Splunk® Enterprise

User Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Use Splunk's search language

This topic assumes that you are familiar with running simple searches using keywords and field/value pairs. If you're not sure, go back and read "Use fields to search".

Back at the online Flower & Gift shop Customer Support office, the searches you've run to this point have only retrieved matching events from your Splunk index. For example, in a previous topic, you ran this search to see the purchases of flowers:

sourcetype=access_* action=purchase category_id=flowers

The search results told you approximately how many flowers were bought. But, this doesn't help you answer questions, such as:

  • What items were purchased most at the online shop?
  • How many customers bought flowers? How many flowers did each customer buy?

To answer these questions, you need to use Splunk's search language, which includes an extensive library of commands, arguments, and functions that enable you to filter, modify, reorder, and group your search results. For this tutorial you'll only use a few of them.

How to construct a search with search assistant

Example 1. What items were purchased most at the online shop?

1. Return to the search dashboard and restrict your search to purchases over Yesterday:

sourcetype=access_* action=purchase

As you type in the search bar, search assistant opens with syntax and usage information for the search command (on the right side). If search assistant doesn't open, click the green arrow under the left side of the search bar.

[Screenshot: MoresearchAssist tutorial4.3.png]

You've seen before that search assistant displays typeahead for keywords that you type into the search bar. It also explains briefly how to search. We've already gone through retrieving events. Now, let's start using the search commands.

2. Type a pipe character into the search bar.

The pipe indicates to Splunk that you want to take the results of the search to the left of the pipe and use that as the input to the command after the pipe. You can pass the results of one command into another command in a series, or pipeline, of search commands.

[Screenshot: Common next commands4.3.png]

You want Splunk to give you the most popular items bought at the online store; the top command looks promising.

3. Under common next commands, click top.

Splunk appends the top command to your search string.

[Screenshot: MoresearchAssistTop tutorial4.3.png]

According to search assistant's description and usage examples, the top command "displays the most common values of a field", which is exactly what you wanted.

You wanted to know what types of items were being bought at the online shop, not just flowers. Search assistant also shows you interesting fields that you can click on to add to the search.

4. Either click the category_id field in the list or type it into the search bar to complete your search:

sourcetype=access_* action=purchase | top category_id

This gives you a table of the top or most common values of category_id. By default, the top command returns ten values, but you only have five different types of items. So, you should see all five, sorted in descending order by the count of each type:

[Screenshot: More search top cat id4.3.png]

The top command also returns two new fields: count is the number of times each value of the field occurs, and percent is how large that count is compared to the total count. Read more about the top command in the Search reference manual.

Drill down into search results

The last search returned a table that showed you what items the online shop sells and how many of those items were purchased. But, you want to know more about an individual item, for example, flowers.

Example 2: How many flowers were bought?

1. Click the row in the result table for Flowers.

This kicks off a new search. Splunk updates your search to include the filter for the field/value pair category_id=flowers, which was the row item you clicked in the result table from the search in Example 1.

[Screenshot: More search drilldown 4.3.png]

Splunk's drilldown actions enable you to delve deeper into the details of the information presented to you in the tables and charts that result from your search. Read more about drilldown actions in the User manual.

The number of events returned tells you how many times flowers were purchased, but you want to know how many different customers bought the flowers.

Example 3: How many different customers purchased the flowers?

1. You're looking specifically for the purchase of flowers, so continue with the search from the previous example:

sourcetype=access_* action=purchase category_id=flowers

The customers who access the Flower & Gift shop are distinguished by their IP addresses, which are values of the clientip field.

2. Use the stats command and the distinct_count() or dc() function:

sourcetype=access_* action=purchase category_id=flowers | stats dc(clientip)

You piped the search results into the stats command and used the distinct_count() function to count the number of unique clientip values that it finds in those events. This returns a single value:

[Screenshot: More search ex3 4.3.png]

This tells you that there were approximately 300 different people who bought flowers from the online shop.

Example 4: In the last example, you calculated how many different customers bought flowers. How do you find the number of flowers that each customer bought?

1. Use the stats command:

sourcetype=access_* action=purchase category_id=flowers | stats count

The count() function returns a single value, the count of your events. (This should match your result from Example 2.)

Now, break this count down to see how many flowers each customer bought.

2. Add a by clause to the stats command:

sourcetype=access_* action=purchase category_id=flowers | stats count BY clientip

This search gives you a table of the different customers (clientip) and the number of flowers purchased (count).

[Screenshot: More search ex4 4.3.png]

Reformat the search results

You might know what the headers of this table represent, but anyone else wouldn't know at a glance. You want to show off your results to your boss and other members of your team. Let's reformat it a little:

3. First, let's rename the count field:

sourcetype=access_* action=purchase category_id=flowers | stats count AS "# Flowers Purchased" by clientip

The syntax for the stats command enables you to rename the field inline using an "AS" clause. If your new field name is a phrase, use double quotes.

The syntax for the stats command doesn't allow field renaming in the "by" clause.

4. Use the rename command to change the clientip name:

sourcetype=access_* action=purchase category_id=flowers | stats count AS "# Flowers Purchased" by clientip | rename clientip AS Customer

This formats the table by replacing the headers clientip and count with Customer and # Flowers Purchased:

[Screenshot: More search ex4c 4.3.png]

For more information about the stats command and its usage, arguments, and functions, see the stats command in the Search reference manual and the list of stats functions. For more information about the rename command, see the rename command in the Search reference manual.
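To make the behaviour of the commands used in Examples 1, 3 and 4 concrete, here is an added Python example that emulates the same pipeline over a handful of constructed access log lines: filter on field/value pairs, then top, stats dc(), stats count ... AS ... BY, and rename. This is not Splunk code and is not part of this manual; the log lines, IP addresses, timestamps and product ids are hypothetical, and the percent column and the default limit of ten rows follow the description of the top command given above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample events in the shape of the tutorial's access_* sourcetype.
# Hypothetical addresses, timestamps and product ids; not the tutorial's own data.
SAMPLE_EVENTS = [
    '10.2.1.44 - - [12/Mar/2013:10:01:02 -0700] "GET /cart.do?action=purchase&category_id=flowers&product_id=FL-1 HTTP/1.1" 200 1324',
    '10.2.1.44 - - [12/Mar/2013:10:03:11 -0700] "GET /cart.do?action=purchase&category_id=flowers&product_id=FL-2 HTTP/1.1" 200 1290',
    '198.51.100.7 - - [12/Mar/2013:10:05:40 -0700] "GET /cart.do?action=purchase&category_id=flowers&product_id=FL-1 HTTP/1.1" 200 1324',
    '203.0.113.9 - - [12/Mar/2013:10:07:03 -0700] "GET /cart.do?action=purchase&category_id=flowers&product_id=FL-3 HTTP/1.1" 200 1311',
    '198.51.100.7 - - [12/Mar/2013:10:09:15 -0700] "GET /cart.do?action=purchase&category_id=gifts&product_id=GF-4 HTTP/1.1" 200 1402',
    '203.0.113.9 - - [12/Mar/2013:10:12:48 -0700] "GET /cart.do?action=purchase&category_id=gifts&product_id=GF-1 HTTP/1.1" 200 1398',
    '10.2.1.44 - - [12/Mar/2013:10:14:27 -0700] "GET /cart.do?action=purchase&category_id=gifts&product_id=GF-2 HTTP/1.1" 200 1401',
    '192.0.2.15 - - [12/Mar/2013:10:16:52 -0700] "GET /cart.do?action=purchase&category_id=candy&product_id=CA-7 HTTP/1.1" 200 1255',
    '192.0.2.15 - - [12/Mar/2013:10:17:30 -0700] "GET /cart.do?action=purchase&category_id=candy&product_id=CA-2 HTTP/1.1" 200 1260',
    # A view, not a purchase: filtered out by action=purchase.
    '192.0.2.15 - - [12/Mar/2013:10:18:05 -0700] "GET /cart.do?action=view&category_id=flowers&product_id=FL-1 HTTP/1.1" 200 2210',
    # A purchase with no category_id: counted by "stats count", ignored by "top category_id".
    '10.2.1.44 - - [12/Mar/2013:10:20:19 -0700] "GET /cart.do?action=purchase&product_id=GC-1 HTTP/1.1" 200 1180',
]

ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_event(line):
    """Extract the fields the tutorial relies on (clientip, action, category_id)
    from one access log line; every query-string parameter becomes a field."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    event = {"sourcetype": "access_combined", "clientip": m["clientip"], "status": m["status"]}
    for key, values in parse_qs(urlsplit(m["uri"]).query).items():
        event[key] = values[0]
    return event


def search(events, **field_values):
    """The part of the search before the pipe: keep events matching every field=value pair."""
    return [e for e in events if all(e.get(k) == v for k, v in field_values.items())]


def top(events, field, limit=10):
    """top <field>: most common values, descending by count; percent is the share
    of events that carry the field. Ten rows by default, like Splunk's top."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    rows = [{field: v, "count": c, "percent": round(100.0 * c / total, 6)}
            for v, c in counts.most_common()]
    return rows[:limit]


def stats_count(events):
    """stats count: number of events, whether or not they carry any given field."""
    return len(events)


def stats_dc(events, field):
    """stats dc(<field>): number of distinct values of the field."""
    return len({e[field] for e in events if field in e})


def stats_count_by(events, field, count_as="count"):
    """stats count AS <count_as> BY <field>: one row per field value, sorted by that value."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: v, count_as: c} for v, c in sorted(counts.items())]


def rename(rows, old, new):
    """rename <old> AS <new>: rename a column in every result row."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    purchases = search(events, action="purchase")
    print(top(purchases, "category_id"))                      # Example 1
    flowers = search(events, action="purchase", category_id="flowers")
    print(stats_count(flowers), stats_dc(flowers, "clientip"))  # Examples 2 and 3
    table = stats_count_by(flowers, "clientip", "# Flowers Purchased")
    print(rename(table, "clientip", "Customer"))                # Example 4
```

Each function models one stage of the pipeline, so the `|` in the Splunk search corresponds to passing the result list of one function into the next. Note that `top` computes its percent over the events that actually have the field, which is why the purchase without a category_id contributes to `stats count` but not to the `top category_id` table.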

In this last search, you found how many flowers each customer of the online shop bought. But what if you were looking for the one customer who buys the most items on any given day? When you're ready, continue on to the next topic to learn another way to search, this time using subsearches.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
