Splunk Series: Search Language Syntax

Leave a Comment / Security / By

How is the syntax used in the Search editor

To better explain the syntax of a search is by using the following diagram
splunk-sintax

The components of the Search

  • Search Terms –> What you are looking for
  • Commands –> What do you want to do with the results, chart, statistics, format and so on
  • Functions –> How do you want to chart, compute or evaluate your result, for example, get a sum, get an average or transform the values, amongs many other functions
  • Arguments –> Variables you want to apply to the search, calculate average, transform from milliseconds to seconds and so on
  • Clauses –> How do you want to group or rename the fields in the search result

The Search Pipeline

UntitledImage

Creating Tables

After a search is defined, use (|) to enter into a new line – Create tables based on field values, bring multiple values to create the Table, in this example we are using JSESSIONID, Action and Status.

UntitledImage

Notice that the Fields can be renamed to something more user friendly by using the rename command

THere are multiple ways to present the data, and to provide meaningful information. Here is the Commands by Category reference guide

More examples for Field Commands are:

  • dedup – removes duplicates from results
  • sort – order results in ascending or descending order (+-)

Transforming Commands

  • Top – Retun the most common field values (By default brings 10 results)
  • rare – Return the least common field values
  • Stats – calculate statistics from your search criteria (Combine with count, distinct count, sum, avg, list, values)

To get a better understanding of the Functions of the Stats command –> Common Stats Function

What is Next?

Lookups

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres is specialized in Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top