Splunk Notes

SPL - Search Processing Language

What I explored:

  1. Splunk Web
  2. Configure the Search Assistant

Structure of SPL Query
  1. Key-value pairs
  2. Literal strings
  3. Commands
  4. Functions
  5. Logical operators
  6. Comparison operators
  7. Clauses
  8. Pipe

index=main                                  #key value pair
sourcetype=access_combined_wcookie          #key value pair
status!=200                                 #comparison operator
| timechart span=6h count by categoryId     #pipe #command #function #clause #field

| stats count by sourcetype                 #to list the different sourcetypes

In the Splunk practice data, the sourcetypes are:
access_combined_wcookie
csv
vendor_sales/vendor_sales
www1/secure

Creating statistics
  1. Stats command

  2. Eval command

  3. Timechart command

  4. Transforming commands: The family of commands that convert search results into data tables

  5. Stats, chart, timechart, top, rare

Stats command
  1. Create statistics
  2. Has mathematical functions
Stats command with eval (count only the events where the eval expression is true):
| stats count(eval(status = 500)) as "Server Errors"
fieldsummary
eventstats
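
Putting the pieces above together (key-value pairs, the comparison operator, and stats with eval), here is an added example search of my own, not from the course material, that finds which categories are producing server errors; it assumes the practice data carries a clientip field alongside status and categoryId.

```spl
index=main sourcetype=access_combined_wcookie status!=200
| stats count(eval(status>=500)) AS server_errors
        count(eval(status>=400 AND status<500)) AS client_errors
        count AS non_200_total
        dc(clientip) AS distinct_clients
        BY categoryId
| where server_errors > 0
| eval server_error_pct=round(100*server_errors/non_200_total, 1)
| sort -server_errors
```

The where clause drops categories with no 5xx responses, and distinct_clients helps tell a single noisy client apart from a broad outage.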

Fields and Field instruction
  1. Field instruction
  2. Field Extraction Wizard
  3. Using rex command
Fields
  1. Searchable Key-value pairs
  2. Essential for tailoring searches
  3. Can be created during search time or index time
  4. Splunk automatically indexes fields