
Searching and Reporting with Splunk


Commands Covered

Module 1

fields
  Example:      fields host src_ip
                fields - sourcetype
  Description:  Keeps only the named fields or, with -, removes them; this also controls which field extractions are performed

table
  Example:      table host src_ip port
  Description:  Displays the named fields from each event in table format

rename
  Example:      rename src_ip as ip
  Description:  Renames fields

rex
  Example:      rex field=mailto "(?<to_user>.*)@(?<to_domain>.*)"
  Description:  Creates fields based on the regular expression; these fields exist only in the context of this search

sort
  Example:      sort host username
                sort -count
  Description:  Sorts the events by the fields named; use - to indicate a descending sort

multikv
  Example:      multikv fields fielda fieldb
  Description:  Used for events that appear in tabular form; parses each line of the table into a separate event

mvcombine
  Example:      mvcombine mailto
  Description:  Combines events that are identical except for the named field; the named field becomes a multi-valued field

Module 2

stats
  Example:      stats count by host
  Description:  Computes statistics and displays them in tabular form; see the list of stats functions below

top
  Example:      top mailfrom
  Description:  Counts the events by the named field; displays the counts for the top 10 field values

rare
  Example:      rare mailfrom
  Description:  Same as top, but shows the least common values

eventstats
  Example:      eventstats sum(price) as sales
  Description:  Creates a new field in each event that contains the calculated statistic; uses the same functions as stats (see below)

addtotals
  Example:      addtotals fieldname=total_wait cpu_wait io_wait
  Description:  For each event, adds the fields listed and places the sum in the total_wait field

addcoltotals
  Example:      addcoltotals
  Description:  Appends a result at the end of the list by summing all the numeric fields in the events

Module 3

eval
  Example:      eval fieldx = fieldy + fieldz
  Description:  Creates a new field (or updates the value of an existing field) for each event by performing a calculation. See the functions for eval and where below.

where
  Example:      where fieldx < fieldy
  Description:  Evaluates the expression for each event. When true, the event is kept in the result set; when false, the event is eliminated. See the functions for eval and where below.

Module 4

chart
  Example:      chart count by productId
  Description:  Displays a chart where the first field appears on the y-axis and the second field on the x-axis. The y-axis must be numeric. See the list of stats functions for possible functions.

timechart
  Example:      timechart sum(price) as Sales
  Description:  Displays a chart where the named field or function appears on the y-axis. Time always appears on the x-axis. See the list of stats functions.

bucket
  Example:      bucket _time span=1h
                bucket qty span=50
  Description:  Groups a numeric field into discrete "buckets"

rangemap
  Example:      rangemap field=count low=0-50 elevated=51-100 default=severe
  Description:  Creates a field named "range" with a value of "low", "elevated" or "severe"; often used for single-panel dashboard items
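The following is an added example, not part of the original reference card and not Splunk's own code: a Python reference model of a typical page-1 pipeline, rex → search → stats count by → sort → rangemap, run over constructed sshd-style log lines so each step's semantics can be checked without a Splunk instance. The log lines, the regex, the rangemap thresholds and the function names are assumptions made for the illustration. One difference to note: Splunk's rex uses PCRE named groups written (?<name>...), while Python's re module requires (?P<name>...), so the same pattern appears in that form here.

```python
# Added example (not from the original reference card or from Splunk): a Python
# reference model of the pipeline
#   ... | rex "(?<action>Failed|Accepted) password for (?<user>\S+) from (?<src_ip>\S+)"
#       | search action=Failed
#       | stats count by src_ip
#       | sort -count
#       | rangemap field=count low=0-2 elevated=3-5 default=severe
# Log lines, regex and thresholds are assumptions chosen for the illustration.
import re
from collections import Counter

# Constructed sample events (not real logs).
RAW_EVENTS = [
    "Failed password for root from 203.0.113.7 port 50022 ssh2",
    "Failed password for admin from 203.0.113.7 port 50023 ssh2",
    "Failed password for root from 203.0.113.7 port 50024 ssh2",
    "Failed password for root from 203.0.113.7 port 50025 ssh2",
    "Failed password for root from 203.0.113.7 port 50026 ssh2",
    "Failed password for root from 203.0.113.7 port 50027 ssh2",
    "Accepted password for alice from 198.51.100.9 port 40100 ssh2",
    "Failed password for bob from 198.51.100.9 port 40101 ssh2",
    "Failed password for bob from 192.0.2.44 port 60001 ssh2",
    "Failed password for bob from 192.0.2.44 port 60002 ssh2",
    "Failed password for bob from 192.0.2.44 port 60003 ssh2",
]

# rex: Splunk writes named groups as (?<name>...); Python's re needs (?P<name>...).
REX = re.compile(r"(?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+)")

def rex(events):
    """rex: add the named capture groups as fields on every event that matches.
    An event that does not match keeps only its _raw field, as in Splunk."""
    out = []
    for raw in events:
        fields = {"_raw": raw}
        m = REX.search(raw)
        if m:
            fields.update(m.groupdict())
        out.append(fields)
    return out

def stats_count_by(events, field):
    """stats count by <field>: one result row per distinct value with its count.
    Events lacking the field are dropped, as stats ... by does."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: value, "count": n} for value, n in counts.items()]

def sort_desc(rows, field):
    """sort -<field>: descending sort on a numeric field."""
    return sorted(rows, key=lambda r: r[field], reverse=True)

def rangemap(rows, field, ranges, default):
    """rangemap field=<field> name=lo-hi ... default=<name>: add a 'range' field.
    Ranges are inclusive; a value that falls in no range gets the default name."""
    for r in rows:
        v = r[field]
        r["range"] = next((name for name, (lo, hi) in ranges.items() if lo <= v <= hi), default)
    return rows

def failed_logins_by_source(raw_events=RAW_EVENTS):
    """Run the whole pipeline and return the result rows, busiest source first."""
    events = [e for e in rex(raw_events) if e.get("action") == "Failed"]  # | search action=Failed
    rows = stats_count_by(events, "src_ip")                               # | stats count by src_ip
    rows = sort_desc(rows, "count")                                       # | sort -count
    return rangemap(rows, "count", {"low": (0, 2), "elevated": (3, 5)}, "severe")

if __name__ == "__main__":
    for row in failed_logins_by_source():
        print(f"{row['src_ip']:<16} count={row['count']:<3} range={row['range']}")
```

The point worth checking in the model is the rangemap default: a count of 6 matches neither declared range, so it receives "severe", which is exactly the behaviour a single-value dashboard panel relies on.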

Commands Covered (continued)

Modules 5, 6 and 7

transaction
  Example:      transaction host src_ip maxspan=1h maxpause=1m
  Description:  Combines events into a single event (transaction) if they have the same field values and occur in the specified time range

lookup
  Example:      lookup http_lookup status OUTPUT status_descr
  Description:  Performs the http_lookup using the status field as input and retrieves the status_descr field. Requires that the lookup table and lookup fields have already been defined

sistats, sitop, sirare, sichart, sitimechart
  Example:      sistats sum(price) as sales by productId
  Description:  Used to generate data that will be placed in a summary index. For each command, creates an event that contains the appropriate intermediate results, so that the final calculation can be performed.

overlap
  Example:      overlap
  Description:  Finds any overlapping events in a summary index
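The following is an added example, not part of the original reference card and not Splunk's own code: a Python reference model of transaction host src_ip maxspan=5m maxpause=1m over constructed events, so the two limits can be seen acting separately. maxpause closes a transaction at a quiet gap between consecutive events; maxspan closes it when the time since its first event grows too large even though no single gap is long. The shorter maxspan (5m instead of the card's 1h), the event data and the function names are assumptions chosen for the illustration; Splunk itself walks events in reverse-chronological order, but the grouping rule modelled is the same.

```python
# Added example (not from the original reference card or from Splunk): a Python
# reference model of
#   ... | transaction host src_ip maxspan=5m maxpause=1m
# Events and limits are assumptions; the card's own example uses maxspan=1h.

# Constructed events (not real logs): _time is seconds from an arbitrary epoch.
EVENTS = [
    {"_time": 0,   "host": "web1", "src_ip": "203.0.113.7", "_raw": "login failed"},
    {"_time": 30,  "host": "web1", "src_ip": "203.0.113.7", "_raw": "login failed"},
    {"_time": 50,  "host": "web1", "src_ip": "203.0.113.7", "_raw": "login ok"},
    {"_time": 200, "host": "web1", "src_ip": "203.0.113.7", "_raw": "download"},  # 150 s gap > maxpause
    {"_time": 210, "host": "web2", "src_ip": "203.0.113.7", "_raw": "download"},  # other host: own key
] + [
    # seven polls 55 s apart: every gap is under maxpause, but 0..330 s exceeds maxspan
    {"_time": t, "host": "web1", "src_ip": "198.51.100.9", "_raw": "poll"} for t in range(0, 331, 55)
]

def _merge(key_fields, key, evs):
    """Build the merged event Splunk emits: the key fields, the _time of the
    first event, duration, eventcount and the concatenated raw text."""
    t = dict(zip(key_fields, key))
    t["_time"] = evs[0]["_time"]
    t["duration"] = evs[-1]["_time"] - evs[0]["_time"]
    t["eventcount"] = len(evs)
    t["_raw"] = "\n".join(e["_raw"] for e in evs)
    return t

def transaction(events, key_fields=("host", "src_ip"), maxspan=300, maxpause=60):
    """Group events by the key fields, then split each group into transactions
    whenever the gap to the previous event exceeds maxpause (seconds) or the
    time since the transaction's first event would exceed maxspan (seconds)."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[f] for f in key_fields)
        by_key.setdefault(key, []).append(ev)
    transactions = []
    for key, evs in by_key.items():
        current = [evs[0]]
        for ev in evs[1:]:
            too_quiet = ev["_time"] - current[-1]["_time"] > maxpause
            too_long = ev["_time"] - current[0]["_time"] > maxspan
            if too_quiet or too_long:
                transactions.append(_merge(key_fields, key, current))
                current = [ev]
            else:
                current.append(ev)
        transactions.append(_merge(key_fields, key, current))
    return transactions

def transaction_summary(events=EVENTS):
    """(host, src_ip, _time, eventcount, duration) per transaction, for inspection."""
    return [(t["host"], t["src_ip"], t["_time"], t["eventcount"], t["duration"])
            for t in transaction(events)]

if __name__ == "__main__":
    for host, src_ip, start, n, dur in transaction_summary():
        print(f"{host} {src_ip:<14} start={start:<4} events={n} duration={dur}s")
```

For detection searches the distinction matters: a slow brute-force that keeps every gap under maxpause can still be cut into separate transactions by maxspan, so a threshold on eventcount per transaction must be set with both limits in mind.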

Functions for stats, chart and timechart

count()
  Counts the number of events that have the field named; if no field is named, counts all the events

distinct_count() or dc()
  Counts the number of unique values for the field named

sum()
  Sums the values of the field named

avg()
  Averages the values of the field named; avg(field) = sum(field) / count(field)

min()
  Returns the lowest value of the field across all the events

max()
  Returns the highest value of the field across all the events

list()
  Lists the value of the field for every event

values()
  Lists the unique values of the field across all the events

Functions for eval and where

abs()
  Description:  Returns the absolute value of the field

cidrmatch()
  Example:      cidrmatch("123.128.32.0/25", ip)
  Description:  Returns true if the second argument is an IP address in the subnet defined by the first argument

if()
  Example:      if(status == 200, "OK", "Error")
  Description:  Evaluates the first argument as a Boolean expression. If true, returns the second argument; if false, returns the third argument.

match()
  Example:      match(field, regex)
  Description:  Returns true if the value of the field matches the regular expression; otherwise returns false

round()
  Example:      round(field, n)
  Description:  Rounds the value of the field to n decimal places

tostring()
  Example:      tostring(field, "commas")
  Description:  Rounds the value of the field to 2 decimal places and inserts thousands separators, e.g. 99,999.99
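The following is an added example, not part of the original reference card and not Splunk's own code: Python reference implementations of cidrmatch, match, if, round and tostring(..., "commas"), applied the way a where clause and a subsequent eval would use them, over constructed web-access events. It keeps only path-traversal attempts that came from an internal address range and then adds derived fields. The events, the 10.0.0.0/8 range, the function names and the decision to print a whole number without decimals in the commas format are assumptions made for the illustration; the behaviour of cidrmatch on an unparseable address (false rather than an error) is modelled on how a where clause treats a function that cannot evaluate.

```python
# Added example (not from the original reference card or from Splunk): Python
# models of the eval/where functions on the card, used as in
#   ... | where cidrmatch("10.0.0.0/8", src_ip) AND match(uri, "\.\./")
#       | eval result=if(status == 200, "OK", "Error"),
#              kb=round(bytes / 1024, 1),
#              bytes_str=tostring(bytes, "commas")
# Events, range and names are assumptions chosen for the illustration.
import ipaddress
import re

def cidrmatch(cidr, ip):
    """cidrmatch(cidr, ip): true if ip lies inside the subnet. strict=False lets
    a subnet written with host bits set (10.1.2.3/8) still match; an argument
    that is not an address or network yields false instead of an exception."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False

def match(value, regex):
    """match(field, regex): unanchored regex test; false when the field is missing."""
    return value is not None and re.search(regex, str(value)) is not None

def if_(condition, if_true, if_false):
    """if(X, Y, Z): Y when X is true, otherwise Z."""
    return if_true if condition else if_false

def round_(value, n=0):
    """round(X, n): n decimal places; an integer when n is 0."""
    return int(round(float(value))) if n == 0 else round(float(value), n)

def tostring_commas(value):
    """tostring(X, "commas"): thousands separators, rounded to 2 decimal places.
    Assumption in this model: a whole number is shown without decimals."""
    v = float(value)
    return f"{int(v):,}" if v.is_integer() else f"{v:,.2f}"

# Constructed web-access events (not real logs).
EVENTS = [
    {"src_ip": "10.20.30.40", "uri": "/reports/../../etc/passwd",        "status": 200, "bytes": 2048},
    {"src_ip": "10.20.30.41", "uri": "/index.html",                      "status": 200, "bytes": 5120},
    {"src_ip": "203.0.113.7", "uri": "/cgi-bin/../../../../etc/shadow",  "status": 403, "bytes": 312},
    {"src_ip": "10.99.1.2",   "uri": "/api/../admin",                    "status": 404, "bytes": 1536000},
    {"src_ip": "not-an-ip",   "uri": "/../x",                            "status": 400, "bytes": 0},
]

def internal_traversal_attempts(events=EVENTS):
    """Apply the where clause, then the eval, and return the surviving rows."""
    out = []
    for e in events:
        # where cidrmatch("10.0.0.0/8", src_ip) AND match(uri, "\.\./")
        if not (cidrmatch("10.0.0.0/8", e.get("src_ip")) and match(e.get("uri"), r"\.\./")):
            continue
        row = dict(e)
        row["result"] = if_(e["status"] == 200, "OK", "Error")   # eval result=if(...)
        row["kb"] = round_(e["bytes"] / 1024, 1)                  # eval kb=round(bytes/1024, 1)
        row["bytes_str"] = tostring_commas(e["bytes"])            # eval bytes_str=tostring(bytes, "commas")
        out.append(row)
    return out

if __name__ == "__main__":
    for r in internal_traversal_attempts():
        print(f"{r['src_ip']:<12} {r['uri']:<34} {r['result']:<5} kb={r['kb']} bytes={r['bytes_str']}")
```

Two rows survive: the traversal from 10.20.30.40 (status 200, so result "OK", which is the one an analyst should look at first) and the one from 10.99.1.2; the external 203.0.113.7 attempt is outside the range, and the event whose src_ip is not an address is rejected by cidrmatch rather than breaking the search.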

Note: This is not a complete list of commands or functions! For the complete list, see the Splunk Search Reference Manual at
http://www.splunk.com/base/Documentation/latest/SearchReference
