Difference between revisions of "Splunk"
Latest revision as of 05:25, 22 March 2024
Training
https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Search
Match Value (.*) after "want:" and turn it into a field (field_name)
| rex field=_raw "some text before what we want:(?<field_name>.*)"
Match field is NULL
NOT field=*
Visualizations
blah | timechart count by fieldname
Fill nulls with zero
index=main startdaysago=10 | timechart span=1d count |fillnull
Note that when exporting via the API, a day with no data comes back as 'None' rather than the zero you would expect. To work around this, append the following before the final stats step:
| append [search index=_telemetry | eval myval="0" | table _time,myval] `comment("fillnull doesn't work on single dates that don't have logs for that day")`
Remember to grant the API user access to the _telemetry index (chosen only because it has exactly one entry per day, the Splunk licence usage record).
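The same gap can also be closed on the consumer side after the export. This is an added example, not from the wiki: it takes timechart rows already fetched from the API as JSON (the row shape and sample values are constructed), treats both a missing day and a 'None' count as zero, and returns a dense daily series across the search window.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample export of `timechart span=1d count`; not real data.
# 2024-03-14 is absent from the rows and 2024-03-16 carries "None" instead
# of 0, the two shapes an empty day takes in an API export.
SAMPLE_ROWS = [
    {"_time": "2024-03-12T00:00:00.000+00:00", "count": "14"},
    {"_time": "2024-03-13T00:00:00.000+00:00", "count": "9"},
    {"_time": "2024-03-15T00:00:00.000+00:00", "count": "3"},
    {"_time": "2024-03-16T00:00:00.000+00:00", "count": "None"},
]


def _to_day(splunk_time: str) -> date:
    """Convert Splunk's ISO 8601 _time (e.g. 2024-03-12T00:00:00.000+00:00) to a UTC date."""
    return datetime.fromisoformat(splunk_time).astimezone(timezone.utc).date()


def _to_count(raw) -> int:
    """Treat None, '', 'None' and 'null' as zero; anything else must be numeric."""
    if raw is None or str(raw).strip().lower() in ("", "none", "null"):
        return 0
    return int(float(raw))


def fill_daily_gaps(rows, start=None, end=None, field="count"):
    """Return {'YYYY-MM-DD': count} with one entry for every day in [start, end].

    start/end are ISO date strings. When omitted they default to the first and
    last day present in the export, so leading/trailing empty days are only
    filled when the caller passes the real search window (e.g. startdaysago=10).
    """
    by_day = {_to_day(r["_time"]): _to_count(r.get(field)) for r in rows}
    if not by_day and (start is None or end is None):
        return {}
    first = date.fromisoformat(start) if start else min(by_day)
    last = date.fromisoformat(end) if end else max(by_day)
    series = {}
    d = first
    while d <= last:
        series[d.isoformat()] = by_day.get(d, 0)
        d += timedelta(days=1)
    return series


if __name__ == "__main__":
    for day, n in fill_daily_gaps(SAMPLE_ROWS, "2024-03-10", "2024-03-19").items():
        print(day, n)
```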
Group results into 1 hour chunks
| timechart span=1h count(field_name) by field_name
Group by hour of day
| eval eventHour=strftime(_time,"%H") | stats count by eventHour
Export RAW logs
host=<host_name> | table _raw | outputcsv rawdump.csv
Then download as csv
Count of matching field
host=* initial_search | stats count(eval(_raw like "%findx%")) as failed, count(eval(_raw like "%findy%")) as success by ipaddress
Comments
host="*-blah" cmd=login NOT field=192.168.0.0/24 `comment("NOT xyz")` NOT field=192.168.10.0/24 `comment("NOT abc")` | fields field_one, device_ip, field_server | dedup field_one, device_ip, field_server
Transactions
eventtype=jbgp_state_change | transaction host,jbgp_state_instance,jbgp_state_peer startswith=(eventtype=jbgp_state_down) endswith=(eventtype=jbgp_state_up) keepevicted=true
Transforming Commands
| top [field field2] limit=0 showperc=False countfield="Renamed something" | rare [field field2] limit=0
useother=True -- use when limit!=0 so 'extras' go into a catchall bucket
Stats - all stats functions must be done together (in the same pipes)
- Count
- Dc (Distinct Count)
- Sum -- stats sum(price) as "Gross Sales" by product_name
- Avg, Min, Max
- List -- stats list(Asset) as "stuff" by Employee
- Values - similar to list but unique.
IP lookup
DNSlookup
The key for dnslookup is to put the data into a table before the lookup is called
host=*mgfw* DENY 192.168.0.1 | rex field=_raw "source-address=\"(?<sourceip>.*?)\" " | dedup sourceip | table sourceip | lookup dnslookup clientip AS sourceip OUTPUT clienthost
Returns the fields sourceip, clienthost.
If the field is already named clientip, the lookup is simply: blah | lookup dnslookup clientip OUTPUT clienthost
| lookup dnslookup clientip as source_ip_field OUTPUT clienthost as output_field
Comments
Uses backticks
`comment("why did I add this random string to the search again?")`
Notify about Disabled Alerts
| rest /services/saved/searches | fields title disabled | where title like "IcareaboutX%" AND disabled=1
SNMP Link down
SNMP_TRAP_LINK* NOT "\.0" process=mib2d | table _raw