Event
A set of values associated with a timestamp. A single entry of data that can have one or multiple lines.
Examples of Events
Text document, configuration file, entire stack trace, etc
Transaction
Group of related activities
Metric Data Point
consists of a timestamp and one or more measurements. Could also contain dimensions
Measurement
metric name and corresponding numeric value
Host
name of the physical or virtual device where an event originates
Source
name of the file, directory, data stream, or other input from which a particular event originates
Examples of Sources
HTTP web server logs and Windows event logs
T/F Events with the same source can come from different sourcetypes
True: events from the same source can have different sourcetypes
Fields
searchable name and value pairings that distinguish one event from another
T/F: All events have the same fields and field values
False, fields allow for the writing of tailored searches to get specific events that we want
What are the two Splunk software process time events?
Index-time and Search-time
What does the Field Extractor tool do?
allows for the automatic generation and validation of field extractions at search-time using regular expressions or delimiters (spaces, commas, etc)
Tag
knowledge object that enables you to search for events that contain particular field values
Index-time processing - what data is read and where does it go?
data is read from a source on a host and is classified into a source type.
What is extracted in Index-time processing? Where is it written to?
Timestamps and other data are parsed into individual events. They are written to an index on disk, where the event is later retrieved with a search request
What is search-time and when does it occur?
The time it takes for a search event to process. Search starts, indexed events are retrieved from the disk, fields are extracted from the raw text for the event
Index - Process of how indexes are populated
The storage of events that the Splunk software gets from parsing the data into individual events, extracting the timestamp, applying line-breaking rules, and storing the events into the “indexes”
What is the primary way users navigate data in Splunk Software?
Search
What does SPL stand for?
Splunk Process Language
Reports
Saved searches
Different types of Reports
Ad hoc basis, scheduled reports to run on regular interval, or set scheduled report to generate alerts when results meet certain conditions
Can reports be added to dashboards?
Yes, as dashboard panels
Dashboards
panels that contain modules such as search boxes, fields, and data visualizations
Different Types of Datasets
Lookups, data models, table datasets
Table datasets
Focused, curated collections of event data that are designed for a specific purpose. Uses Table Views, a tool that translates search commands into UI editor interactions
Data Model
hierarchically-organized collection of datasets
Apps
collection of configurations, knowledge objects, and custom-designed views and dashboards
Distributed Search
provides a way to scale the deployment by separating the search management and presentation layer from the indexing and search retrieval layer
Forwarders
A Splunk instance that forwards data to another Splunk instance
Indexer
Splunk instance that indexes data. The indexer transforms raw data into events and stores the events into an index. Also searches indexed data in response to search requests.
Who searches through indexed data during search query?
Indexer
Who gives the search requests?
Search Head
Search Head
Splunk instance that directs search requests to a set of search peers and merges the results back to the user
Dedicated Search Head
Does only search, not indexing
At the start of a search pipeline, there is an implied __________ command to retrieve events from the index
Search
The ________ operator is implied between search terms
AND
What does this SPL command do?: sourcetype=access_combined error | top 5 uri
Retrieves web activity events that contain the term error and returns the top 5 most common URI values
What are the two in-line time modifiers?
Earliest, latest
The snap to time unit rounds _____
Down
@w1 is what snap time?
Snap down to Monday
seconds, minutes, hours, days, weeks, months, quarters, years in time ranges
Current time is 15:45, and we use earliest=-h@h, what time do we snap to?
14:00
Sunday Time modifiers
w0 or w7
earliest=-mon@mon latest=@mon
Starts at beginning of previous month and ends at start of current month
April 28th search is run at 14:05, when do the searches start?:
earliest=-2d
earliest=-2d@d
14:05 April 26th
0:00 April 26th
What is earliest=1
UNIX epoch time, UTC January 1, 1970 at 12:00:01 AM
Subsearch
Runs its own search and returns the results to the parent command as the argument value
Subsearch special conditions
Is run first, contained in square brackets
Common Optimization Methods
Limit the data that needs to be pulled off disk
Partition data into separate indexes
Limit time range to only what is needed
Search specifically
Use post-processing searches in dashboards
Use summary-indexing and report and data model acceleration features
Chart
Returns results in a tabular output (2 inputs valid)
Timechart
A chart (returns results in tabular output) but with time as x-axis (1 input valid)
dedup
removes subsequent results that match a specified criterion
eval
calculates an expression
fields
removes fields from search results (fields -)
head/tail
returns the first/last N results
lookup
adds field values from an external source
rename
renames a field
What is a wildcard?
Allows specification of multiple fields (ex. fail*)
rex
Specifies regular expression named groups to extract fields
search
filters result to those that match the search expression
sort
sorts the search results by specified fields
stats
provides statistics grouped optionally by fields
mstats
stats for metrics instead of events
table
specifies fields to keep in the result set
top/rare
displays the most/least common values of a field
where
filters search results using eval expressions. Used to compare two different fields
case(X, “Y”, …)
takes pair of arguments X and Y, where X arguments are Boolean and if True, returns Y argument
cidrmatch(“X”, Y)
Identifies IP addresses that belong to particular subnet
coalesce(X, …)
returns the first value that isn't NULL
if(X, Y, Z)
If X evaluates to True, result is Y; if False, result is Z
in(field, value-list)
returns true if a value in value-list matches a value in "field" (must be used inside the if function)
mvcount(X)
returns number of values of X
mvfilter(X)
filters multi-valued field based on Boolean expression X
now()
returns the current time, represented in Unix time
round(X,Y)
returns X rounded to the amount of decimal places specified by Y (default is round to int)
strftime(X,Y)
returns epoch time value X rendered using the format given by Y (ex. strftime(_time, "%H:%M"))
count vs dc
count returns the number of occurrences of field X.
dc returns the count of distinct values of the field X.
values(X)
returns the list of all distinct values of the field X as a multi-value entry. The order of the values is alphabetical
head/tail X
first/last X values
span=1m/h/etc
spans a timechart
____ by _____
does something based on an event
| fields + host
keep only host field
| fields - host
remove host field from result
%Y or %y
Year (2021) or year without century (21)
%M or %m
Minute or month number (01-12)
%d
day of month (01-31)
Transforming commands
Commands that create statistics and visualizations (eg. top, rare, stats, chart, timechart, trendline)
By default, how long is a search job active?
10 minutes
Shared search job active for how long?
7 days
Can export results in what formats?
Raw, CSV, XML, JSON
Three search modes and their differences
Fast: field discovery off
Smart: toggle behavior based on search
Verbose: as much data as possible
Events in search are returned in what order?
Reverse chronological order
Selected fields
“Selected fields”, normally host, source, and sourcetype
as
stores result AS whatever you want to call it
What fields are extracted at index time?
Index, source, host, sourcetype
Calculated fields are added to data in ______ time
Search
Default top value
10
Interesting fields appear in what percentage of events?
20%
"a" in fields sidebar versus "#"
string, numeric
What is case sensitive in searches?
Field names (values are not)