Here’s an updated table with example queries that utilize the respective Splunk commands:
| Splunk Command | Description | Example Query (Apache Log) |
|---|---|---|
search | Retrieves events that match specific search criteria. | search index=apache_logs status=200 error |
stats | Calculates aggregate statistics for fields. | stats count by method index=apache_logs |
table | Displays search results in a tabular format. | table method, status, bytes index=apache_logs |
timechart | Generates a chart showing values over time. | timechart count by method index=apache_logs |
where | Filters events based on specified conditions. | where status=200 index=apache_logs |
eval | Creates new fields or modifies existing ones. | eval response_time=duration/1000 index=apache_logs |
rex | Extracts fields from event data using regular expressions. | rex field=request "(?<page>[^/]+)$" index=apache_logs |
top | Displays the top values for a specified field. | top clientip limit=10 index=apache_logs |
dedup | Removes duplicate events based on specified fields. | dedup clientip index=apache_logs |
transaction | Groups events together based on a common field value. | transaction clientip maxspan=1h index=apache_logs |
rename | Renames fields in search results. | rename status AS response_code index=apache_logs |
sort | Sorts events based on specified fields. | sort -bytes index=apache_logs |
chart | Generates various types of charts based on search results. | chart count by method index=apache_logs |
spath | Extracts structured fields from event data. | spath input=_raw path=request.url index=apache_logs |
makemv | Converts a delimited field into a multivalue field. | makemv delim="," user_agents index=apache_logs |
fillnull | Replaces null or missing values with specified default values. | fillnull value="N/A" index=apache_logs |
geostats | Generates geospatial statistics and visualizations. | geostats count by clientip index=apache_logs |
append | Combines the results of multiple searches into a single result set. | append [search index=other_logs] index=apache_logs |
| … | … | … |
| Splunk Command | Description |
|---|---|
addcoltotals | Adds a row at the bottom of the search results table with totals for numerical fields. |
addinfo | Adds information about search performance and resource usage to the search results. |
addtotals | Adds a row at the bottom of the search results table with totals for specified fields. |
anomalies | Detects anomalies or unusual patterns in time series data. |
anomalousvalue | Detects anomalies or unusual patterns in a specific field. |
append | Combines the results of multiple searches into a single result set. |
appendcols | Combines fields from multiple searches into a single result set. |
audit | Tracks access to search results and other Splunk platform features. |
bin | Bins numerical values into specific ranges or intervals. |
bucket | Groups events based on time intervals. |
chart | Generates various types of charts based on search results. |
cluster | Groups events based on similarity and identifies outliers. |
collect | Sends search results to a summary index. |
colortest | Displays a color test chart. |
concurrency | Measures the concurrency of events over time. |
contingency | Calculates the contingency table for two fields. |
convert | Converts field values from one data type to another. |
corr | Calculates the correlation coefficient between two fields. |
dbinspect | Inspects the structure and content of a database. |
dbxquery | Executes an SQL query against a database. |
dedup | Removes duplicate events based on specified fields. |
delete | Deletes events from a search index. |
delta | Calculates the difference between consecutive events. |
diff | Compares events between two searches and displays the differences. |
erex | Extracts fields using a custom regular expression. |
erowcol | Performs a rolling calculation on a field based on a sliding window. |
eventcount | Counts events based on specified conditions. |
eventstats | Calculates statistics on all events and adds them to each event. |
extract | Extracts fields from event data using delimiters or regular expressions. |
fieldformat | Formats the display of field values. |
fields | Selects specific fields to display in search results. |
filldown | Copies the value from the previous non-null event into subsequent events. |
fillnull | Replaces null or missing values with specified default values. |
fileboost | Adjusts the search ranking for events in specific files. |
filesmeta | Provides metadata information about files. |
fingerprint | Generates a unique identifier for each event based on specified fields. |
format | Formats the display of search results. |
from | Specifies the source index or source search for a subsearch. |
geodistance | Calculates the distance between geographical coordinates. |
geostats | Generates geospatial statistics and visualizations. |
head | Retrieves the first N events from search results. |
highlight | Applies syntax highlighting to search results. |
history | Displays search command history. |
iconify | Converts field values into icons based on conditions. |
inputcsv | Reads |
This topic links to the Splunk Enterprise Search Reference for each search command.
