Splunk: Difference between revisions
From wikinotes
Revision as of 17:11, 16 August 2021
Splunk is a log indexing/searching tool.
= Documentation =
* official docs: https://docs.splunk.com/Documentation/Splunk
* search docs: https://docs.splunk.com/Documentation/Splunk/8.0.6/Search/GetstartedwithSearch
= Query Syntax =
== Target Hosts ==
Splunk's own servers log the searches run against them, and those logs are often indexed too, so the text of a search can match events generated by that very search. Either allowlist the hosts you care about (host=yourhost.domain.com) or denylist the Splunk hosts themselves:
<source lang="bash">
searchterm host!=host.domain.com   # exclude the Splunk host's own logs from the result
</source>
== Time Ranges ==
<source lang="bash">
# earliest/latest can be specified in the search bar
# and can be absolute or relative
#
# DateFmt: %m/%d/%Y:%H:%M:%S
#
# Absolute times are interpreted in the time zone set in the user's Splunk
# preferences, which is not necessarily UTC; check that setting before
# trusting a time window.
# Relative modifiers (-10m, +10m, -1d@d) are always relative to now,
# never to the other end of the range, so latest=+10m means now+10m,
# not earliest+10m.

Error earliest=07/06/2020:17:57:05 latest=07/06/2020:18:07:05   # absolute ten-minute window
searchterm earliest=08/26/2020:15:00:00                          # no latest: from that time up to now (like tailing a log)
searchterm earliest=-10m latest=now                              # relative: the last ten minutes
</source>
<source lang="bash">
searchterm earliest=07/06/2020:17:57:05 latest=07/06/2020:18:07:05
  | rex "id=(?<id>\d+)"   # regex match; named capture group (?<name>...) extracts 'id' as a field
  | where status=404      # select by field value (search status=404 does the same for a plain equality)
  | dedup id              # remove duplicate results; keeps the first event per id, i.e. the most recent in default order
  | table id colA         # select only these fields in the result
</source>
== Operators ==
<source lang="bash">
user IN (will, alex, maize)   # field matches any listed value (grouped OR)
user=will OR user=alex        # explicit OR; parentheses group whole expressions, e.g. (user=will OR user=alex) status=404,
                              # while grouping several values under one field is what IN is for
</source>
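The snippets above fit together into one search. The following is an added example (not code from the original page) that combines a host denylist, an absolute time window, a named-capture rex, IN, dedup and a stats summary to flag users generating many 404s in a short window, a common sign of forced browsing or scanning. The index name, sourcetype, the splunk01 host name, the request-id log format and the uri_path field are assumptions for illustration; adjust them to your environment.

```spl
index=web sourcetype=access_combined host!=splunk01.domain.com
    earliest=07/06/2020:17:57:05 latest=07/06/2020:18:07:05
| rex field=_raw "id=(?<id>\d+)"
| search status=404 user IN (will, alex, maize)
| dedup id
| stats count AS not_found, dc(uri_path) AS distinct_paths, min(_time) AS first_seen BY user
| where not_found > 20
| sort - not_found
| table user not_found distinct_paths first_seen
```

The time window is written with two absolute values rather than latest=+10m, since a relative modifier counts from now. The filters (status, IN, host) are kept in the search command rather than in where, so they are applied while reading the index instead of after retrieval. dedup id runs before stats so that a client that retries the same request id is counted once; dc(uri_path) separates a user hammering one missing page from one walking many paths.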