Transcription
QUICK REFERENCE GUIDEThis guide describes key concepts andfeatures, as well as commonly usedcommands and functions for SplunkCloud and Splunk Enterprise.ConceptsEventsAn event is a set of values associated with atimestamp. It is a single entry of data and canhave one or multiple lines. An event can be atext document, a configuration file, an entirestack trace, and so on. This is an example of anevent in a web activity log:173.26.34.223 - - [01/Mar/2021:12:05:27 -0700] “GET /trade/app?action logout HTTP/1.1” 200 2953You can also define transactions to search forand group together events that are conceptuallyrelated but span a duration of time. Transactionscan represent a multistep business-relatedactivity, such as all events related to a singlecustomer session on a retail website.MetricsA metric data point consists of a timestamp andone or more measurements. It can also containdimensions. A measurement is a metric nameand corresponding numeric value. Dimensionsprovide additional information about themeasurements. Sample metric data point:Timestamp: 08-05-2020 16:26:42.025-0700Measurement: metric name:os.cpu.user 42.12, metric name:max.size.kb 345Dimensions: hq us-west-1,group queue, name azdMetric data points and events can besearched and correlated together, but arestored in separate types of indexes.Hos t , Source, and Source TypeA host is the name of the physical or virtualdevice where an event originates. It can be usedto find all data originating from a specific device.A source is the name of the file, directory, datastream, or other input from which a particularevent originates. Sources are classified intosource types, which can be either well knownformats or formats defined by the user. Somecommon source types are HTTP web serverlogs and Windows event logs.Events with the same source types can comefrom different sources. For example, events fromthe file source /var/log/messages and froma syslog input port source UDP:514 often sharethe source type, sourcetype linux syslog.FieldsFields are searchable name and value pairingsthat distinguish one event from another. Notall events have the same fields and field values.Using fields, you can write tailored searchesto retrieve the specific events that you want.When Splunk software processes events atindex-time and search-time, the softwareextracts fields based on configuration filedefinitions and user-defined patterns.Use the Field Extractor tool to automaticallygenerate and validate field extractions at searchtime using regular expressions or delimiters suchas spaces, commas, or other characters.TagsA tag is a knowledge object that enables you tosearch for events that contain particular fieldvalues. You can assign one or more tags to anyfield/value combination, including event types,hosts, sources, and source types. Use tags togroup related field values together, or to trackabstract field values such as IP addresses or IDnumbers by giving them more descriptive names.Index-Time and Search -TimeDuring index-time processing, data is read froma source on a host and is classified into a sourcetype. Timestamps are extracted, and the datais parsed into individual events. Line-breakingrules are applied to segment the events todisplay in the search results. Each event iswritten to an index on disk, where the event islater retrieved with a search request.When a search starts, referred to as search-time,indexed events are retrieved from disk. Fieldsare extracted from the raw text for the event.IndexesWhen data is added, Splunk software parsesthe data into individual events, extracts thetimestamp, applies line-breaking rules, andstores the events in an index. You can create newindexes for different inputs. By default, data isstored in the “main” index. Events are retrievedfrom one or more indexes during a search.Core FeaturesRepor tsSearch is the primary way users navigatedata in Splunk software. You can write asearch to retrieve events from an index, usestatistical commands to calculate metricsand generate reports, search for specificconditions within a rolling time window,identify patterns in your data, predict futuretrends, and so on. You transform the eventsusing the Splunk Search Process Language(SPL ). Searches can be saved as reportsand used to power dashboards.Repor tsReports are saved searches. You can runreports on an ad hoc basis, schedule reportsto run on a regular interval, or set a scheduledreport to generate alerts when the results meetparticular conditions. Reports can be added todashboards as dashboard panels.DashboardsDashboards are made up of panels that containmodules such as search boxes, fields, and datavisualizations. Dashboard panels are usuallyconnected to saved searches. They