| Command | Description | See also |
|---|---|---|
abstract | Produces a summary of each search result. | highlight |
accum | Keeps a running total of the specified numeric field. | autoregress, delta, trendline, streamstats |
addcoltotals | Computes an event that contains sum of all numeric fields for previous events. | addtotals, stats |
addinfo | Add fields that contain common information about the current search. | search |
addtotals | Computes the sum of all numeric fields for each result. | addcoltotals, stats |
analyzefields | Analyze numerical fields for their ability to predict another discrete field. | anomalousvalue |
anomalies | Computes an “unexpectedness” score for an event. | anomalousvalue, cluster, kmeans, outlier |
anomalousvalue | Finds and summarizes irregular, or uncommon, search results. | analyzefields, anomalies, cluster, kmeans, outlier |
append | Appends subsearch results to current results. | appendcols, appendcsv, join, set |
appendcols | Appends the fields of the subsearch results to current results, first results to first result, second to second, etc. | append, appendcsv, join, set |
appendpipe | Appends the result of the subpipeline applied to the current result set to results. | append, appendcols, join, set |
arules | Finds association rules between field values. | associate, correlate |
associate | Identifies correlations between fields. | correlate, contingency |
audit | Returns audit trail information that is stored in the local audit index. | |
autoregress | Sets up data for calculating the moving average. | accum, autoregress, delta, trendline, streamstats |
bin, discretize | Puts continuous numerical values into discrete sets. | chart, timechart |
bucketdir | Replaces a field value with higher-level grouping, such as replacing filenames with directories. | cluster, dedup |
chart | Returns results in a tabular output for charting. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. | timechart |
cluster | Clusters similar events together. | anomalies, anomalousvalue, cluster, kmeans, outlier |
concurrency | Uses a duration field to find the number of “concurrent” events for each event. | timechart |
contingency, counttable, ctable | Builds a contingency table for two fields. | associate, correlate |
convert | Converts field values into numerical values. | eval |
correlate | Calculates the correlation between different fields. | associate, contingency |
dbinspect | Returns information about the specified index. | |
dedup | Removes subsequent results that match a specified criteria. | uniq |
delta | Computes the difference in field value between nearby results. | accum, autoregress, trendline, streamstats |
diff | Returns the difference between two search results. | |
erex | Allows you to specify example or counter example values to automatically extract fields that have similar values. | extract, kvform, multikv, regex, rex, xmlkv |
eval | Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference. | where |
eventcount | Returns the number of events in an index. | dbinspect |
eventstats | Adds summary statistics to all search results. | stats |
extract, kv | Extracts field-value pairs from search results. | kvform, multikv, xmlkv, rex |
fieldformat | Expresses how to render a field at output time without changing the underlying value. | eval, where |
fields | Removes fields from search results. | |
fieldsummary | Generates summary information for all or a subset of the fields. | af, anomalies, anomalousvalue, stats |
filldown | Replaces NULL values with the last non-NULL value. | fillnull |
fillnull | Replaces null values with a specified value. | |
findtypes | Generates a list of suggested event types. | typer |
foreach | Run a templatized streaming subsearch for each field in a wildcarded field list. | eval |
format | Takes the results of a subsearch and formats them into a single result. | |
from | Retrieves data from a dataset, such as a data model dataset, a CSV lookup, a KV Store lookup, a saved search, or a table dataset. | |
gauge | Transforms results into a format suitable for display by the Gauge chart types. | |
gentimes | Generates time-range results. | |
geostats | Generate statistics which are clustered into geographical bins to be rendered on a world map. | stats, xyseries |
head | Returns the first number n of specified results. | reverse, tail |
highlight | Causes Splunk Web to highlight specified terms. | |
history | Returns a history of searches formatted as an events list or as a table. | search |
input | Adds sources to Splunk or disables sources from being processed by Splunk. | |
inputcsv | Loads search results from the specified CSV file. | loadjob, outputcsv |
iplocation | Extracts location information from IP addresses. | |
join | SQL-like joining of results from the main results pipeline with the results from the subpipeline. | selfjoin, appendcols |
kmeans | Performs k-means clustering on selected fields. | anomalies, anomalousvalue, cluster, outlier |
kvform | Extracts values from search results, using a form template. | extract, kvform, multikv, xmlkv, rex |
loadjob | Loads events or results of a previously completed search job. | inputcsv |
localize | Returns a list of the time ranges in which the search results were found. | map, transaction |
makecontinuous | Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) | chart, timechart |
