So far, this book has introduced you to collecting and indexing data with Splunk, which prepares it for searching, and you've seen a few simple search commands too. In this chapter, we will cover more about how to use search and other commands to analyze your data.
In this chapter, we will cover the following topics:
Search processing language (SPL), a special-purpose processing language, was developed to enable fast searching on machine-generated data indexed by Splunk. The language was originally set up to be based on the Unix pipeline and Standard Query Language (SQL). SPL (as opposed to SQL) is a library of all search processing commands and their functions, arguments, and clauses. With a search command, you can group different events, filter data based on a constraint, extract fields using regular expressions, perform statistical calculations, and other tasks.
Let's dissect a search query so that you can understand exactly how it works. This will also help you to understand what pipes are. As you will see, a pipe basically takes the data that has come from an earlier step, and after it has been acted on, filtered, or extracted, it sends it on to the next step...
Every time you execute a search, always be aware that you are running a query against a set of data that is bound by date and time. The time-range picker is on the right side of the search bar. Splunk comes with predetermined time modifiers, as seen in the following screenshot. You can also use the time-range picker to set up a custom date/time-range or other advanced ranges (https://docs.splunk.com/Splexicon:Timerangepicker):
Apart from the All time selection, there are two types of time modifiers that will be used the most: Real-time and Relative. In the preceding screenshot, the predetermined real-time modifiers are in the leftmost column, and the relative time modifiers are in the middle columns.
Real-time modifiers mean that Splunk will run an ongoing, real-time search based on the specified time window. For example, a real-time search that is in a 5 minute...
Splunk is great for searching data. Using search commands, you can filter your results using key phrases just the way you would with a Google search. Here are some examples for you to try out:
SPL> index=main /booking/confirmation
The preceding filters search results from the index main, and only returns those events with the string /booking/confirmation in the _raw data.
You may also add further filters by adding another phrase. It is very important to note, however, that, by default, Splunk will assume that your phrases are logically chained based on an AND operator, for example:
SPL> index=main /booking 200
The preceding line of code is equivalent to the following:
SPL> index=main /booking AND 200
Similarly, you can use the OR operator to find data based on multiple filters. The following command will return all events with /booking or ...
A common use of the stats command is to count events. To see how this works, run the following search query. The SPL will return a single number representing the count of all events in the last 30 minutes. Notice that the pipe that precedes the stats command filters the data that will be included in the final count:
SPL> index=main earliest=-30m latest=now | stats count
Change the time modifier and the number should be reduced:
SPL> index=main earliest=-15m latest=now | stats count
You may be wondering where the count came from. The true format of a stats command is stats function(X). This asks the system to return the result of the function based on the field X. When the count function is used without parentheses, Splunk assumes that you are looking for the count of all events in the given search.
The stats command becomes a very powerful...
A quick way to get a summarized table based on the fields is by using the top and rare commands. Run this search command:
SPL> index=main | top http_uri
Notice that the result automatically grouped the URLs by count, calculated the percentage of each row against the whole data set, and sorted them by count in descending order. You can see a sample result in the following screenshot:
You may further tweak this search command by adding command options such as limit and showperc. Say, for example, you only want to see the top five URLs, but you do not want to see the percent column. This is the SPL to achieve that:
SPL> index=main | top url limit=5 showperc=false
Now try the same commands, but use rare instead of top. The term rare will find those events that are the most unlikely ones. This can be a useful qualifier to use for determining...
The chart command aggregates data, providing output in tabular format which can then be used for a visualization. Visualizing data is critical to end user analysis, which makes chart a very important command. Notice that if you run the following search query, it is identical to the output of the stats command:
SPL> index=main | chart count by http_method
For all basic purposes, you can use stats and chart interchangeably. However, there will be differences in how stats and chart group data together. It will be up to you to determine which one is your intended result. To show the differences, here are some examples:
SPL> index=main | stats count by http_method http_uri
You can see the result in the following screenshot:
Following is another example:
SPL> index=main | chart count by http_method http_uri
You can see the result...
The eval command is perhaps the most advanced and powerful command in SPL. It allows you to store the resulting value of the eval operation in a field. A myriad of functions can be used with eval. Let us try some of the simpler and more common ones.
The simplest type of eval command performs a simple if/then/else condition and stores a value in the newly created field. For example, if you want to create counts of successful and unsuccessful requests, use http_status_code to determine whether the request is successful, and, if it is, count the transaction as successful:
SPL> index=main earliest=-1h latest=now | stats count(eval(if(http_status_code < "400", 1, NULL))) AS successful_requests count(eval(if(http_status_code >= "400", 1, NULL))) AS unsuccessful_requests by http_status_code
There are also countless functions that...
The rex or regular expression command is extremely useful when you need to extract a field during search time that has not already been extracted automatically. The rex command even works in multi-line events. The following sample command will get all versions of the Chrome browser that are defined in the highlighted user agent string part of the raw data. Let's say this is your raw data, and you need to get the highlighted value:
016-07-21 23:58:50:227303,96.32.0.0,GET,/destination/LAX/details,-,80, -,10.2.1.33,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML; like Gecko) Chrome/29.0.1547.76 Safari/537.36,500,0,0,823,3053
You can use this search command to get it:
SPL> index=main | rex field=http_user_agent
"Chrome/(?<Chrome_Version>.+?)?Safari" | top Chrome_Version
The rex command extracted...
In this chapter, we introduced you to SPL. You learned that the search pipeline is crucial in the transformation of data as it is piped between search commands and eventually to the final results table. You were introduced to time modifiers to control the timespan of events that searches will consider, and the more commonly used time-range picker. You learned how to filter search results, which happens in almost every Splunk search you'll ever write. Lastly, you were introduced to multiple search commands that are commonly used.
In Chapter 4, Reporting, Alerts, and Search Optimization, we will go on to use our search processing skills to create useful reports, and learn about developing alerts that will increase organizational efficiency and prevent errors. We will also learn more on how to best optimize our searches.
© 2018 Packt Publishing Limited All Rights Reserved
