Assumptions: you have already downloaded and installed Splunk and you have added log data to it.
Where can I practice Splunk search commands for free? For newbies, Splunk provides a free online sandbox where you can try Splunk and practice on it. The sandbox link is below; you need to register on the Splunk website to access it. You can download our sample logs from the link given below and get the same results as shown in the screenshots below, or you can try the same commands with your own logs added to Splunk.
Splunk sandbox link:
https://www.splunk.com/getsplunk/cloudtrial&ac=test_modal_onlinesandbox
Redhat sample log file download link:
http://www.filedropper.com/redhatlogs
So let's start with Splunk search :)
Splunk search commands / Splunk search examples:
After logging into Splunk you will see the search window below. Just click on each part to explore more.
Search box - this is where we enter the search keyword (a username, error code, event code, etc.) for which we need logs.
Time range picker - select the time range for which you need to search logs. The shorter the time range, the faster the search.
Data summary - shows statistics for the searched logs, e.g. how many results were found after searching.
Global stats - shows the number of logs indexed in Splunk overall.
Basic Splunk search commands
1. Simple search command
If you want to find out specific information in your environment, like common errors, a user, a problematic host, etc., just enter the keyword and click on search. You will get the logs related to that keyword.
Example - if you want to search for errors in your environment, just type error in the search box and hit enter. Below is a screenshot of the sample results you get:
2. Use of the AND operator in Splunk search
Splunk search supports the use of boolean operators. We can use the AND operator to search for logs which contain two different keywords. For example, I want to search for logs which contain errors for the database only, so I just enter "error" AND "database" and click on search.
The results for "error" "database" and "error" AND "database" will be the same, as Splunk takes AND as the default operator between search terms. Boolean operators in Splunk search are case sensitive: you must type them in capitals if you wish to use them.
Example:
3. Use of the OR operator in Splunk search
We use the OR operator when we need logs which contain any one of the entered keywords. For example, if we want logs for either system start or system restart, we need to use the OR operator. Below is a screenshot of the result for our search:
Example:
4. Use of the NOT operator in Splunk
We use the NOT operator when we want logs which contain one keyword but not another. For example, I want logs for all sessions to the server, but searching with only session will give me results for both session start and session end. If I need logs for only session start, I enter Session NOT end and click on search. Below is the result:
Example:
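Putting sections 2, 3 and 4 together, here is an added set of searches (not from the original post) that show the three boolean operators plus grouping with parentheses. They assume the Red Hat syslog sample was indexed into an index called main with sourcetype syslog; change those two values to match your own data. Each line is a complete, separate search:

```spl
index=main sourcetype=syslog error database
index=main sourcetype=syslog error AND database
index=main sourcetype=syslog "system start" OR "system restart"
index=main sourcetype=syslog session NOT end
index=main sourcetype=syslog (error OR fail*) AND NOT (sshd OR "test user")
```

The first two searches return identical results because AND is implicit between terms. The last search shows why parentheses matter: without them, `error OR fail* AND NOT sshd` would bind NOT to sshd only and leave every plain error event in the result. Quoted phrases such as "system start" are matched as a phrase, whereas unquoted words are separate terms that are each required (or, inside an OR group, each optional).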
5. Splunk top command
The top command displays the most common values of a field/keyword. For example, if I want to find the top errors in my environment, I use the top command to get the most common values. We use the | (pipe) operator to pass an existing search to top: | redirects the search results to the top command, which analyses them and displays the result. We can limit the number of top results by specifying a limit. If you want the top 10 errors in your environment, just change the limit to 10 in the search query below.
Example: error | top limit=1 error
6. Use of wildcards in Splunk search
A wildcard is the * sign, which matches zero or more characters of a keyword. If we enter only * in the Splunk search box and hit enter, it pulls and displays all available logs. Splunk is exact about matching the search keyword: if I enter the keyword fail, it pulls only logs which contain the term fail, not logs which contain terms like failed, failsafe, failure, etc. In this case wildcards come to the rescue. If you don't know the start or end of a search keyword, use * in its place.
For example, if I search for the keyword 2*, it shows me all logs which contain 2, 200, 21, 207, etc.
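The following is an added example (not part of the original post) that combines sections 5 and 6: a wildcard search for failure-related events, a rex extraction of the process name from the standard syslog prefix, and top applied to that extracted field. The index name main, the sourcetype syslog, the regular expression and the field name process are all my assumptions for the Red Hat sample logs:

```spl
index=main sourcetype=syslog fail* OR denied
| rex field=_raw "^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?<process>[^\[\s:]+)"
| top limit=10 process countfield=events showperc=true

index=main sourcetype=syslog host=rh* fail*
| top limit=5 host
```

The first search matches fail, failed, failure, failsafe and the word denied; the rex command pulls the program name out of lines of the form "Jan 12 10:00:01 myhost sshd[1234]: ..." into a field called process, and top then counts which programs produce the most failure messages. countfield renames the count column and showperc keeps the percentage column. The second search shows that wildcards also work inside field values (every host whose name starts with rh), not only in free-text keywords.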
7. dedup command
The dedup command removes duplicate values from the result. It displays the most recent value/log for a particular incident: Splunk removes events which contain an identical combination of values for the selected fields, so dedup returns the first value found for that particular search keyword/field.
For example, if I search for all logs and apply dedup on the user id field (dedup uid), it displays only one log for each uid; no log is repeated.
8. head and tail command
The head command in Splunk displays the first (top) results of a search. By default it displays the first 10 results; we can specify the number of results to display.
The tail command in Splunk displays the last results of a search. By default it displays the last 10 results; we can specify the number of results to display.
For example, if I search for all errors and pipe the result to head, it displays the 10 most recent error logs, and tail does the reverse:
error | head
error | head limit=10
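As an added example for sections 7 and 8 (not from the original post), the searches below use dedup to keep only the newest error event per host, then head and tail to look at the two ends of that list. They assume an index called main and the sourcetype syslog; host is a default Splunk field, so no extraction is needed:

```spl
index=main sourcetype=syslog error
| dedup host sortby -_time
| head 5
| table _time host _raw

index=main sourcetype=syslog error
| dedup host sortby -_time
| tail 5
| table _time host _raw
```

Because search results arrive newest first, dedup host keeps the most recent error for each host; sortby -_time makes that ordering explicit rather than relying on the default. head 5 then shows the five hosts with the freshest errors, while tail 5 shows the five hosts whose last error is the oldest, which is a quick way to spot a host that has gone quiet. Note that tail has to wait for the whole result set, so it is slower than head on large searches.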
9. stats command
stats is one of Splunk's cool commands. It gives you statistics, i.e. the number of occurrences of an event/field, which is very helpful for analysing overall occurrences. For example, if you want to find how many errors exist in your environment, you can use the stats command as shown below.
Example: error | stats count by error
10. eval command
The eval command is a multipurpose command in Splunk. Eval modifies or creates a field. It is normally used to evaluate an arbitrary expression, perform mathematical operations, rename fields, etc. The eval command requires that you specify a field name that takes the results of the expression you want to evaluate. If this destination field matches a field name that already exists, the values of that field are replaced by the results of the eval expression.
For example: in the example below we are searching for usage of resources and finally replacing the daily total field value with the keyword b.
11. chart and timechart command
The timechart command plots a graph of your searched values over time. It displays a chart against the field values you mention. In the example below we searched for the keyword frequent-static in airline logs. After getting the result we pipe it to the timechart command, which displays a graph of the values.
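Here is an added example (not the post's own) covering sections 9, 10 and 11 in one pipeline: stats summarises error and failure events per process, eval derives readable timestamps and a severity label from those statistics, and a second search feeds the same events to timechart. Assumed names: index main, sourcetype syslog, the rex pattern, and the fields process, events, hosts, first_seen, last_seen and severity, which are all created here:

```spl
index=main sourcetype=syslog (error OR fail*)
| rex field=_raw "^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?<process>[^\[\s:]+)"
| stats count AS events, dc(host) AS hosts, earliest(_time) AS first_seen, latest(_time) AS last_seen BY process
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| eval severity=if(events>100 OR hosts>5, "high", "normal")
| sort -events

index=main sourcetype=syslog (error OR fail*)
| rex field=_raw "^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?<process>[^\[\s:]+)"
| timechart span=1h limit=5 count BY process useother=f
```

In the first search, stats produces one row per process with the event count, the number of distinct hosts affected and the first and last time it was seen. The first eval overwrites first_seen and last_seen in place (the destination field already exists, so its values are replaced, exactly as described above), and the second eval creates a new severity field; the thresholds 100 events and 5 hosts are arbitrary values chosen for the illustration. The second search turns the same events into an hourly series, one line per process, limited to the five busiest processes with the "OTHER" series suppressed, which is the shape the Splunk chart view expects.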
12. sort and transaction command
The sort command is used to sort your results by particular values. Just pipe sort to your search.
Transaction command - use the transaction command to create a single event from a group of events that share the same value in a given field.
• Transactions can cross multiple tiers (i.e., web server, application server) using a common field.
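As an added example for section 12 (not from the original post), the search below stitches the "session opened" and "session closed" lines that pam_unix writes to the Red Hat syslog into one transaction per user login, then sorts the resulting sessions by length. The index main, sourcetype syslog, the rex pattern and the fields user and duration_min are my assumptions; duration and eventcount are fields the transaction command itself adds:

```spl
index=main sourcetype=syslog "session opened" OR "session closed"
| rex field=_raw "session (?:opened|closed) for user (?<user>\S+)"
| transaction user startswith="session opened" endswith="session closed" maxspan=1h
| eval duration_min=round(duration/60, 1)
| sort 0 -duration_min
| table _time host user duration_min eventcount
```

transaction user groups events that share the same user value; startswith and endswith tell it where one session ends and the next begins, and maxspan=1h stops an unmatched "opened" line from swallowing hours of unrelated events. The 0 after sort lifts the default 10,000-row limit so every session is ordered, and the leading minus sorts descending, longest session first. A session with eventcount=1 is one that opened but never closed inside the time range, which is worth a second look on a server where sessions are expected to be short.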