makemv | Change a specified field into a multivalued field during a search. | mvcombine, mvexpand, nomv |
map | A looping operator, performs a search over each search result. | |
mcollect | Converts search results into metric data and inserts the data into a metric index on the search head. | collect, meventcollect |
metadata | Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer. | dbinspect |
metasearch | Retrieves event metadata from indexes based on terms in the logical expression. | metadata, search |
meventcollect | Converts search results into metric data and inserts the data into a metric index on the indexers. | collect, mcollect |
mstats | Calculates statistics for the measurement, metric_name, and dimension fields in metric indexes. | stats |
multikv | Extracts field-values from table-formatted events. | |
multisearch | Run multiple streaming searches at the same time. | append, join |
mvcombine | Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. | mvexpand, makemv, nomv |
mvexpand | Expands the values of a multivalue field into separate events for each value of the multivalue field. | mvcombine, makemv, nomv |
nomv | Changes a specified multivalued field into a single-value field at search time. | makemv, mvcombine, mvexpand |
outlier | Removes outlying numerical values. | anomalies, anomalousvalue, cluster, kmeans |
outputcsv | Outputs search results to a specified CSV file. | inputcsv, outputtext |
outputtext | Ouputs the raw text field (_raw) of results into the _xml field. | outputtext |
predict | Enables you to use time series algorithms to predict future values of fields. | x11 |
rangemap | Sets RANGE field to the name of the ranges that match. | |
rare | Displays the least common values of a field. | stats, top |
regex | Removes results that do not match the specified regular expression. | rex, search |
reltime | Converts the difference between ‘now’ and ‘_time’ to a human-readable value and adds adds this value to the field, ‘reltime’, in your search results. | convert |
rename | Renames a specified field; wildcards can be used to specify multiple fields. | |
replace | Replaces values of specified fields with a specified new value. | |
rest | Access a REST endpoint and display the returned entities as search results. | |
return | Specify the values to return from a subsearch. | format, search |
reverse | Reverses the order of the results. | head, sort, tail |
rex | Specify a Perl regular expression named groups to extract fields while you search. | extract, kvform, multikv, xmlkv, regex |
rtorder | Buffers events from real-time search to emit them in ascending time order when possible. | |
savedsearch | Returns the search results of a saved search. | |
script, run | Runs an external Perl or Python script as part of your search. | |
scrub | Anonymizes the search results. | |
search | Searches Splunk indexes for matching events. | |
searchtxn | Finds transaction events within specified search constraints. | transaction |
selfjoin | Joins results with itself. | join |
sendemail | Emails search results to a specified email address. | |
set | Performs set operations (union, diff, intersect) on subsearches. | append, appendcols, join, diff |
setfields | Sets the field values for all results to a common value. | eval, fillnull, rename |
sort | Sorts search results by the specified fields. | reverse |
spath | Provides a straightforward means for extracting fields from structured data formats, XML and JSON. | xpath |
stats | Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. | eventstats, top, rare |
strcat | Concatenates string values. | |
streamstats | Adds summary statistics to all search results in a streaming manner. | eventstats, stats |
table | Creates a table using the specified fields. | fields |
tags | Annotates specified fields in your search results with tags. | eval |
tail | Returns the last number n of specified results. | head, reverse |
timechart | Create a time series chart and corresponding table of statistics. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. | chart, bucket |
top | Displays the most common values of a field. | rare, stats |
transaction | Groups search results into transactions. | |
transpose | Reformats rows of search results as columns. | |
trendline | Computes moving averages of fields. | timechart |
typeahead | Returns typeahead information on a specified prefix. | |
typer | Calculates the eventtypes for the search results. | typelearner |
uniq | Removes any search that is an exact duplicate with a previous result. | dedup |
untable | Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable. | |
where | Performs arbitrary filtering on your data. See Functions for eval and where in the Splunk Enterprise Search Reference. | eval |
x11 | Enables you to determine the trend in your data by removing the seasonal pattern. | predict |
xmlkv | Extracts XML key-value pairs. | extract, kvform, multikv, rex |
xmlunescape | Unescapes XML. | |
xpath | Redefines the XML path. | |
xyseries | Converts results into a format suitable for graphing. |
Search commands by category
The search commands that make up the Splunk Light search processing language are a subset of the Splunk Enterprise search commands. The tables below list the commands that make up the Splunk Light search processing language and is categorized by their usage. Some commands fit into more than one category based on the options that you specify.
