Splunk Search Cheat Sheet



With some well-developed VI skills, it is quite easy to configure or reconfigure your Splunk installs, especially installs such as the Universal Forwarder, which has no Splunk Web UI. So here is the cheat sheet I use. It's not an all-inclusive cheat sheet, but it covers about 90% of the commands available to you.

In a distributed search environment, the search head is the Splunk instance that directs search requests to a set of search peers and merges the results back to the user. If the instance does only search and not indexing, it is usually referred to as a dedicated search head.

Search Processing Language (SPL): A Splunk search is a series of.

I really don't like Splunk documentation. Why is it so hard to find out how to do a certain action? So this is a cheat sheet that I constructed to help me quickly gain the knowledge I need.

Analysis

Events over time

OR

Search

Arrays

Does an array contain a specific value?

Extracting values from an array

Strings

String Matching (with whitespace suppression)

If you're unable to match field values as you expect, extract the non-whitespace values from the field and compare against that instead.

For example, in the query below, context.messageStatus may contain whitespace, so a plain = comparison in Splunk won't match it. Instead, we need to do the following:

If you're trying to get multiple matches, use max_match, where max_match=0 finds unlimited matches.
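The whitespace-suppression pattern and the max_match=0 option together, as an added example that is not from the original page. The event is constructed inline with makeresults, so it runs in any Splunk search bar without an index; the recipients field and the e-mail addresses are made up for illustration, and the nested context.messageStatus field follows the page's own naming:

```spl
| makeresults count=1
| eval _raw="{\"context\":{\"messageStatus\":\"  delivered \"},\"recipients\":\"alice@example.com, bob@example.com\"}"
| rename COMMENT AS "constructed sample event, not real data; rex below pulls the non-whitespace part of the status"
| spath
| rex field=context.messageStatus "(?<status_clean>\S+)"
| rex field=recipients max_match=0 "(?<recipient>[^\s,]+)"
| search status_clean="delivered"
| table context.messageStatus status_clean recipient
```

The first rex keeps only the non-whitespace run of the padded status, so the `search` on status_clean matches where `context.messageStatus="delivered"` would not. The second rex uses max_match=0 to return every comma-separated address as a multivalue field rather than stopping at the first match.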

String Replacement

String Concatenation

Substrings

eval

Trying to use a nested value in a dictionary, in an eval statement? Use rename first!
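An added example (not from the original page) of the rename-then-eval pattern, which also exercises the string replacement, concatenation and substring functions from the sections above. The nested JSON event is constructed with makeresults; the sender field, the message id value and the output field names are illustrative:

```spl
| makeresults count=1
| eval _raw="{\"context\":{\"messageStatus\":\"delivered\",\"messageId\":\"msg-0001\"},\"sender\":\"alice@example.com\"}"
| rename COMMENT AS "constructed sample event, not real data; nested fields are renamed before eval touches them"
| spath
| rename context.messageStatus AS msg_status, context.messageId AS msg_id
| eval status_upper=upper(msg_status),
       status_short=substr(msg_status, 1, 3),
       sender_domain=replace(sender, "^[^@]+@", ""),
       summary=msg_id . " from " . sender_domain . " is " . status_upper
| table msg_id msg_status status_upper status_short sender_domain summary
```

After the rename, the eval can refer to msg_status and msg_id as ordinary field names. replace() takes a regex and strips the local part of the address, substr() takes the first three characters, and the dot operator concatenates the pieces into the summary field.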

Working with Multiple Queries

Subsearch

This is used for funneling the output of one Splunk query into another query. However, some older Splunk versions do not support it. There are other ways to formulate your query, though! See this link for inspiration.

Joins


Joins are handy, when they work. This is a semi-complicated example I've used:

When doing this, remember to put search at the start of the subsearch! Otherwise, it won't work at all.
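A runnable version of the join pattern, added here as an example and not taken from the original page. Both sides are built with makeresults so it runs without any index: the outer query plays the role of a failed-login summary and the inner one a watchlist; user, failed_logins, watchlist and the names in them are made up for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval user=case(n=1, "alice", n=2, "bob", n=3, "mallory"), failed_logins=n*4
| rename COMMENT AS "constructed outer data, not real events; inner data below is constructed too"
| fields - n _time
| join type=left user
    [ | makeresults count=2
      | streamstats count AS n
      | eval user=if(n=1, "alice", "mallory"), watchlist="yes"
      | fields - n _time ]
| fillnull value="no" watchlist
| table user failed_logins watchlist
```

The left join keeps all three users and attaches watchlist="yes" to alice and mallory; fillnull sets bob to "no". Because the inner query here starts with a generating command, it begins with a pipe; against indexed data it would instead begin with the search keyword, for example `[ search index=watchlist | fields user watchlist ]` (index name assumed), which is where the page's warning applies. The same subsearch syntax also funnels values into an outer query on its own, e.g. `index=auth [ search index=watchlist | fields user ]` (index names assumed), which Splunk expands into an OR of the returned user values.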

Filtering

NOT v !=

This is so lame, and is such a gotcha. Original source.

Turns out, an empty string is treated as 'not existing'. This means that if you have a column containing either an empty string or a value, and you want only the empty strings, use NOT rather than !=.
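The NOT versus != difference on constructed data, as an added example that is not from the original page. Since the page's point is that an empty-string field behaves like a missing one, the missing case is modelled explicitly with null() so the query runs from makeresults; src and status are illustrative field names.

```spl
| makeresults count=3
| streamstats count AS n
| eval src=case(n=1, "10.0.0.1", n=2, "10.0.0.2", n=3, "10.0.0.3"),
       status=case(n=1, "ok", n=2, "error", n=3, null())
| rename COMMENT AS "constructed rows, not real events; row 3 has no status field at all"
| fields - n _time
| search NOT status="ok"

| makeresults count=3
| streamstats count AS n
| eval src=case(n=1, "10.0.0.1", n=2, "10.0.0.2", n=3, "10.0.0.3"),
       status=case(n=1, "ok", n=2, "error", n=3, null())
| fields - n _time
| search status!="ok"
```

Run as two separate searches. The first, with NOT, returns both 10.0.0.2 (status="error") and 10.0.0.3 (no status field). The second, with !=, returns only 10.0.0.2, because != requires the field to exist. For a detection that should fire on events missing a field (an authentication event with no user, say), NOT is the form that does not silently drop those events.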

Formatting

I like things looking nice. Often this also means better usability, as it takes less mental energy to parse output meant for machines. However, Splunk is a terrible means to nicely format output, especially when trying to send this output downstream (like JIRA).

Search

Through lots of trial and error, I have found these patterns to work nicely:

  • Use rex to extract values

  • Use eval to assign temporary variables

  • Use mvexpand to split multiple results from rex into their own separate rows

  • Use stats list(<field_to_combine>) as <new_name_for_field> by <params_you_want_to_group_together> to combine rows.

  • Use nomv to teach JIRA to recognize multi-value rows, then use rex to replace spaces with new lines. IMPORTANT: Even though Splunk does not show the new lines, it will come out as expected in JIRA!
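The whole formatting pipeline in one runnable query, added here as an example and not from the original page. A single constructed event carries several user= pairs so that rex with max_match=0 produces a multivalue field; src, user and ticket_label are illustrative names.

```spl
| makeresults count=1
| eval _raw="src=10.0.0.5 user=alice user=bob user=carol"
| rename COMMENT AS "constructed sample event, not real data"
| rex max_match=0 "user=(?<user>\S+)"
| rex "src=(?<src>\S+)"
| eval ticket_label="failed-logins"
| mvexpand user
| stats list(user) AS users by src, ticket_label
| nomv users
| rex field=users mode=sed "s/ /\n/g"
| table src ticket_label users
```

rex extracts the values, eval assigns the temporary ticket_label, mvexpand splits the three users into three rows, stats list() folds them back into one multivalue field per src and label, nomv turns that into a single space-separated value, and the final sed-mode rex swaps the spaces for new lines for the downstream consumer.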

Miscellaneous Gotchas


Using rename

For some wacky reason,

is not the same as


The latter works as expected. I guess learning this method is always better, since it also works when trying to count by multiple items.

References


  • Other useful eval functions.