Splunk Search Guide

Cheat Sheets

BEST

Search Reference: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/SearchCheatsheet

DRILL DOWN

  1. In the search result, click on any keyword to add it to the search query with AND operator and clk on the same keyword again in the result and it’ll get removed from the query…its like toggle
  2. But Alt + Clk will add the keyword with NOT operator
  3. Splunk looks for Keywords in search fields so add *  to error to search for errors etc. keywords
  4. search is case insensitive wrt VALUE, but not wrt KEY
  5. Splunk normalizes the time from logs belonging to different zones to a common zone
  6. ” abc* tst” for phrase search
  7. Default Timeline chart in all searches at top of results can be used to drill down easily

REPORTS

In search results only, the fieds show up in LHS..

Clk on the one of interest and select “Top values by time” to get this added to query: | timechart count by <field>

When adding Time Picker to Dashboard, all panels must be inline searches,,, but report is not an inline search and so in panel props clone it to inline search

SAVE SEARCH

how to save searches in splunk?

http://docs.splunk.com/Documentation/Storm/Storm/User/Saveasearch

EVERY SEARCH can be saved as

1. Just a search string: Save as EVENT

2. Save as REPORT (which can be scheduled as well)

3. SAVE as DASHBOARD (which is a container of Reports and Events)

Create REPORT using PIVOT

Cllk Pivot on the top Menu

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s