This topic links to the Splunk Enterprise Search Reference for each search command.
Correlation
These commands can be used to build correlation searches.
| Command | Description |
|---|---|
append | Appends subsearch results to current results. |
appendcols | Appends the fields of the subsearch results to current results, first results to first result, second to second, etc. |
appendpipe | Appends the result of the subpipeline applied to the current result set to results. |
arules | Finds association rules between field values. |
associate | Identifies correlations between fields. |
contingency, counttable, ctable | Builds a contingency table for two fields. |
correlate | Calculates the correlation between different fields. |
diff | Returns the difference between two search results. |
join | SQL-like joining of results from the main results pipeline with the results from the subpipeline. |
selfjoin | Joins results with itself. |
set | Performs set operations (union, diff, intersect) on subsearches. |
stats | Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. |
transaction | Groups search results into transactions. |
Data and indexes
These commands can be used to learn more about your data and manager your data sources.
View data
These commands return information about the data you have in your indexes. They do not modify your data or indexes in any way.
| Command | Description |
|---|---|
audit | Returns audit trail information that is stored in the local audit index. |
dbinspect | Returns information about the specified index. |
eventcount | Returns the number of events in an index. |
metadata | Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer. |
typeahead | Returns typeahead information on a specified prefix. |
Manage data
These are some commands you can use to add data sources to or delete specific data from your indexes.
| Command | Description |
|---|---|
delete | Delete specific events or search results. |
input | Adds sources to Splunk or disables sources from being processed by Splunk. |
Fields
These are commands you can use to add, extract, and modify fields or field values. The most useful command for manipulating fields is eval and its functions.
Add fields
Use these commands to add new fields.
| Command | Description |
|---|---|
accum | Keeps a running total of the specified numeric field. |
addinfo | Add fields that contain common information about the current search. |
addtotals | Computes the sum of all numeric fields for each result. |
delta | Computes the difference in field value between nearby results. |
eval | Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference. |
iplocation | Adds location information, such as city, country, latitude, longitude, and so on, based on IP addresses. |
multikv | Extracts field-values from table-formatted events. |
rangemap | Sets RANGE field to the name of the ranges that match. |
strcat | Concatenates string values and saves the result to a specified field. |
Extract fields
These commands provide different ways to extract new fields from search results.
| Command | Description |
|---|---|
erex | Allows you to specify example or counter example values to automatically extract fields that have similar values. |
extract, kv | Extracts field-value pairs from search results. |
kvform | Extracts values from search results, using a form template. |
rex | Specify a Perl regular expression named groups to extract fields while you search. |
spath | Provides a straightforward means for extracting fields from structured data formats, XML and JSON. |
xmlkv | Extracts XML key-value pairs. |
Modify fields and field values
Use these commands to modify fields or their values.
