Using search commands
Now you're ready to start typing your own variants on the cool searches you've been seeing Splunk paste into your search box. Try these variants in any order. Just paste these examples into your search box to illustrate the power of Splunk search commands.
timechart
timechart returns statistics bucketed by time and is good for driving line charts. Try these examples.
Count of deny events graphed by time.
index::sampledata deny | timechart count(_raw)
Sum of bytes for GET requests by 5 second bucket.
index::sampledata sourcetype::access_common GET | timechart span=5s sum(bytes)
Average bytes by method by 10 second bucket.
index::sampledata sourcetype::access_common | timechart span=10s avg(bytes) by method
stats
stats provides summary calculations by any field. Try it with a pie chart.
Total bytes sent by destination.
index::sampledata sourcetype::syslog | stats sum(sent) by dst
top
Let's get the top denied source IPs. This will work best with a bar chart.
index::sampledata netscreen deny | top src
(By default top brings back 10 results.)
rare
You can also get the rarest 100 source IPs (by using rare).
index::sampledata netscreen deny | rare 100 src
where
Let's go back to our top source IPs and filter for ones with more than 5 denies by using the where command.
index::sampledata netscreen deny | top 100 src | where count > 5
fields
Let's display only the src field now (using fields).
index::sampledata netscreen deny | top 100 src | where count > 5 | fields src
sort
We can sort the results using the sort command.
index::sampledata netscreen deny | top 100 src | where count > 5 | fields src | sort src
(Note this works with individual events in cooked and raw mode too.)
Subsearches
Now we're going to put it all together with a subsearch: find which actions that returned more than two 500 HTTP status codes also returned 200 successes (i.e. intermittently failing actions in our application).
index::sampledata 200 [search index::sampledata 500 | top action | where count > 2 | fields + action]
diff
Do a search for errors in db2 and diff the first two results. When you use the diff command with no arguments, the first two results are compared by default.
index::sampledata error sourcetype::db2_diag | diff
Compare the host field of the 3rd and 4th results.
index::sampledata error sourcetype::db2_diag | diff 3 4
Now, find the amount of time between two events by comparing the values of the date_time field.
index::sampledata error sourcetype::db2_diag | diff 3 4 attribute=date_time
set
Return all URLs that have 404 errors but no 303 errors (using set).
set diff [search 404 | fields url] [search 303 | fields url]
regex
The regex command filters your search results: it keeps only the results whose field matches the regular expression you supply and removes the ones that do not match. Use it whenever you want to narrow results down to those that match a particular pattern.
Note: if you want to use the "or" ("|") operator in a regex argument, the whole regular expression must be surrounded by quotes (i.e. regex "<expression>").
Try the example below, which gets sendmail events that contain IP addresses in the non-routable class A range (10.0.0.0/8):
sendmail | regex _raw=(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)
Note: Splunk's regex command supports inclusion of PCREs (Perl Compatible Regular Expressions).
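As an added illustration that is not part of the original page, here is a Python equivalent of the regex search above, run over constructed sendmail-style lines. It also goes one step beyond the page's pattern: the lookbehind and lookahead stop partial matches such as 210.1.2.3, but nothing in the regular expression checks that each octet is 0-255, so a second filter validates the address and tests membership in 10.0.0.0/8.

```python
import ipaddress
import re

# Constructed sample sendmail-style events (not taken from the original page).
SAMPLE_EVENTS = [
    "Mar  1 10:02:11 mx1 sendmail[2211]: from=<a@example.org>, relay=[10.4.22.9]",
    "Mar  1 10:02:12 mx1 sendmail[2212]: from=<b@example.org>, relay=[192.168.1.20]",
    "Mar  1 10:02:13 mx1 sendmail[2213]: from=<c@example.org>, relay=[210.1.2.3]",
    "Mar  1 10:02:14 mx1 sendmail[2214]: from=<d@example.org>, relay=[10.1.2.3456]",
    "Mar  1 10:02:15 mx1 sendmail[2215]: to=<e@example.org>, relay=[10.300.1.1]",
]

# The pattern from the page's `regex _raw=...` search. The lookbehind/lookahead
# reject "210.1.2.3" and "10.1.2.3456", but no octet range is checked.
CLASS_A_PRIVATE = re.compile(r"(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)")

# Any dotted quad, used by the stricter filter below.
DOTTED_QUAD = re.compile(r"(?<!\d)\d{1,3}(?:\.\d{1,3}){3}(?!\d)")
PRIVATE_CLASS_A = ipaddress.ip_network("10.0.0.0/8")


def regex_filter(events, pattern=CLASS_A_PRIVATE):
    """Mimic Splunk's regex command: keep only events whose raw text matches."""
    return [event for event in events if pattern.search(event)]


def strict_filter(events, network=PRIVATE_CLASS_A):
    """Keep events containing at least one valid IPv4 address inside `network`."""
    kept = []
    for event in events:
        for quad in DOTTED_QUAD.findall(event):
            try:
                address = ipaddress.ip_address(quad)
            except ValueError:  # e.g. an octet above 255, such as 10.300.1.1
                continue
            if address in network:
                kept.append(event)
                break
    return kept


if __name__ == "__main__":
    for line in regex_filter(SAMPLE_EVENTS):
        print("regex  :", line)
    for line in strict_filter(SAMPLE_EVENTS):
        print("strict :", line)
```

The regex alone keeps the 10.300.1.1 line, which is not a valid address; the strict filter drops it.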
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4