Splunk basics

Terms

Boolean operators are case-sensitive and must be written in upper case:

  • AND, OR, NOT

Constructing

Search Terms: host=hoe, error=500, user=*
Commands: table, rename, eval, chart/timechart, sort, stats

host=hoe error=500 | table _time user | rename _time AS Time user AS UserName

Timestamp

_time is a default field that Splunk generates for every event and that represents the event's timestamp.
Format time

| eval time=strftime(_time, "%H:%M")
==> 16:34

Generate table

host=hoe user=* | table _time user

DEMO chart for error 500:

host=* errorCode=500 level=ERROR environment!=prod | chart count(host) by environment | sort environment

(Screenshot: chart for error 500)

DEMO stats and table for error 500

host=* errorCode=500 level=ERROR environment!=prod | stats count as error by environment | table environment error | sort environment

(Screenshot: stats and table for error 500)
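As an added example (not from the original notes), the commands above combined into one alert-style search that flags non-prod hosts producing a burst of HTTP 500 errors; field names follow the demo queries, while the 15-minute window and the threshold of 20 errors are assumed values.

```spl
host=* errorCode=500 level=ERROR environment!=prod
| bin _time span=15m
| stats count AS errors dc(user) AS affected_users BY _time environment host
| where errors >= 20
| sort - errors
| eval window=strftime(_time, "%Y-%m-%d %H:%M")
| table window environment host errors affected_users
| rename window AS Window, errors AS "HTTP 500 Count", affected_users AS "Affected Users"
```

Sorting happens before the rename so the sort key is the plain field name; the formatted window only needs to exist for the final table.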

Add a comment to a query

`comment("THIS IS A COMMENT")`