| Command | Description |
|---|---|
convert | Converts field values into numerical values. |
filldown | Replaces NULL values with the last non-NULL value. |
fillnull | Replaces null values with a specified value. |
makemv | Change a specified field into a multivalued field during a search. |
nomv | Changes a specified multivalued field into a single-value field at search time. |
reltime | Converts the difference between ‘now’ and ‘_time’ to a human-readable value and adds adds this value to the field, ‘reltime’, in your search results. |
rename | Renames a specified field; wildcards can be used to specify multiple fields. |
replace | Replaces values of specified fields with a specified new value. |
Find anomalies
These commands are used to find anomalies in your data. Either search for uncommon or outlying events and fields or cluster similar events together.
| Command | Description |
|---|---|
analyzefields, af | Analyze numerical fields for their ability to predict another discrete field. |
anomalies | Computes an “unexpectedness” score for an event. |
anomalousvalue | Finds and summarizes irregular, or uncommon, search results. |
cluster | Clusters similar events together. |
kmeans | Performs k-means clustering on selected fields. |
outlier | Removes outlying numerical values. |
rare | Displays the least common values of a field. |
Geoip and location
These commands add geographical information to your search results.
| Command | Description |
|---|---|
iplocation | Returns location information, such as city, country, latitude, longitude, and so on, based on IP addresses. |
geostats | Generate statistics which are clustered into geographical bins to be rendered on a world map. |
Metrics
These commands work with metrics data.
| Command | Description |
|---|---|
mcollect | Converts events into metric data points and inserts the data points into a metric index on the search head. |
meventcollect | Converts events into metric data points and inserts the data points into a metric index on indexer tier. |
mstats | Calculates visualization-ready statistics for the measurement, metric_name, and dimension fields in metric indexes. |
Prediction and trending
These commands predict future values and calculate trendlines that can be used to create visualizations.
| Command | Description |
|---|---|
predict | Enables you to use time series algorithms to predict future values of fields. |
trendline | Computes moving averages of fields. |
x11 | Enables you to determine the trend in your data by removing the seasonal pattern. |
Reports
These commands are used to build transforming searches. These commands return statistical data tables required for charts and other kinds of data visualizations.
| Command | Description |
|---|---|
addtotals | Computes the sum of all numeric fields for each result. |
bin, discretize | Puts continuous numerical values into discrete sets. |
chart | Returns results in a tabular output for charting. See Statistical and charting functions in the Splunk Enterprise Search Reference. |
contingency, counttable, ctable | Builds a contingency table for two fields. |
correlate | Calculates the correlation between different fields. |
eventcount | Returns the number of events in an index. |
eventstats | Adds summary statistics to all search results. |
gauge | Transforms results into a format suitable for display by the Gauge chart types. |
makecontinuous | Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) |
mstats | Calculates statistics for the measurement, metric_name, and dimension fields in metric indexes. |
outlier | Removes outlying numerical values. |
rare | Displays the least common values of a field. |
stats | Provides statistics, grouped optionally by fields. See Statistical and charting functions in the Splunk Enterprise Search Reference. |
streamstats | Adds summary statistics to all search results in a streaming manner. |
timechart | Create a time series chart and corresponding table of statistics. See Statistical and charting functions in the Splunk Enterprise Search Reference. |
top | Displays the most common values of a field. |
trendline | Computes moving averages of fields. |
untable | Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable. |
xyseries | Converts results into a format suitable for graphing. |
Results
These commands can be used to manage search results. For example, you can append one set of results with another, filter more events from the results, reformat the results, and so on.
Alerting
Use this command to email the results of a search.
| Command | Description |
|---|---|
sendemail | Emails search results, either inline or as an attachment, to one or more specified email addresses. |
Append
Use these commands to append one set of results with another set or to itself.
| Command | Description |
|---|---|
append | Appends subsearch results to current results. |
appendcols | Appends the fields of the subsearch results to current results, first results to first result, second to second, and so on. |
join | SQL-like joining of results from the main results pipeline with the results from the subpipeline. |
selfjoin | Joins results with itself. |
Filter
Use these commands to remove more events or fields from your current results.
| Command | Description |
|---|---|
dedup | Removes subsequent results that match a specified criteria. |
fields | Removes fields from search results. |
mvcombine | Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. |
regex | Removes results that do not match the specified regular expression. |
searchtxn | Finds transaction events within specified search constraints. |
table | Creates a table using the specified fields. |
uniq | Removes any search that is an exact duplicate with a previous result. |
where | Performs arbitrary filtering on your data. See Evaluation functions in the Splunk Enterprise Search Reference. |
Format
Use these commands to reformat your current results.