can displaythe results of completed searches, as well asdata from real-time searches.Aler tsAlerts are triggered when search results meetspecific conditions. You can use alerts onhistorical and real-time searches. Alerts can beconfigured to trigger actions such as sendingalert information to designated email addressesor posting alert information to a web resourceAdditional FeaturesDatasetsSplunk allows you to create and managedifferent kinds of datasets, including lookups,data models, and table datasets. Table datasetsare focused, curated collections of event datathat you design for a specific business purpose.You can define and maintain powerful tabledatasets with Table Views, a tool that translatessophisticated search commands into simple UIeditor interactions. It’s easy to use, even if youhave minimal knowledge of Splunk SPL.Data ModelA data model is a hierarchically-organizedcollection of datasets. You can referenceentire data models or specific datasets withindata models in searches. In addition, you canapply data model acceleration to data models.Accelerated data models offer dramatic gainsin search performance, which is why they areoften used to power dashboard panels andessential on-demand reports.AppsApps are a collection of configurations,knowledge objects, and customer designedviews and dashboards. Apps extend theSplunk environment to fit the specific needs oforganizational teams such as Unix or Windowssystem administrators, network securityspecialists, website managers, businessanalysts, and so on. A single Splunk Enterpriseor Splunk Cloud installation can run multipleapps simultaneously.Dis tributed SearchA distributed search provides a way to scaleyour deployment by separating the searchmanagement and presentation layer from theindexing and search retrieval layer. You usedistribute search to facilitate horizontal scalingfor enhanced performance, to control accessto indexed data, and to manage geographicallydispersed data.System ComponentsFor warder sA Splunk instance that forwards data to anotherSplunk instance is referred to as a forwarder.IndexerAn indexer is the Splunk instance that indexesdata. The indexer transforms the raw data intoevents and stores the events into an index.The indexer also searches the indexed data inresponse to search requests. The search peersare indexers that fulfill search requests from thesearch head.
QUICK REFERENCE GUIDESearch HeadIn a distributed search environment, the searchhead is the Splunk instance that directs searchrequests to a set of search peers and mergesthe results back to the user. If the instancedoes only search and not indexing, it is usuallyreferred to as a dedicated search head.Search ProcessingLanguage (SPL)A Splunk search is a series of commands andarguments. Commands are chained togetherwith a pipe “ ” character to indicate that theoutput of one command feeds into the nextcommand on the right.search command1 arguments1 command2 arguments2 .At the start of the search pipeline, is animplied search command to retrieve eventsfrom the index. Search requests are writtenwith keywords, quoted phrases, Booleanexpressions, wildcards, field name/value pairs,and comparison expressions. The AND operatoris implied between search terms. For example:sourcetype access combined error top 5 uriThis search retrieves indexed web activity eventsthat contain the term “error”. For those events, itreturns the top 5 most common URI values.Search commands are used to filter unwantedevents, extract more information, calculatevalues, transform, and statistically analyzethe indexed data. Think of the search resultsretrieved from the index as a dynamicallycreated table. Each indexed event is a row.The field values are columns. Each searchcommand redefines the shape of that table.For example, search commands that filterevents will remove rows, search commandsthat extract fields will add columns.Time Modif ier sYou can specify a time range to retrieve eventsinline with your search by using the latestand earliest search modifiers. The relativetimes are specified with a string of charactersto indicate the amount of time (integer andunit) and an optional “snap to” time unit.The syntax is:[ -] integer unit @ snap timeunit The search “error earliest -1d@d latest h@h” retrieves events containing “error” thatoccurred yesterday snapping to the beginningof the day (00:00:00) and through to the mostrecent hour of today, snapping on the hour.Common Search CommandsCommandDescriptionchart/timechartReturns results in a tabularoutput for (time-series)charting.dedupRemoves subsequentresults that match aspecified criterion.evalCalculates an expression.See COMMON EVALFUNCTIONS.fieldsRemoves fields fromsearch results.head/tailReturns