Splunk_Advanced_Commands_with_Examples

The document provides a comprehensive overview of advanced Splunk commands, including their functions and examples. Key commands include 'search' for finding events, 'stats' for aggregating results, and 'join' for merging datasets. Each command is accompanied by a practical example to illustrate its usage.

Uploaded by CK

Advanced Splunk Commands with Examples:

search

Find specific events.

Example: index=main error OR failure

fields

Include only selected fields.

Example: ... | fields host, source, sourcetype

table

Display results in a table.

Example: ... | table user, action, status

stats

Aggregate results.

Example: ... | stats count by status

eval

Create a new field.

Example: ... | eval total=price*quantity

where

Filter using expressions.

Example: ... | where duration > 60

sort

Order results.

Example: ... | sort -_time

dedup

Keep only the first event for each distinct value of a field (removes duplicates).

Example: ... | dedup user_id

top

Get the most frequent values of a field, with count and percent (10 by default).

Example: ... | top error_code

rare

Get the least common values of a field, with count and percent.

Example: ... | rare ip_address

rex

Extract fields with regex.

Example: ... | rex field=_raw "from:(?<sender>\S+)"

lookup

Enrich data from a lookup.

Example: ... | lookup user_lookup userid OUTPUT fullname

join

Join the current results with a subsearch on a shared field (inner join by default).

Example: ... | join userid [ search index=logs action=login ]

transaction

Group related events into one transaction by a field, optionally bounded by start and end conditions.

Example: ... | transaction user startswith="login" endswith="logout"

head / tail

Return only the first (head) or last (tail) N results.

Example: ... | head 10

eventstats

Add stats without changing event count.

Example: ... | eventstats avg(duration) as avg_duration

streamstats

Compute running (cumulative) statistics such as totals or averages as events stream through.

Example: ... | streamstats count

coalesce

eval function: return the first non-null value among its arguments.

Example: ... | eval user=coalesce(username, userid)

isnull

eval function: return true if the field is null (missing from the event).

Example: ... | where isnull(user)

outputnew

lookup option: write the output field only to events that do not already have it.

Example: ... | lookup mylookup userid OUTPUTNEW fullname
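The example below is added here and is not part of the original document. It chains several of the commands listed above (rex, eval with coalesce and isnull, where, stats, sort, head, table) into one defensive search that surfaces sources generating many failed logins against many accounts, a common sign of password spraying. The index, sourcetype, field names (username, userid, sender), the "from:" log format and the thresholds are assumptions chosen for illustration, not values from the document.

```spl
index=main sourcetype=auth action=login status=failure
| rex field=_raw "from:(?<sender>\S+)"
| eval user=coalesce(username, userid)
| where NOT isnull(user) AND NOT isnull(sender)
| stats count AS failures, dc(user) AS targeted_users, min(_time) AS first_seen, max(_time) AS last_seen BY sender
| eval window_min=round((last_seen - first_seen) / 60, 1)
| eval rate_per_min=round(failures / max(window_min, 1), 2)
| where failures >= 20 AND targeted_users >= 5
| sort -failures
| head 10
| convert ctime(first_seen) ctime(last_seen)
| table sender, failures, targeted_users, window_min, rate_per_min, first_seen, last_seen
```

Reading the pipeline stage by stage: rex pulls the source out of the raw event; coalesce lets the search work whether the account field is named username or userid; the isnull checks drop events that could not be attributed to a user or source; stats collapses the failures per source while dc() counts how many distinct accounts each source touched; the two eval lines turn first_seen and last_seen into a time window and a failure rate; the where clause keeps only sources that are both noisy and spread across accounts; sort and head rank the worst offenders, and convert makes the epoch timestamps readable before table lays out the result.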