| Command | Description |
|---|---|
untable | Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable. |
xyseries | Converts results into a format suitable for graphing. |
Generate
Use these commands to generate or return events.
| Command | Description |
|---|---|
gentimes | Returns results that match a time-range. |
loadjob | Loads events or results of a previously completed search job. |
mvexpand | Expands the values of a multivalue field into separate events for each value of the multivalue field. |
savedsearch | Returns the search results of a saved search. |
search | Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command. |
Group
Use these commands to group or classify the current results.
| Command | Description |
|---|---|
cluster | Clusters similar events together. |
kmeans | Performs k-means clustering on selected fields. |
mvexpand | Expands the values of a multivalue field into separate events for each value of the multivalue field. |
transaction | Groups search results into transactions. |
typer | Calculates the eventtypes for the search results. |
Reorder
Use these commands to change the order of the current search results.
| Command | Description |
|---|---|
head | Returns the first number n of specified results. |
reverse | Reverses the order of the results. |
sort | Sorts search results by the specified fields. |
tail | Returns the last number N of specified results |
Read
Use these commands to read in results from external files or previous searches.
| Command | Description |
|---|---|
inputcsv | Loads search results from the specified CSV file. |
loadjob | Loads events or results of a previously completed search job. |
Write
Use these commands to define how to output current search results.
| Command | Description |
|---|---|
mcollect | Converts events into metric data points and inserts the data points into a metric index on the search head. |
meventcollect | Converts events into metric data points and inserts the data points into a metric index on indexer tier. |
outputcsv | Outputs search results to a specified CSV file. |
outputtext | Ouputs the raw text field (_raw) of results into the _xml field. |
sendemail | Emails search results, either inline or as an attachment, to one or more specified email addresses. |
Search
| Command | Description |
|---|---|
map | A looping operator, performs a search over each search result. |
search | Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command. |
sendemail | Emails search results, either inline or as an attachment, to one or more specified email addresses. |
Subsearch
These are commands that you can use with subsearches.
| Command | Description |
|---|---|
append | Appends subsearch results to current results. |
appendcols | Appends the fields of the subsearch results to current results, first results to first result, second to second, and so on. |
appendpipe | Appends the result of the subpipeline applied to the current result set to results. |
format | Takes the results of a subsearch and formats them into a single result. |
join | SQL-like joining of results from the main results pipeline with the results from the subpipeline. |
return | Specify the values to return from a subsearch. |
set | Performs set operations (union, diff, intersect) on subsearches. |
Time
Use these commands to search based on time ranges or add time information to your events.
| Command | Description |
|---|---|
gentimes | Returns results that match a time-range. |
localize | Returns a list of the time ranges in which the search results were found. |
reltime | Converts the difference between ‘now’ and ‘_time’ to a human-readable value and adds adds this value to the field, ‘reltime’, in your search results. |
SPL2 Command Quick Reference
The following commands are supported in SPL2. Use the links in the table to see the command syntax, examples, and usage information.
