Splunk : queries

1.SPL Keywords 

By | As | over | where|  or |

2.Command chaining

index ="AirBNB" | where Price > 40

index="AirBnB" Neighborhood Queens "Property Type"= Apartment | where Price >70 or Price =65
________________________________________________________________
3.SPL Filtering and Modifying 

• Field
• Search
• Rename

Fields : Add/Subtract fields that we want to show in our search

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | field -bed

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | field +bed,price

search : searches for raw text

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | search large

rename : rename a field for raw text

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | search large |rename Price as Cost

________________________________________________________________

Ordering

1. Head
2. Tail
3. sort
4. reverse
5. Table 

Head

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | search large |head 20

Tail

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | search large |tail 30

sort

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | search large |sort Price desc

reverse

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | search large |rename Price as Cost

Table 

index="AirBnB Neighborhood =Queens "Property Type"= Apartment | search large |rename Price as Cost

_______________________________________________________________

Transformative commands allow search commands to create data structure from field values.

Top : most frequent values
index=airbnb | top limit 3 beds
Rare: least frequent values
index=airbnb | rare limit 3 beds
Highlight
Contingency
index=airbnb | contingency Neighborhood  "Property Type"

Stats commands

Special type of transforming commands used primarily for calculations to for table results

|stats avg([fieldname])
calculate results based on average function
index=airbnb | stats avg(Price)
index=airbnb | stats avg(Price) by Neigbourhood 

Find number of listings by neighborhood
|stats count(eval[fieldname]) as new name . : returns timeseries chart over the data element 
index=airbnb | stats count

index=airbnb | stats count by Neigbourhood 

Find maximum  listing by price neighborhood
|stats max(fieldname) : returns maximum value for a specific field index=airbnb | stats max(Price)
index=airbnb | stats mav(Price) by Neighbourhood


Find min of listings by neighborhood
|stats min(fieldname) : returns minimum value for a specific field
index=airbnb | stats min(Price) 
index=airbnb | stats min(Price) by Neighbourhood

Find maximum of listings in neighborhood

|stats sum(fieldname) : returns sum value for a specific field

Chart commands

Type of splunk transforming command for presenting data in tables or visualization . Typically include stats commands

|chart somefunction([fieldname]) as new name  

|timechart somefunction([fieldname]) as new name 


Find the type of property listed by property type

index=airbnb | chart count as types by "Property Type"

host="tvidushi" | timechart count as messages  by keywords 

What is SPLUNK LOOK UP ?

Splunk is a software used to search and analyze machine data. It has built-in features to recognize the data types, field separators and optimize the search processes. It also provides data visualization on the search results.

Splunk can read this unstructured, semi-structured or rarely structured data. After reading the data, it allows to search, tag, create reports and dashboards on these data. With the advent of big data, Splunk is now able to ingest big data from various sources, which may or may not be machine data and run analytics on big data.

source type detection