Splunk Query Language Cheat Sheet




These are the commands in Splunk that transform the results of a search into data structures that are useful for representing statistics and building data visualizations.

  1. Splunk does not necessarily interpret a transaction defined by multiple fields as a conjunction (field1 AND field2 AND field3) or a disjunction (field1 OR field2 OR field3) of those fields. If there is a transitive relationship between the fields in the list, the transaction command uses it.
  2. Using the Splunk Search Processing Language (SPL™), searches can be saved as reports and used to power dashboards. Reports are saved searches. You can run reports on an ad hoc basis, schedule reports to run on a regular interval, or set a scheduled.
  3. Regular Expression Cheat-Sheet (c) karunsubramanian.com. A short-cut: regex, while powerful, can be hard to grasp in the beginning. Fortunately, Splunk includes a command called erex which will generate the regex for you. All you have to do is provide samples of the data and Splunk will figure out a possible regular expression.

Examples of Transforming Commands


Prescriptive analytics: A cheat sheet. But hopefully it's a good start for anyone who feels overwhelmed by learning a new data query language. Splunk's documentation is very thorough. In Splunk, regex is an operator; in Kusto, it's a relational operator. Searchmatch: in Splunk, searchmatch allows searching for the exact string. Random: rand, rand(n). Splunk's function returns a number between zero and 2^31-1; Kusto's returns a number between 0.0 and 1.0, or, if a parameter is provided, between 0 and n-1. Now: now (1). relativetime: totimespan.

Following are some of the examples of transforming commands −

  • Highlight − To highlight the specific terms in a result.

  • Chart − To create a chart out of the search result.

  • Stats − To create statistical summaries from the search result.

Highlight

This command is used to highlight specific terms in the search result set. It is used by supplying the search terms as arguments to the highlight command. Multiple search terms are supplied by separating them with commas.


In the below example, we highlight the terms safari and butter in the result set.

Chart


The chart command is a transforming command that returns your results in a table format. The results can then be used to display the data as a chart, such as column, line, area, etc. In the below example, we create a horizontal bar chart by plotting the average size of bytes for each file type.

Stats


The Stats command transforms the search result data set into various statistical representations depending on the types of arguments we supply for this command.


In the below example, we use the stats command with the count function, grouped by another field. Here, we are counting the number of file names created on each weekday. The result of the search comes out in tabular form, with one row per day.
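The three examples described above, whose search strings are not shown on this page, written out as SPL. This is an added example, not the original tutorial's code: the source name `web_application.log` and the fields `bytes`, `file_type` and `file` are hypothetical, while `date_wday` is one of Splunk's default time fields.

```spl
source="web_application.log" | highlight safari, butter

source="web_application.log" | chart avg(bytes) AS avg_bytes by file_type

source="web_application.log" | stats count(file) AS files by date_wday | sort -files
```

Each line is a separate search. highlight leaves the events unchanged and only emphasises the matching terms in the event view, whereas chart and stats replace the events with a table (here sorted so the busiest weekday comes first).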