Splunk Fundamentals Part1

Splunk Fundamentals Part 1

Uploaded by Manu Tn

SPLUNK FUNDAMENTALS

TABLE OF CONTENTS
HTTP Event Collector ... 3
  Overview ... 3
  LAB ... 3
Field Extractions ... 5
  Basic extractions using props.conf ... 5
  Field extraction using props.conf and transforms.conf ... 6
  Search-time field extraction ... 7
  Index-time field extraction ... 9
Splunk Basic Commands ... 12
  SPL Categories ... 12
  Multivalue field commands ... 12
  Time functions ... 14
  stats vs eventstats vs streamstats ... 15
  {} operator ... 16
MULTIVALUE FIELD COMMANDS

Sample database (CSV loaded into index="main"):
first name,last name,occupation,salary
First_1,last_1,Occu_1,1000
First_2,last_2,Occu_2,2000
First_3,last_3,Occu_3,3000
First_4,last_4,Occu_4,4000
First_5,last_5,Occu_5,5000
First_6,last_6,Occu_6,1000
First_7,last_7,Occu_7,1000
First_8,last_8,Occu_8,1000
First_9,last_9,Occu_9,1000

makemv
Make a multivalue field from a single-value field using a separator or a regex tokenizer
| makeresults
| eval field1 = "1,2,3,4,5"
| makemv delim="," field1
# splits on "," and turns field1 into a multivalue field: 1 2 3 4 5

| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@" field1
# the first capture group of the regex becomes each value: field1 = example1 example2 example3
# (example.com is a placeholder domain)
# makemv tokenizer=<regex> <field>

mvcombine

• Used when events are identical except for one field: those events are merged into one, and the differing field becomes a multivalue field

| makeresults count=5
| streamstats count as counter
| eval field1 = "col1", field2="col2"
| mvcombine delim=";" counter
# the 5 events share field1 and field2, so they collapse into one event whose counter field holds all five values

nomv
Converts a multivalue field back into a single-value field (here the values are joined with the ";" delimiter set by mvcombine)
| makeresults count=5
| streamstats count as counter
| eval field1 = "col1", field2="col2"
| mvcombine delim=";" counter | nomv counter

mvexpand
Expands a multivalue field into one event per value; the other fields are copied into each new event
| makeresults count=5
| streamstats count as counter
| eval field1 = "col1", field2="col2"
| mvcombine delim=";" counter | mvexpand counter

mvappend(<values>...)
Combines the values of two or more fields (or literal strings) into one multivalue field
index="main"
| table "first name","last name",occupation,salary
| eval mv_field = mvappend('first name','last name',occupation,salary)
# inside eval a field name containing a space must be single-quoted; "first name" in double quotes is a string literal

mvcount(<mv>)
Gives the number of values in a multivalue field (the length of the array)
index="main" | table "first name","last name",occupation,salary
| eval mv_field = mvappend('first name','last name',occupation,salary)
| eval count_mv = mvcount(mv_field)
| eval count_normal = mvcount('first name')
# count_normal is 1 because 'first name' holds a single value

mvdedup(<mv>)
Removes duplicate values from a multivalue field

| makeresults
| eval field1 = "1,2,2,4,5"
| makemv delim="," field1
| eval dedup_field = mvdedup(field1)

mvfilter(<predicate>)
Creates a new multivalue field by filtering the values of an existing multivalue field
| makeresults
| eval field1 = "1,2,3,4,5"
| makemv delim="," field1
| eval filter_field = mvfilter(field1 IN (1,2))
# gives filter_field => 1 2

| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval filter_field = mvfilter(match(field1,".+1"))
# keeps only the values matching the regex, i.e. those ending in 1

mvindex(<mv>, <start>, <end>)

Returns the value(s) at the given position range of an existing multivalue field; indexes are zero-based and negative indexes count from the end
| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval index_field = mvindex(field1,0,1)
# first two values

| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval index_field = mvindex(field1,-2,-1)
# last two values

mvjoin(<mv>,<delim>)
Joins all values of a multivalue field into one single-value string, separated by the delimiter (handy for building an OR clause)
| makeresults
| eval field1 = "example1@example.com,example2@example.com,example3@example.com"
| makemv tokenizer="([[:alnum:]]+)@([[:alnum:]]+)\.com" field1
| eval join_field = mvjoin(field1," OR ")

mvrange(<start>, <end>, <step>)

Creates a multivalue field of numbers from start up to (not including) end; the step can be a number or a time span such as "1d"
| makeresults
| eval start_date = "09/01/2018", end_date = "09/11/2018"
| eval start_date_epoc = strptime(start_date,"%m/%d/%Y"), end_date_epoc = strptime(end_date,"%m/%d/%Y")
| eval date_range = mvrange(start_date_epoc,end_date_epoc,"1d")
| eval date_range_readable = strftime(date_range,"%m/%d/%Y")
# strftime applied to a multivalue field formats every value
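Putting several of the commands above together in one search, as an added example that is not part of the original notes: the events are constructed with makeresults, and user, src_ip_list, src_ip, users, user_count and user_clause are invented field names. The search splits a comma-separated list of source IPs per user, dedups it, expands it to one event per IP, then groups by IP to find addresses shared by more than one user and builds an OR clause from the resulting multivalue field.

```spl
| makeresults count=3
| streamstats count AS n
| rename COMMENT AS "constructed events: one user plus a comma-separated list of source IPs (invented field names)"
| eval user = "user".n
| eval src_ip_list = case(n=1, "10.0.0.5,10.0.0.6", n=2, "10.0.0.7", n=3, "10.0.0.5,10.0.0.5,10.0.0.9")
| rename COMMENT AS "makemv splits the string into a multivalue field and mvdedup drops the repeated 10.0.0.5 on user3"
| makemv delim="," src_ip_list
| eval src_ip_list = mvdedup(src_ip_list)
| eval ip_count = mvcount(src_ip_list)
| rename COMMENT AS "mvexpand turns each IP into its own event so that stats can group by IP"
| mvexpand src_ip_list
| rename src_ip_list AS src_ip
| stats values(user) AS users, dc(user) AS user_count BY src_ip
| rename COMMENT AS "keep only IPs seen for more than one user and build an OR clause from the mv field"
| where user_count > 1
| eval user_clause = mvjoin(users, " OR ")
```

The `rename COMMENT AS "..."` lines are the same no-op idiom the notes use later for comments (renaming a field that does not exist changes nothing), so the search can be pasted as-is. Note that mvcount on user2, whose list holds a single address, returns 1: makemv leaves a one-element string as a single value rather than a one-element array.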

TIME FUNCTIONS
strftime(<time>,<format>)
• Formats time
• Converts epoch time to readable time
| makeresults
| eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")
# makeresults supplies _time; %Q is the subsecond (millisecond) part

strptime(<str>, <format>)
• Parses time
• Converts readable time to Unix (epoch) time
... | eval n=strptime(timeStr, "%H:%M")

relative_time(<time>,<specifier>)
• Applies a relative time modifier to an epoch time
... | eval n=relative_time(now(), "-1d@d")
# one day back, snapped to midnight: the start of yesterday

Find the gap between two datetimes

| makeresults count=1
| eval start_date = "01/01/2017"
| eval end_date="01/07/2017"
| rename COMMENT as "above creates fake data, below is your solution"
| eval start_epoch = strptime(start_date, "%d/%m/%Y")
| eval end_epoch = strptime(end_date, "%d/%m/%Y")
| eval gap_in_seconds = end_epoch - start_epoch
| eval gap_in_days = round(gap_in_seconds / 86400)
# %d/%m/%Y reads the day first, so 01/07/2017 is 1 July 2017; pick the format that matches your data

STATS VS EVENTSTATS VS STREAMSTATS

streamstats
• Adds the statistic as an extra field on every event, calculated cumulatively over the events seen so far (a running value, event by event)

eventstats
• Adds the statistic calculated over the whole result set as an extra field on every event; the events themselves are kept

stats
• Outputs only the aggregated result; the individual events are dropped
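The three commands applied in sequence to the same constructed data, as an added example that is not part of the original notes (the login events are generated with makeresults; user, action, failures_so_far, user_events, user_failures and failure_ratio are invented field names). Each step shows a different output shape: streamstats gives every event its own running failure count, eventstats stamps per-user totals onto every event, and the final stats collapses everything to one row per user.

```spl
| makeresults count=6
| streamstats count AS n
| rename COMMENT AS "constructed login events: alternating users and one success for bob (invented field names)"
| eval user = if(n % 2 = 0, "alice", "bob")
| eval action = if(n = 5, "success", "failure")
| eval _time = _time - (6 - n) * 60
| sort 0 _time
| rename COMMENT AS "streamstats: running failure count per user in event order so each event gets its own value"
| streamstats count(eval(action="failure")) AS failures_so_far BY user
| rename COMMENT AS "eventstats: per-user totals over the whole result set copied onto every event"
| eventstats count AS user_events count(eval(action="failure")) AS user_failures BY user
| eval failure_ratio = round(user_failures / user_events, 2)
| rename COMMENT AS "stats: collapses to one row per user and drops the individual events"
| stats count AS events max(failures_so_far) AS failures max(failure_ratio) AS failure_ratio BY user
```

The placement matters for detection work: a `| where failures_so_far >= 3` inserted right after the streamstats line fires on the event that is a user's third failure, while the same condition after eventstats can only be expressed against the whole-window total, and after stats there are no events left to act on.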
