Difference between revisions of "Splunk"
From neil.tappsville.com
Jump to navigationJump to searchm |
m |
||
| Line 14: | Line 14: | ||
host=<host_name> | table _raw | outputcsv rawdump.csv | host=<host_name> | table _raw | outputcsv rawdump.csv | ||
Then download as csv | Then download as csv | ||
| + | |||
| + | ==Transforming Commands== | ||
| + | |||
| + | | top [field field2] limit=0 showperc=False countfield="Renamed something" | ||
| + | | Rate [field field2] limit=0 | ||
| + | useother=True -- use when limit!=0 so 'extras' go into a catchall bucket | ||
| + | |||
| + | Stats - all stats functions must be done together (in the same pipes) | ||
| + | * Count | ||
| + | * Dc (Distinct Count) | ||
| + | * Sum -- stats sum(price) as "Gross Sales" by product_name | ||
| + | * Avg, Min, Max | ||
| + | * List -- stats list(Asset) as "stuff" by Employee | ||
| + | * Value - similar to list but unique. | ||
Revision as of 21:04, 18 May 2020
Training
https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Search
Match Value (.*) after "want:" and turn it into a field (field_name)
| rex field=_raw "some text before what we want:(?<field_name>.*)"
Group results into 1 hour chunks
| timechart span=1h count(field_name) by field_name
Export RAW logs
host=<host_name> | table _raw | outputcsv rawdump.csv
Then download as csv
Transforming Commands
| top [field field2] limit=0 showperc=False countfield="Renamed something" | Rate [field field2] limit=0
useother=True -- use when limit!=0 so 'extras' go into a catchall bucket
Stats - all stats functions must be done together (in the same pipes)
- Count
- Dc (Distinct Count)
- Sum -- stats sum(price) as "Gross Sales" by product_name
- Avg, Min, Max
- List -- stats list(Asset) as "stuff" by Employee
- Value - similar to list but unique.
