Splunk SPL for Operational Insights

  • host – The host machine that generated the event.
  • index – Identifies the index in which the event is stored.
  • linecount – The number of lines the event contains.
  • timestamp – The event timestamp.
  • splunk_server –
  • source – The source from which the logs are read, e.g. Linux syslogs, Windows event logs, Apache logs, WebSphere servers, network devices, etc.
  • sourcetype – A way to classify and name different sources, e.g. web server logs can be classified under a "weblogs" source type.

Some of the common SPL commands are summarized below:

    Category                                | Description                                                                                                                     | Commands
    ----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|------------------------------
    Sorting Results                         | Ordering results and (optionally) limiting the number of results.                                                               | sort
    Filtering Results                       | Taking a set of events or results and filtering them into a smaller set of results.                                             | search, where, dedup, head, tail
    Grouping Results                        | Grouping events so you can see patterns.                                                                                        | transaction
    Reporting Results                       | Taking search results and generating a summary for reporting.                                                                   | top/rare, stats, chart, timechart
    Filtering, Modifying, and Adding Fields | Filtering out (removing) some fields to focus on the ones you need, or modifying or adding fields to enrich your results or events. | fields, replace, eval, rex, lookup
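The following search is an added example (not part of the original page) that chains several of the commands from the table into one detection-style pipeline: it filters syslog events for failed SSH logins, extracts fields with rex, enriches with eval, summarizes with stats, and then filters, sorts and trims the result. It assumes an index named linux, sourcetype=syslog, and OpenSSH-style "Failed password for ... from ..." messages; adjust those to your environment.

```spl
index=linux sourcetype=syslog "Failed password"
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| eval user_type=if(match(_raw, "invalid user"), "invalid", "valid")
| stats count AS failures, dc(user) AS distinct_users, earliest(_time) AS first_seen, latest(_time) AS last_seen BY host, src_ip, user_type
| where failures >= 10
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
| fields host, src_ip, user_type, failures, distinct_users, first_seen, last_seen
| head 20
```

The threshold in the where clause (10 failures per host/source/user_type) is a starting point for tuning; a high distinct_users count with user_type=invalid is the pattern that usually separates password spraying from a single user mistyping a password.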
