
Splunk Development
Day 5
- Vikram Yadav (VY)

Your attendance & progress of the course will be calculated based on the completion of the assignments and quiz.
Agenda – Day 5
• Splunk Search Commands
• Fields
• Table
• Rename
• Replace
• Append
• Join
• Reporting Commands
• Top
• Rare
• Stats
• Addcoltotals
• Addtotals
Basic Search Review
Best Practices
Syntax
Table Command
• The table command returns a table formed by only the fields in the argument list
• Columns are displayed in the order given in the command
• Column headers are the field names
• Each row is an event
• Rows hold the field values
• Example: sourcetype="superstore" | table City, "Ship Mode", "Product Name"
Rename Command
• rename is used to change the name of fields
• Useful for giving a field a more meaningful name
• When including spaces or special characters in a field name, use double straight quotes
• rename productid as ProductID
• rename action as "Customer Action"
• Example: sourcetype="superstore" | table City, "Ship Mode", "Product Name" | rename "Ship Mode" as "Shipment Mode"
Fields Command
• The fields command allows you to include or exclude specific fields in your search or report
• To include, use fields + <field list>
• Occurs before field extraction
• Improves performance
• To exclude, use fields - <field list>
• Occurs after field extraction
• No performance benefit
Dedup Command
• Use dedup to remove duplicates from your results
• Example: sourcetype="superstore" | dedup City | table City


Replace Command
• replace is used to replace the values of the specified fields that match the first string with another string
• replace <search string> WITH <replacement string> IN <field name>
• Example: sourcetype="superstore" | replace Miami WITH "Florida City" IN City | dedup City | table City
Append Command
• append is used to append the results of a subsearch to the current results
• Runs only over historical data
• Example:
sourcetype="superstore" | stats dc("Ship Mode"), count by City | append [search sourcetype="superstore" | top 1 "Ship Mode" by City ]
Join Command
• Use the join command to combine the results of a subsearch with the results of a main search
• Similar to an SQL join
• Example:
sourcetype="prodcode" | table Code, Price, Product_Name | join Code [search sourcetype="vendor_data_information" | table Code, Product_Name ]
Sort Command
• Use sort to order your results in ascending (+, the default) or descending (-) order
• To limit the returned results, use the limit option
• Example:
sourcetype="prodcode" | sort limit=10 -Price | table Price, Product_Name
sourcetype="prodcode" | sort limit=10 Price | table Price, Product_Name
Top Command
• The top command finds the most common values of a given field in the result set
• By default it returns 10 results
• limit=# returns that many results
• Example: sourcetype="superstore" | top City
sourcetype="superstore" | top limit=15 City
Top and Visualization
Rare Command
• The rare command returns the least common values of a given field in the results
• limit can be used to set the number of results returned
• The default is 10
• Example: sourcetype="superstore" | rare limit=15 City
Stats Command
• The stats command allows you to perform statistical calculations
• Common functions include:
• count
• sum
• avg
• distinct_count OR dc
• list
• values
stats count(field)
• count returns the number of matching events based on the current search criteria
• Use the as clause to rename the count field
• Example:
sourcetype="superstore" "Ship Mode"=First* | stats count as "First Class User"
stats command by field
• The by clause returns a count for each value of the named field or set of fields
• Example:
sourcetype="superstore" "Ship Mode"=First* | stats count as "City wise First Class User" by City
stats dc(field)
• distinct_count() or dc() returns how many unique values a field has in the results
• Example:
sourcetype="superstore" | stats dc(City) as "Total City"
stats sum(field)
• For fields with numeric values, sum adds up the actual field values
• A single stats command can have multiple functions
• Example:
sourcetype="superstore" | stats count(Sales) as "Unit Sold" sum(Sales) as "Total Sales" by City | sort -"Total Sales"
stats avg(field)
• The avg function returns the average numeric value of a field
• You can only use avg on numeric fields
• Example:
sourcetype="superstore" | stats avg(Sales) as "Avg Sales" by City
stats list(field)
• The list function lists all values of the given field
• Example: sourcetype="superstore" | stats list(City) as "City List"
stats values(field)
• The values function lists the unique values of the specified field
• Example: sourcetype="superstore" | stats values(City) as "City List"
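To make concrete what dedup, top, rare and the stats functions above actually return, here is an added Python model (not Splunk's code and not from the slides) run over a handful of constructed superstore-like events; the constructed rows are an assumption, while the count/percent columns, the ordering, and the list-versus-values difference follow Splunk's documented behaviour.

```python
from collections import Counter

# Constructed events shaped like the "superstore" sourcetype on the slides;
# the values are made up for illustration, not real Splunk data.
EVENTS = [
    {"City": "Miami", "Ship Mode": "First Class", "Sales": 120.0},
    {"City": "Miami", "Ship Mode": "Standard Class", "Sales": 80.0},
    {"City": "Austin", "Ship Mode": "First Class", "Sales": 50.0},
    {"City": "Miami", "Ship Mode": "Second Class", "Sales": 30.0},
    {"City": "Austin", "Ship Mode": "Standard Class", "Sales": 70.0},
    {"City": "Denver", "Ship Mode": "First Class", "Sales": 200.0},
]

def top(events, field, limit=10, rare=False):
    """Model of `top`/`rare`: one row per value with count and percent, most
    common first (least common first when rare=True), cut to `limit` rows."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    rows = [{field: v, "count": c, "percent": round(100.0 * c / total, 6)}
            for v, c in counts.items()]
    rows.sort(key=lambda r: r["count"], reverse=not rare)
    return rows[:limit]

def dedup(events, field):
    """Model of `dedup <field>`: keep the first event seen for each value."""
    seen, kept = set(), []
    for e in events:
        if e.get(field) not in seen:
            seen.add(e.get(field))
            kept.append(e)
    return kept

def stats_by(events, field, by):
    """Model of stats count/dc/sum/avg/list/values grouped by `by`: list keeps
    every value in arrival order, values is unique and lexicographically sorted."""
    groups = {}
    for e in events:
        groups.setdefault(e[by], []).append(e[field])
    result = {}
    for key, vals in sorted(groups.items()):      # stats sorts by the by-field
        nums = [v for v in vals if isinstance(v, (int, float))]
        result[key] = {
            "count": len(vals),
            "dc": len(set(vals)),
            "sum": sum(nums) if nums else None,
            "avg": sum(nums) / len(nums) if nums else None,
            "list": list(vals),
            "values": sorted(set(str(v) for v in vals)),
        }
    return result
```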
Addtotals
• row=t (default) adds a field to each row holding the sum of the numeric fields in that row; fieldname sets its name
• col=t appends a summary row holding the sum of each numeric column; labelfield names the field that receives the label
• Example: sourcetype="superstore" | chart count over "Ship Mode" by "Segment" | addtotals fieldname="Total Products" col=t labelfield="Total Segment count"
addcoltotals
• The addcoltotals command appends a new result to the end of the search result set, containing the sum of each numeric field; labelfield names the field that receives the label
• Example: sourcetype="superstore" | stats count(Profit) by "Ship Mode" | addcoltotals labelfield="Ship Mode" label="Total Profit"
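The row and column totalling done by addtotals and addcoltotals is easy to misread from the option names, so here is an added Python model (not Splunk's code and not from the slides) applied to constructed rows shaped like the two slide examples; the row contents are an assumption, the semantics of row=t, col=t, fieldname, labelfield and label follow Splunk's documentation.

```python
def _num(v):
    """True for values Splunk would treat as numeric when totalling."""
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def addtotals(rows, row=True, col=False, fieldname="Total",
              labelfield=None, label="Total"):
    """Model of `addtotals` (not Splunk's code). row=True (the default) adds
    `fieldname` to every row holding the sum of that row's numeric fields;
    col=True appends one summary row holding the sum of each numeric
    column, writing `label` into `labelfield` when one is given."""
    out = [dict(r) for r in rows]
    if row:
        for r in out:
            r[fieldname] = sum(v for v in r.values() if _num(v))
    if col:
        numeric = [f for f in out[0] if any(_num(r.get(f)) for r in out)]
        summary = {f: sum(r[f] for r in out if _num(r.get(f))) for f in numeric}
        if labelfield:
            summary[labelfield] = label
        out.append(summary)
    return out

def addcoltotals(rows, labelfield=None, label="Total"):
    """Model of `addcoltotals`: the summary row only, no per-row total."""
    return addtotals(rows, row=False, col=True, labelfield=labelfield, label=label)

# Constructed rows shaped like the output of the slide's
#   ... | chart count over "Ship Mode" by "Segment"
# search; the counts are made up, not real Splunk results.
CHART_ROWS = [
    {"Ship Mode": "First Class", "Consumer": 4, "Corporate": 2, "Home Office": 1},
    {"Ship Mode": "Second Class", "Consumer": 3, "Corporate": 5, "Home Office": 0},
    {"Ship Mode": "Standard Class", "Consumer": 9, "Corporate": 4, "Home Office": 2},
]

# Constructed rows shaped like ... | stats count(Profit) by "Ship Mode"
STATS_ROWS = [
    {"Ship Mode": "First Class", "count(Profit)": 3},
    {"Ship Mode": "Second Class", "count(Profit)": 2},
    {"Ship Mode": "Standard Class", "count(Profit)": 6},
]

if __name__ == "__main__":
    # Mirrors the slide's addtotals example (fieldname, col=t, labelfield)
    for r in addtotals(CHART_ROWS, col=True, fieldname="Total Products",
                       labelfield="Total Segment count"):
        print(r)
    # Mirrors the slide's addcoltotals example (labelfield and label)
    for r in addcoltotals(STATS_ROWS, labelfield="Ship Mode", label="Total Profit"):
        print(r)
```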
LAB
• Create a Table of Given Data Set
• Remove some columns using the fields command
• Rename fieldname
• Replace some values
• Use Append for subsearches
• Use Join command
• Try Addcoltotals & Addtotals command

Please submit an email with a screenshot of the assignment before the commencement of the next class. In order to move forward with the course, it is important to complete this assignment. If you are unable to complete the assignment or need any assistance regarding the same, please email me at vikram@avotrix.com
Question & Answer.....
