Splunk Search Query and Commands

Anvesh
Published in SilentTech
4 min read, Aug 6, 2023

This is a theoretical article; you may feel it is too much to digest. We will cover all of the commands in a practical session in upcoming articles. For now, just read on for fun.

Search terms: keywords, phrases, or field=value pairs that filter which events end up in the results.
Commands: tell Splunk what to do with the search results, such as formatting, filtering, altering, sorting, counting, renaming, or generating results (charts, statistics, formatting).
Functions: specify how to chart, compute, and evaluate the results; a function defines the computation performed on a field. Examples include avg(), sum(), median(), min(), max(), mean(), and var().
Arguments: the values and field names we pass to commands and functions. Every SPL command takes arguments, each of which is either required or optional.
Clauses: describe how results are grouped or defined. BY, AS, and WHERE are examples.

SPL command syntax is documented in terms of required and optional arguments.
Required arguments are shown in angle brackets < >.
Optional arguments are enclosed in square brackets [ ].

Consider this command syntax:
replace (<wc-string> WITH <wc-string>)… [IN <field-list>]

The user input arguments are <wc-string> and <field-list>.
The argument <wc-string> is an abbreviation for <wildcard-string> and indicates that the argument accepts a wildcard character in the string that you provide.
Parentheses ( ) are used to group arguments, and the ellipsis (…) after the group means the group can be repeated, so several WITH pairs can be given in one replace command.
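To see how that notation maps onto a real command, here is an added example (not from the original article) that uses the replace syntax above in both of its forms. It assumes an index named auth, the linux_secure sourcetype, and fields src_host, src_ip, and dest_ip that were extracted earlier in the search; none of these come from the article.

```spl
index=auth sourcetype=linux_secure
| replace "*.corp.example.com" WITH "internal-host" IN src_host

index=auth sourcetype=linux_secure
| replace "10.0.*" WITH "corp-lan" "192.168.*" WITH "corp-wifi" IN src_ip dest_ip
```

The first search uses one required WITH pair and the optional IN clause. The second repeats the grouped pair (the … in the syntax) and lists two fields after IN. If IN is omitted, the replacement is applied to every field in the results, which can silently rewrite values you did not intend to touch, so name the fields. replace changes values in the search results only, never in the index.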

Each search term you add narrows the result set, and because the terms in the base search are matched against the index before any event is read from disk, a narrower base search is usually a faster one as well. Always include the index (and, where possible, the sourcetype) in the base search, and avoid terms that begin with a wildcard such as *failed: a leading wildcard cannot be resolved through the index and slows the search down.

Raw event searches are searches that just retrieve events from an index or indexes and are typically used when you want to analyze a problem. Examples of these searches include checking error codes, correlating events, investigating security issues, and analyzing failures. These searches do not usually include search commands.

Transforming searches are searches that perform some type of statistical calculation against a set of results. These are searches where you first retrieve events from an index and then pass the events into one or more search commands. These searches will always require fields and at least one of a set of statistical commands.
Examples include getting a daily count of error events, counting the number of times a specific user has logged in, or calculating the 95th percentile of field values.
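As an added illustration (not part of the original article), here is a raw event search followed by the transforming search a defender would build on top of it, looking for password guessing against SSH. It assumes an index named auth that holds sshd logs with the linux_secure sourcetype, and it extracts user and src_ip with rex rather than relying on an add-on's field extractions; the index name and the threshold of 20 failures are assumptions.

```spl
index=auth sourcetype=linux_secure "Failed password"

index=auth sourcetype=linux_secure "Failed password"
| rex "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\S+)"
| stats count AS failures, dc(user) AS distinct_users, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| where failures > 20
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

The first search is a raw event search: only search terms, no commands, and the output is the matching events themselves, which is what you want when reading the individual failures during an investigation. The second passes the same events through stats, so the output is a table with one row per source address; a high failures count with a high distinct_users count is the shape of a password-spraying source, while many failures against one user looks like brute force.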

Early filtering and parallel processing are two of Splunk's built-in search optimizations.

Early filtering − The optimizer moves filters as early in the search as it can, so that the amount of data being processed is reduced as soon as possible. Filtering early avoids unnecessary lookup and evaluation work for events that are not part of the final search results.

Parallel processing − The optimizer can reorder search processing so that as many commands as possible run in parallel on the indexers before the results are sent to the search head for final processing.

You can turn the built-in optimizations off and compare the time the search takes with and without them: append the noop command with its search_optimization=false argument, that is, | noop search_optimization=false, to the end of the search.
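Added example, not from the article: three versions of the same search, to show what early filtering does and how to switch it off for a comparison. The index name auth, the sourcetype linux_secure, and the host name bastion01 are assumptions.

```spl
index=auth sourcetype=linux_secure
| eval hour=strftime(_time, "%H")
| where host!="bastion01"
| stats count BY host, hour

index=auth sourcetype=linux_secure host!="bastion01"
| eval hour=strftime(_time, "%H")
| stats count BY host, hour

index=auth sourcetype=linux_secure
| eval hour=strftime(_time, "%H")
| where host!="bastion01"
| stats count BY host, hour
| noop search_optimization=false
```

Written literally, the first search computes hour for every event and only then drops the bastion host. The optimizer rewrites it into the shape of the second search: the host test is pushed into the base search, where it is resolved against the index, so eval never sees those events. The third search keeps the literal order with optimization disabled; run the first and third side by side and compare their run times. In the Job Inspector the optimizedSearch job property shows the rewritten search that actually ran.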

Transforming commands:
A type of search command that orders the results into a data table. Transforming commands “transform” the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes.
Searches that use transforming commands are called transforming searches.
Transforming commands include chart, timechart, stats, top, rare, contingency, and highlight.
Transforming commands are required to transform search result data into the data structures required for visualizations such as column, bar, line, area, and pie charts.
Highlight − To highlight the specific terms in a result.
Chart − To create a chart out of the search result.
Stats − To create statistical summaries from the search result.

A streaming command operates on each event as it is returned by a search. Essentially one event in and one (or no) event out.

For example, the eval command can create a new field, full_name, to contain the concatenation of the value in the first_name field, a space, and the value in the last_name field.

… | eval full_name = first_name." ".last_name

A non-streaming command waits until the entire result set has been retrieved and then operates on the whole dataset. sort is an example.

Distributable streaming:
A distributable streaming command is a streaming command for which the order of the events does not matter, so it can be applied to separate subsets of the data in parallel on the indexers rather than serially on the search head. That parallelism is what improves processing time. eval, fields, rename, rex, and where are distributable streaming commands.

The full list is on the Command types page of the Splunk Search Reference.

Commands that come before the transforming command run on the indexers only if they are all distributable streaming commands; the first centralized streaming or non-streaming command in a search forces itself, and every command after it, onto the search head.

Commands that come after the transforming command run on the search head; they may be distributable streaming commands or non-streaming commands.
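Added example (not from the article) covering both the streaming versus non-streaming distinction above and the placement rules. head is centralized streaming and sort is non-streaming, so the order in which they appear changes the answer; the third search is a pipeline laid out so that the work before stats stays on the indexers. The index name auth and the sourcetype linux_secure are assumptions.

```spl
index=auth sourcetype=linux_secure "Failed password"
| head 5
| sort host

index=auth sourcetype=linux_secure "Failed password"
| sort host
| head 5

index=auth sourcetype=linux_secure "Failed password"
| eval hour=strftime(_time, "%H")
| stats count BY host, hour
| sort - count
| head 10
```

The first search takes the first five events the search returns and then orders those five by host. The second orders every event by host and then keeps the first five, which is in general a different set of events (and sort returns at most 10,000 results unless written as sort 0). In the third search, eval is distributable streaming, so each indexer runs it over its own slice of events and pre-aggregates the counts; the final merge in stats, and the sort and head after it, run on the search head. Moving head in front of eval would make head, and everything after it, run on the search head instead.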

Centralized streaming:
A centralized streaming command applies a transformation to each event returned by a search, but, unlike a distributable streaming command, it runs only on the search head, because it has to see the events in order or keep state across them (the first N events for head, running totals for streamstats).
Centralized streaming commands include head, streamstats, some modes of dedup, and some modes of cluster.

Generating command:
A generating command produces events or a report from an index, a lookup, or another data source without a preceding search; it is written with a leading pipe as the first command in the search, as in | inputlookup or | tstats. makeresults, inputlookup, metadata, and tstats are examples.
Generating commands are either event-generating (distributable or centralized) or report-generating.

Orchestrating command:
An orchestrating command controls some aspect of how the search is processed; it does not directly affect the final result set. noop (used above to switch the optimizer off) and localop, which forces the remainder of the search to run on the search head, are examples.

Dataset processing:
A handful of commands require the entire result set before they can run. These are the dataset processing commands: they are not transforming, not distributable, not streaming, and not orchestrating. Some of them fall into other types in specific situations or when specific arguments are used.

Examples of dataset processing commands include sort, eventstats, and some modes of cluster, dedup, and fillnull.
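As an added example (not from the article), this search combines the types discussed last: tstats is a generating command (it starts with a leading pipe and reads summarised index data rather than running after a search), while eventstats and sort are dataset processing commands that need the entire result set before they can add a column or reorder the rows. It flags hours in which a host logged far more authentication events than is normal for that host. The index name auth and the sourcetype linux_secure are assumptions, and the three-standard-deviation threshold is a starting point, not a tuned value.

```spl
| tstats count WHERE index=auth sourcetype=linux_secure BY host, _time span=1h
| eventstats avg(count) AS avg_per_hour, stdev(count) AS sd_per_hour BY host
| where count > avg_per_hour + 3 * sd_per_hour
| eval hour=strftime(_time, "%Y-%m-%d %H:00")
| sort - count
| fields hour, host, count, avg_per_hour, sd_per_hour
```

eventstats keeps every row and adds the per-host average and standard deviation as new columns, which is why it must see all rows for a host before it can emit any of them; stats by comparison would collapse the rows. Run this over a window long enough to give each host a meaningful baseline (a single day gives a 24-point sample per host, and a host with one hour of data gets no standard deviation and is never flagged).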

Hope you find this article interesting. For short bits around the technology, follow me on LinkedIn at www.linkedin.com/in/anveshsalla
