Difference between revisions of "Splunk"
From neil.tappsville.com
Jump to navigationJump to searchm |
m |
||
| Line 1: | Line 1: | ||
| + | |||
| + | ==Training== | ||
| + | https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html | ||
| + | |||
| + | ==Search== | ||
| + | |||
Match Value (.*) after "want:" and turn it into a field (field_name) | Match Value (.*) after "want:" and turn it into a field (field_name) | ||
<pre> | rex field=_raw "some text before what we want:(?<field_name>.*)" </pre> | <pre> | rex field=_raw "some text before what we want:(?<field_name>.*)" </pre> | ||
Revision as of 02:28, 18 May 2020
Training
https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Search
Match Value (.*) after "want:" and turn it into a field (field_name)
| rex field=_raw "some text before what we want:(?<field_name>.*)"
Group results into 1 hour chunks
| timechart span=1h count(field_name) by field_name
Export RAW logs
host=<host_name> | table _raw | outputcsv rawdump.csv
Then download as csv
