Difference between revisions of "Splunk"
From neil.tappsville.com
Revision as of 22:26, 28 December 2021
Training
https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Search
Match Value (.*) after "want:" and turn it into a field (field_name)
| rex field=_raw "some text before what we want:(?<field_name>.*)"
Match field is NULL
NOT field=*
Group results into 1 hour chunks
| timechart span=1h count(field_name) by field_name
Group by hour of day
| eval eventHour=strftime(_time,"%H") | stats count by eventHour
Export RAW logs
host=<host_name> | table _raw | outputcsv rawdump.csv
Then download as csv.
Transforming Commands
| top [field field2] limit=0 showperc=False countfield="Renamed something"
| rare [field field2] limit=0 useother=True -- use when limit!=0 so the 'extras' go into a catch-all OTHER bucket
Stats - all stats functions must be done together (in the same pipe):
* count
* dc (distinct count)
* sum -- stats sum(price) as "Gross Sales" by product_name
* avg, min, max
* list -- stats list(Asset) as "stuff" by Employee
* values -- similar to list but unique
IP lookup
| lookup dnslookup clientip as source_ip_field OUTPUT clienthost as output_field
Comments
Uses backticks: `comment("why did I add this random string to the search again?")`
Notify about Disabled Alerts
| rest /services/saved/searches | fields title disabled | where title like "IcareaboutX%" AND disabled=1
https://community.splunk.com/t5/Alerting/Is-there-a-way-to-audit-when-an-alert-is-changed-or-disabled/td-p/424780
SNMP Link down
SNMP_TRAP_LINK* NOT "\.0" process=mib2d | table _raw
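A fuller worked search for the rex, NULL-handling and Transforming Commands notes above. This is an added example, not a snippet from the original page: the index, sourcetype and field names (web, access_combined, product_name, bytes, clientip, status) are constructed for illustration, and the comment macro is used the way the Comments note describes. The point it shows is the "all stats functions in the same pipe" rule: a second stats after `stats count by product_name` could not sum bytes, because bytes no longer exists once the first stats has run, so every aggregate goes into one stats call over the same split-by fields.

```spl
index=web sourcetype=access_combined `comment("Added example with constructed names. Every aggregate lives in one stats call")`
| rex field=_raw "product=(?<product_name>[^&\s]+)"
| fillnull value="(no product)" product_name
| eval eventHour=strftime(_time,"%H")
| stats count as requests
        sum(bytes) as "Total Bytes"
        dc(clientip) as "Distinct Clients"
        values(status) as "HTTP Statuses"
        avg(bytes) as avg_bytes
    by product_name eventHour
| sort - requests
```

The fillnull line is the NULL check from above turned into a bucket: events where the rex did not match would otherwise have product_name NULL and silently drop out of the `by product_name` split, which hides failed extractions rather than surfacing them. Keep commas out of the comment macro text; its argument list is split on commas.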
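An expanded version of the Notify about Disabled Alerts search above, added here as an example and not taken from the page or from Splunk's documentation. It goes one step beyond the original by also reporting alerts that are still enabled but no longer scheduled, since unscheduling silences a detection just as effectively as disabling it. `IcareaboutX` is the page's own placeholder prefix; `is_scheduled`, `cron_schedule`, `updated`, `eai:acl.app` and `eai:acl.owner` are fields the saved/searches endpoint returns, and `splunk_server=local` keeps a search-head cluster from returning one row per member.

```spl
| rest /services/saved/searches splunk_server=local
| fields title disabled is_scheduled cron_schedule eai:acl.app eai:acl.owner updated
| where like(title, "IcareaboutX%")
| eval state=case(disabled=1, "DISABLED",
                  is_scheduled=0, "NOT SCHEDULED",
                  true(), "ok")
| where state!="ok"
| rename eai:acl.app as app, eai:acl.owner as owner
| table title app owner state cron_schedule updated
```

Save it as a scheduled alert whose trigger condition is "number of results greater than 0"; the owner, app and updated columns give you who to ask and when the change happened, which is the audit question the linked community thread is about. The `disabled` and `is_scheduled` values come back as 0/1, so the numeric comparisons in the case() are what you want rather than string matching.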