| Command | Description | Example |
|---|---|---|
| bin | Puts continuous numerical values into discrete sets, or bins. | Example: Return the average for a field for a specific time span. Bin the search results using a 5 minute time span on the _time field. Return the average thruput of each host for each 5 minute time span....| bin span=5m _time | stats avg(thruput) by _time, host |
| branch | Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the into command. | Example: Read the events in the main index dataset into memory one time. Process the events in two branches using subsearches to determine the most popular hosts and sources.| from main | branch [stats count() BY host | where count > 50 select host | into p_hosts], [stats count() BY source | where count > 100 select source | into p_sources] |
| dedup | Removes the events that contain an identical combination of values for the fields that you specify. | Example: Remove duplicates of results with the same host value.... | dedup host |
| eval | Calculates an expression and puts the resulting value into a search results field. | Example: Create a new field that contains the result of a calculation. Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field.... | eval velocity=distance/timeExample: Use the if function to analyze field values. Create a new field called error in each event. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise set the error field value to Problem.... | eval error = if(status == 200, "OK", "Problem") |
| eventstats | Generates summary statistics from fields in your events and saves those statistics into a new field. | Example: Calculate an average for each distinct value of the date_minute field. The new field avgdur is added to each event with the average value based on its particular value of date_minute.... | eventstats avg(duration) AS avgdur BY date_minute |
| expand | Produce a separate result row for each object in an array that is in a field. | Example: Expand the array in the bridges field. Here is the event before the field is expanded:_timebridges5 May 2021 2:29:02 PM[{“name”:”Tower Bridge”,”length”:801},{“name”:”Millennium Bridge”,”length”:1066}]... | expand bridgesHere are the results after the expand command is run:_timebridges5 May 2021 2:29:02 PM{“name”:”Tower Bridge”,”length”:801}5 May 2021 2:29:02 PM{“name”:”Millennium Bridge”,”length”:1066} |
| fields | Keeps or removes fields from search results based on the list of fields that you specify. | Example: Specify a list of fields to include in the search results. Return only the host and src fields from the search results.... | fields host, src |
| fieldsummary | Calculates summary statistics for one or more fields in your events, displayed as a results table. | Example: Return the summary statistics for all incoming fields....| fieldsummaryExample: Return the summary statistics for a specific field. ...| fieldsummary fields=[action] |
| flatten | Converts the key-value pairs in the object into separate fields in an event. Flattens only the first level of an object. | Example: Flattens the values in the bridges object into separate fields.| FROM [{}] SELECT _time, {name: "Tower Bridge", length: 801} as bridges | flatten bridgesThe results look like this:_timebridgeslengthname21 Sep 2022 2:34:17 PM[{“name”:”Tower Bridge”, “length”:801}]801Tower Bridge |
| from | Retrieves data from a dataset, such as an index, metric index, lookup, view, or job.The from command has a flexible syntax, which enables you to start a search with either the FROM clause or the SELECT clause. | Example: Return data from the main index for the last 5 minutes. Group the results by host. Calculate the sum of the bytes field. Return the sum and the host fields where the sum of the bytes is greater than I MB.| FROM main WHERE earliest=-5m@m AND latest=@m GROUP BY host SELECT sum(bytes) AS sum, host HAVING sum > 1024*1024 |
| head | Returns the first N number of specified results in search order. | Example: Stop searching when a null value is encountered. This example returns results while action=purchase or the action field does not exist in the results (null=true). A maximum of 50 results are returned....| head while (action="purchase") null=true 50 |
| into | Sends results to a dataset that is writable, a dataset sink. Appends or replaces the dataset sink in the search data pipeline. | Example: Append the search results to the mytable dataset, which is a lookup kind of dataset.... | into mode=append mytable |
| join | Combines the results from two datasets by using one or more common fields. | Example: Join datasets on fields that have the same name. Combine the results from a search with the vendors dataset. The data is joined on the product_id field, which is common to both datasets.... | join left=L right=R where L.product_id=R.product_id vendors |
| lookup | Invokes field value lookups. | Example: Put corresponding information from a lookup dataset into your events.Append the data returned from your search results with the data in the users lookup dataset using the uid field. For search results that contains a uid field, the value in that field is matched with the uid field in the users lookup dataset. The username and department fields from the users lookup dataset are appended to each search result. If the search results already have the username and department fields, the OUTPUTNEW argument only fills in missing values in those fields.... | lookup users uid OUTPUTNEW username, department |
