjoin(<mv>,<delim>)
Joins all values of one multivalue field into a single string using the delimiter (useful for building a search clause)
| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval join_field = mvjoin(field1," OR ")
# join_field => example1 OR example2 OR example3 (addresses assumed, see above)

mvrange(<start>, <end>, <step>)

Creates a multivalue field of numbers from start up to (but not including) end in increments of step; step can also be a time span such as "1d" when start and end are epoch times

| makeresults
| eval start_date = "09/01/2018", end_date = "09/11/2018"
| eval start_date_epoc = strptime(start_date,"%m/%d/%Y"), end_date_epoc = strptime(end_date,"%m/%d/%Y")
| eval date_range = mvrange(start_date_epoc,end_date_epoc,"1d")
| eval date_range_readable = strftime(date_range,"%m/%d/%Y")
# date_range_readable => 09/01/2018 ... 09/10/2018 (one value per day, end date excluded)
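An added example, not from the original notes, that chains several of the commands above on constructed firewall-style events: each event carries a comma-separated list of destination ports, which is split with makemv, de-duplicated, filtered to administrative ports with mvfilter, counted with mvcount, and expanded with mvexpand so the ports can be summarised per source. The field names (src_ip, dest_ports, admin_ports) and all values are made up; the rename COMMENT lines are the same no-op comment trick used elsewhere in these notes.

```spl
| makeresults count=3
| streamstats count AS n
| rename COMMENT AS "constructed sample: two events from 10.0.0.5, one from 10.0.0.9"
| eval src_ip=case(n==1,"10.0.0.5", n==2,"10.0.0.5", n==3,"10.0.0.9")
| eval dest_ports=case(n==1,"22,445,3389", n==2,"80,443", n==3,"445,445,3389")
| fields - _time
| rename COMMENT AS "split the list, drop repeated ports, keep only admin ports (22, 445, 3389)"
| makemv delim="," dest_ports
| eval dest_ports=mvdedup(dest_ports)
| eval admin_ports=mvfilter(match(dest_ports,"^(22|445|3389)$"))
| rename COMMENT AS "mvfilter returns NULL when nothing matches, so mvcount is NULL too; normalise to 0"
| eval admin_port_count=mvcount(admin_ports)
| fillnull value=0 admin_port_count
| where admin_port_count>0
| rename COMMENT AS "one event per admin port, then a per-port summary of which sources touched it"
| mvexpand admin_ports
| stats count AS hits, dc(src_ip) AS distinct_sources, values(src_ip) AS sources BY admin_ports
```

Expected result: port 22 with 1 hit from 10.0.0.5, and ports 445 and 3389 with 2 hits each from 10.0.0.5 and 10.0.0.9; the event that only used 80 and 443 is dropped by the where clause. Remove everything from the mvexpand line onward to see the per-event table with admin_ports and admin_port_count instead.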

TIME FUNCTIONS
strftime(<time>,<format>)
• Formats time
• Converts epoch time to readable time
| makeresults
| eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")
# makeresults gives one event whose _time is the current time; %Q is the subsecond part

strptime(<str>, <format>)
• Parses time
• Converts readable time to Unix epoch time
... | eval n=strptime(timeStr, "%H:%M")

relative_time(<time>,<specifier>)
... | eval n=relative_time(now(), "-1d@d")
# -1d@d: go back one day and snap to the start of that day (midnight), i.e. the beginning of yesterday

Find the gap between two datetimes

| makeresults count=1
| eval start_date = "01/01/2017"
| eval end_date="01/07/2017"
| rename COMMENT as "above creates fake data, below is your solution"
| eval start_epoch = strptime(start_date, "%d/%m/%Y")
| eval end_epoch = strptime(end_date, "%d/%m/%Y")
| eval gap_in_seconds = end_epoch - start_epoch
| eval gap_in_days = round(gap_in_seconds / 86400)

STATS VS EVENTSTATS VS STREAMSTATS

Streamstats
• Keeps every event and adds an extra field, but the statistic is computed cumulatively, event by event, in the order the events arrive (a running value up to and including the current event)

Eventstats
• Keeps every event and adds an extra field holding the statistic computed over all matching events

stats
• Outputs only the aggregated result; the original events are not returned
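An added example, not part of the original notes, that runs the three commands over the same constructed login events so the difference in output shape is visible: streamstats gives a running failure count per user (the event at which a threshold is crossed), eventstats stamps the per-user total onto every event, and stats collapses the events to one row per user. The user and result values are made up; the rename COMMENT lines are the no-op comment trick used elsewhere in these notes.

```spl
| makeresults count=6
| streamstats count AS n
| rename COMMENT AS "constructed sample: bob fails 3 times then succeeds, alice fails once then succeeds"
| eval user=if(n%3==0,"alice","bob"), result=if(n<=4,"failure","success")
| fields - _time
| rename COMMENT AS "streamstats: running count of failures per user, all six events kept"
| streamstats count(eval(result="failure")) AS failures_so_far BY user
| rename COMMENT AS "eventstats: total failures per user copied onto every event of that user"
| eventstats count(eval(result="failure")) AS failures_total BY user
| eval crossed=if(failures_so_far>=3 AND result="failure","threshold reached at this event","")
| table n user result failures_so_far failures_total crossed

| makeresults count=6
| streamstats count AS n
| eval user=if(n%3==0,"alice","bob"), result=if(n<=4,"failure","success")
| rename COMMENT AS "stats: the six events are replaced by one summary row per user"
| stats count(eval(result="failure")) AS failures_total, count AS events BY user
```

In the first search, bob's rows show failures_so_far 1, 2, 3, 3 with failures_total 3 on each, and only the event with n=4 is marked as crossing the threshold; the second search returns just two rows, alice (1 failure, 2 events) and bob (3 failures, 4 events).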