the first/last Nresults.lookupAdds field values from anexternal source.renameRenames a field. Usewildcards to specifymultiple fields.rexSpecifies regularexpression named groupsto extract fields.searchFilters results to thosethat match the searchexpression.sortSorts the search results bythe specified fields.statsProvides statistics,grouped optionally byfields. See COMMONSTATS FUNCTIONS.Search as specifically as you can. For example,fatal error not *error*mstatsSimilar to stats but used onmetrics instead of events.Use post-processing searches in dashboards.tableSpecifies fields to keep inthe result set. Retains datain tabular format.top/rareDisplays the most/leastcommon values of a field.transactionGroups search results intotransactions.whereFilters search results usingeval expressions. Usedto compare two differentfields.The snap to time unit rounds the time down. Forexample, if it is 11:59:00 and you snap to hours(@h), the time used is 11:00:00 not 12:00:00. Youcan also snap to specific days of the week using@w0 for Sunday, @w1 for Monday, and so on.SubsearchesA subsearch runs its own search and returnsthe results to the parent command as theargument value. The subsearch is run first andis contained in square brackets. For example,the following search uses a subsearch to findall syslog events from the user that had the lastlogin error:sourcetype syslog [ search loginerror return 1 user ]Optimizing SearchesThe key to fast searching is to limit the datathat needs to be pulled off disk to an absoluteminimum. Then filter that data as early aspossible in the search so that processing isdone on the minimum data necessary.Partition data into separate indexes, if you willrarely perform searches across multiple typesof data. For example, put web data in one index,and firewall data in another.Limit the time range to only what is needed. Forexample -1h not -1w, or earliest -1d.Use summary indexing, and report and datamodel acceleration features.Machine Learning CapabilitiesSplunk’s Machine Learning capabilities areintegrated across our portfolio and embeddedin our solutions through offerings such as theSplunk Machine Learning Toolkit, StreamingML framework, and the Splunk MachineLearning Environment.SPL2Several Splunk products use a new versionof SPL, called SPL2, which makes the searchlanguage easier to use, removes infrequentlyused commands, and improves theconsistency of the command syntax.See the SPL2 Search Reference.Explore our full suite of products, or investigate the table below to find the specific starting point for your journey.Or dive right in: Download the free trial and see for yourself what the Splunk platform can do for your data strategy.Learn more: docs.splunk.comSplunk, Splunk , Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States andother countries. All other brand names, product names or trademarks belong to their respective owners. 2021 Splunk Inc. All rights nceGuide-120
QUICK REFERENCE GUIDECommon Eval FunctionsThe eval command calculates an expression and puts the resulting value into a field (e.g. “. evalforce mass * acceleration”). The following table lists some of the functions used with the evalcommand. You can also use basic arithmetic operators ( - * / %), string concatenation (e.g., “. eval name last . “,” . first”), and Boolean operations (AND OR NOT XOR ! LIKE).FunctionDescriptionExamplesabs(X)Returns the absolute value of X.abs(number)case(X,"Y", )Takes pairs of arguments X and Y, where X arguments areBoolean expressions. When evaluated to TRUE, the argumentsreturn the corresponding Y argument.case(error 404, "Not found", error 500,"Internal Server Error", error 200, "OK")ceil(X)Ceiling of a number X.ceil(1.9)Identifies IP addresses that belong to a particular subnet.cidrmatch("123.132.32.0/25",ip)Returns the first value that is not null.cos(X)coalesce(null(), "Returned val", null())Calculates the cosine of X.n cos(0)exact(X)Evaluates an expression X using double precision floating pointarithmetic.exact(3.14*num)exp(X)Returns eX.exp(3)if(X,Y,Z)If X evaluates to TRUE, the result is the second argument Y. If Xevaluates to FALSE, the result evaluates to the third argument Z.if(error 200, "OK", "Error")in(field,valuelist)Returns TRUE if X is Boolean.isbool(field)isbool(X)Returns TRUE if X is Boolean.isbool(field)isint(X)Returns TRUE a value in “val
data in Splunk software. You can write a search to retrieve events from an index, use statistical commands to calculate metrics and generate reports, search for specific conditions within a rolling time window, identify patterns in your data, predict future trends, and so on. You transform the events using the Splunk Search Process Language (SPL ). Searches can be saved as reports