| mvexpand | Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. | Example: Expand the values in the myfield field.... | mvexpand myfield |
| rename | Renames one or more fields. | Example: Rename a field with special characters. Rename the ip-add field to IPAddress. Field names that contain anything other than a-z, A-Z, 0-9, or “_”, need single-quotation marks.... | rename 'ip-add' AS IPAddress |
| reverse | Reverses the order of the search results. | Example:... | reverse |
| rex | Use to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions. | Example: Extract values from a field using a <regex-expression>. Extract user, app, and SavedSearchName from a field called savedsearch_id in scheduler.log events.... | rex field=savedsearch_id "(?<user>\\w+);(?<app>\\w+);(?<SavedSearchName>\\w+)"If the contents of the field is savedsearch_id=bob;search;my_saved_search then this rex command syntax extracts user=bob, app=search, and SavedSearchName=my_saved_search. |
| search | Retrieve events from indexes or filter the results of a previous search command in the pipeline. | Example: Search for a field-value pair for a specific source IP, src.search src="192.0.2.0"Example: Search for multiple field-value pairs with boolean and comparison operators. This example searches for events with code values of either 10, 29, or 43 and any host that is not “localhost”, and an xqp value that is greater than 5.search (code=10 OR code=29 OR code=43) host!="localhost" xqp>5 |
| select | See the from command. The SELECT clause is part of the from command. | Example: Calculate the sum of the bytes field. Return the sum and the host fields from the main index for the last 5 minutes. Group the results by host.| SELECT sum(bytes) AS sum, host FROM main WHERE earliest=-5m@m GROUP BY host |
| sort | Sorts all of the results by the specified fields. | Example: Sort the results first by the surname field in ascending order and then by the firstname field in descending order.... | sort surname, -firstname |
| spl1 | Embed all or part of an SPL search into an SPL2 search. The spl1 command supports two syntaxes: backtick ( ` ) character syntax and explicit spl1 command syntax. | Example: Consider this SPL search:error OR http_code=404Embed this search into an SPL2 search using the backtick ( ` ) character syntax:`search index=main error OR http_code=404`Example: In this SPL2 search only the portion of the search not supported by SPL2, the addinfo command, uses the backtick ( ` ) character syntax:from sample_data_index | stats sum(bytes) BY host | `addinfo` |
| stats | Calculates aggregate statistics such as average, count, and sum, over the results set. | Example: Take the incoming result set and calculate the sum of the bytes field and groups the sums by the values in the host field.... | stats sum(bytes) BY host |
| streamstats | Adds a cumulative statistical value to each search result as each result is processed. | Example: Use a <by-clause> to add a running count to search results. This search uses the host field to reset the count. For each search result, a new field is appended with a count of the results based on the host value. The count is cumulative and includes the current result.... | streamstats count() BY host |
| thru | Writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset. | Example: Append all the incoming search result set to the actions dataset. Those same search results are also passed into the eval command.... | thru actions | eval field=<expr> |
| timechart | Creates a time series chart with corresponding table of statistics. | Example: For each minute, calculate the average value of the CPU field for each host.... | timechart span=1m avg(CPU) BY host |
| timewrap | Compare data over a specific time period, such as day-over-day or month-over-month, or multiple time periods, such as a two week period over another two week period. | Example: Display a timechart that has a span of 1 day for each count in a week over week comparison table. Each table column, which is the series, is 1 week of time.... | timechart count span=1d | timewrap 1week |
| union | Merges the results from two or more datasets into one dataset. One dataset can be piped into the union command and merged with a second dataset. | Example: Merge events from the customers, orders, and vendors datasets. You must separate the dataset names with a comma.| union customers, orders, vendorsExample: Append the current results of the main search with the tabular results of errors from the subsearch. ... | stats count() BY category1 | union [search error | stats count() BY category2] |
| where | Filters search results based on the outcome of a Boolean expression. | Example: Use the like comparison operator with the percent symbol ( % ) as a wildcard. This example returns all results where the ipaddress field contains values that start with “192.”.... | where ipaddress like "192.%"Example: Compare one field to another field. ... | where ipaddress=clientipExample: Filter using a field-value pair. ... | where host="www1" |
Mentor for DevOps - DevSecOps - SRE - Cloud - Container & Micorservices at Software AG
Join my following certification courses...
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
Latest posts by Rajesh Kumar (see all)
- Best AI tools for Software Engineers - November 4, 2024
- Installing Jupyter: Get up and running on your computer - November 2, 2024
- An Introduction of SymOps by SymOps.com - October 30, 2024
