Friday, December 6, 2019

Splunk : queries


1. SPL Keywords

by | as | over | where | or


2. Command chaining

index=airbnb | where Price > 40

index=airbnb Neighborhood=Queens "Property Type"=Apartment | where Price > 70 OR Price = 65
________________________________________________________________
3. SPL Filtering and Modifying
  • fields
  • search
  • rename
fields : add or remove the fields that we want to show in our search results

index=airbnb Neighborhood=Queens "Property Type"=Apartment | fields - beds

index=airbnb Neighborhood=Queens "Property Type"=Apartment | fields + beds, Price

search : searches the raw text of the events already in the pipeline

index=airbnb Neighborhood=Queens "Property Type"=Apartment | search large

rename : gives a field a new name in the results

index=airbnb Neighborhood=Queens "Property Type"=Apartment | search large | rename Price as Cost
________________________________________________________________

Ordering
  1. head
  2. tail
  3. sort
  4. reverse
  5. table
head : keep only the first N results
index=airbnb Neighborhood=Queens "Property Type"=Apartment | search large | head 20

tail : keep only the last N results
index=airbnb Neighborhood=Queens "Property Type"=Apartment | search large | tail 30

sort : order results by a field
index=airbnb Neighborhood=Queens "Property Type"=Apartment | search large | sort Price desc

reverse : flip the current order of the results
index=airbnb Neighborhood=Queens "Property Type"=Apartment | search large | sort Price desc | reverse

table : show only the listed fields, as columns in that order
index=airbnb Neighborhood=Queens "Property Type"=Apartment | search large | rename Price as Cost | table Neighborhood, "Property Type", Cost
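The filtering and ordering commands from these two sections chained into one pipeline, as an added example (not part of the original notes). It assumes the same airbnb index and the field names Neighborhood, "Property Type", beds and Price used above:

```spl
index=airbnb Neighborhood=Queens "Property Type"=Apartment
| where Price > 70 OR Price = 65
| search large
| fields + Neighborhood, "Property Type", beds, Price
| rename Price AS Cost
| sort -Cost
| head 20
| table Neighborhood, "Property Type", beds, Cost
```

Order matters in the pipeline: `search large` runs before `fields` so the raw text is still there to match, and once `rename` has turned Price into Cost every later command (`sort`, `table`) must use the new name. `sort -Cost | head 20` is the usual way to get the 20 most expensive listings rather than 20 arbitrary ones.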
_______________________________________________________________

Transforming commands turn the events returned by a search into a data structure (a table or chart) built from field values.

top : most frequent values of a field
index=airbnb | top limit=3 beds
rare : least frequent values of a field
index=airbnb | rare limit=3 beds
highlight
contingency : cross-tabulates two fields (how often each pair of values occurs together)
index=airbnb | contingency Neighborhood "Property Type"

Stats commands

A special type of transforming command, used primarily for calculations whose results are presented as a table

|stats avg(<fieldname>)
calculate results based on the average function
index=airbnb | stats avg(Price)
index=airbnb | stats avg(Price) by Neighborhood

Find number of listings by neighborhood
|stats count(eval(<condition>)) as <newname> : counts the events; with an eval condition, only the events for which the condition is true are counted
index=airbnb | stats count

index=airbnb | stats count by Neighborhood

Find maximum listing price by neighborhood
|stats max(<fieldname>) : returns the maximum value for a specific field
index=airbnb | stats max(Price)
index=airbnb | stats max(Price) by Neighborhood


Find minimum listing price by neighborhood
|stats min(<fieldname>) : returns the minimum value for a specific field
index=airbnb | stats min(Price)
index=airbnb | stats min(Price) by Neighborhood

Find the sum of listing prices by neighborhood
|stats sum(<fieldname>) : returns the sum of the values of a specific field
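The same stats functions applied to a question a defender actually asks of authentication logs: which source addresses failed many times against many different accounts? This is an added example, not from the original notes. It assumes an index named auth whose events already carry extracted fields src_ip, user and action (with action holding success or failure); those names are assumptions and must be matched to your own sourcetype:

```spl
index=auth
| stats count AS attempts,
        count(eval(action="failure")) AS failures,
        dc(user) AS distinct_users,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY src_ip
| eval failure_ratio=round(failures/attempts, 2)
| where failures >= 20 AND distinct_users >= 5
| convert ctime(first_seen) ctime(last_seen)
| sort -failures
```

`count(eval(...))` only counts events where the condition is true, so attempts and failures come from one pass over the data; `dc()` (distinct count) is what separates a user who mistyped a password twenty times from one source trying twenty different accounts. The thresholds in `where` are placeholders to tune against your own baseline; `min`/`max` of `_time` give the window of activity, and `convert ctime` makes those epoch values readable.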

Chart commands


A type of Splunk transforming command for presenting data in tables or visualizations. It typically uses the same functions as stats.

|chart <function>(<fieldname>) as <newname> [by <fieldname>]

|timechart <function>(<fieldname>) as <newname> [by <fieldname>] : the same, but bucketed over time


Find the number of listings by property type

index=airbnb | chart count as types by "Property Type"

host="tvidushi" | timechart count as messages  by keywords 
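The chart and timechart forms on the authentication data from the stats example, as an added example (not from the original notes). The two queries are run separately; both assume an index named auth with extracted fields src_ip and action (success or failure), which are assumptions to adapt to your own data:

```spl
index=auth action=failure
| timechart span=15m limit=5 count AS failures BY src_ip useother=true

index=auth
| chart count OVER src_ip BY action
| eval total=coalesce(success, 0) + coalesce(failure, 0)
| sort -failure
```

The timechart gives one line per source of failed logins in 15-minute buckets, keeping the five busiest sources and folding the rest into OTHER, which is the view that makes a burst of failures stand out visually. The chart uses `OVER` for the rows and `BY` for the columns, so every source becomes a row with a success and a failure column; `coalesce` guards the `total` arithmetic against sources that have only one of the two values, which would otherwise leave `total` empty.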

What is SPLUNK LOOK UP ?


Splunk is software used to search and analyze machine data. It has built-in features to recognize data types and field separators and to optimize the search process. It also provides data visualization of the search results.

Splunk can read unstructured, semi-structured or, rarely, structured data. After reading the data, it allows users to search and tag it and to create reports and dashboards on it. With the advent of big data, Splunk is now able to ingest big data from various sources, which may or may not be machine data, and run analytics on it.


source type detection