SPL Syntax
Basic Searching Concepts
Simple searches look like the following examples. Note that there are literals with and without
quoting, and that both data field and data source selections are written with an "=":
Filter by fields
    source="/var/log/apache/access.log" status=500
    All lines where the field "status" has value 500 from the file /var/log/apache/access.log

Filter by host
    host="myblog" source="/var/log/syslog" Fatal
    Give me all fatal errors from syslog of the blog host

Selecting an index
    index="secretStuff" password
    Access a specific index and text matching 'password'
Basic Filtering
Two important filters are "rex" and "regex". "rex" is for extracting a pattern and storing it as a
new field. This is why you need to specify a named extraction group in the Perl-like manner "(?…)",
for example
When running the above query, check the list of "interesting fields": it should now have an entry
"FIELDNAME" listing the top 10 fatal messages from "some.log". What is the difference from
"regex" then? Well, "regex" is like grep. Actually you can rephrase
source="some.log" Fatal
to
and get the same result. The syntax of "regex" is simply "=". Using it makes sense once you
want to filter on a specific field rather than on the whole event.
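An added example (not part of the original sheet) that chains both commands: "rex" stores the text after "Fatal: " in a new field, "regex" then keeps only events whose new field matches an authentication-related pattern, and "top" lists the ten most frequent messages. The field name errmsg, the "Fatal: " message format and the auth pattern are assumptions about the log, not values from the page.

```spl
source="some.log" Fatal
| rex field=_raw "Fatal: (?<errmsg>.+)$"
| regex errmsg="(?i)auth|denied|permission"
| top limit=10 errmsg
```

Because regex runs after rex, it filters on the extracted field only; dropping the rex line would make errmsg unknown and return no events.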
Calculations
Determine the size of log events by checking len() of _raw. The p10() and p90() functions
return the 10th and 90th percentiles:
Emailing Results
By appending "sendemail" to any query you get the result by mail!
Timecharts
Create a timechart from a single field that should be summed up (the second form splits the sum by the field "name"):
... | table _time, <field> | timechart span=1d sum(<field>)
... | table _time, <field>, name | timechart span=1d sum(<field>) by name
Index Statistics
List All Indices
Reload apps
Load the base URL with
/debug/refresh
appended.
Debug Traces
You can enable traces per trace topic listed in splunkd.log. To change this permanently, edit
/opt/splunk/etc/log.cfg and change the trace level from "INFO" to "DEBUG". Example:
category.TcpInputProc=DEBUG
The same can be achieved non-persistently and on the fly in the "System Settings" GUI.
Configuration
To list the effective configuration:
Inputs
Licenses
User Management
# Older variant
splunk _internal rpc-auth ''
To list