https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489604#M194076 <P>I get asked some form of this question often and I know what my answer is but I am curious about others. What is your opinion of the top 10 most powerful SPL command that every expert splunk user or wannabe should know well and what is on "off the beaten path that you find occasionally invaluable?</P> Mon, 25 Nov 2019 01:53:42 GMT woodcock 2019-11-25T01:53:42Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489604#M194076 <P>I get asked some form of this question often and I know what my answer is but I am curious about others. What is your opinion of the top 10 most powerful SPL command that every expert splunk user or wannabe should know well and what is on "off the beaten path that you find occasionally invaluable?</P> Mon, 25 Nov 2019 01:53:42 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489604#M194076 woodcock 2019-11-25T01:53:42Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489605#M194077 <P><CODE>*stats</CODE>!</P> <P><CODE>stats</CODE>, <CODE>eventstats</CODE>, <CODE>streamstats</CODE> take Splunk from being just a search engine to a tool for in-depth analysis</P> Mon, 25 Nov 2019 02:32:09 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489605#M194077 sduff_splunk 2019-11-25T02:32:09Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489606#M194078 <P>Agree with the stats family, but not just "use stats" but "how to properly use stats" (to get rid of joins/append and other inefficient statements). </P> <P>TERM (for faster matching if your data supports it)<BR /> IN (reduction of "OR"s and easier readability)</P> <P>Finally, REX/REGEX. If your data is barely structured (looking at you kubernetes and rancher debug logs) , and you are good at rex/regex, then you can you interrogate the data and bend it to your will. </P> Mon, 25 Nov 2019 06:41:44 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489606#M194078 randy_moore 2019-11-25T06:41:44Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489607#M194079 <P><CODE>makeresults</CODE> @ Splunk&gt;Answers</P> <P>I didn't expect to use that much.<BR /> It is convenient to create logs freely.</P> Fri, 29 Nov 2019 11:41:30 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489607#M194079 to4kawa 2019-11-29T11:41:30Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489608#M194080 <P>Do not forget about <CODE>windbag</CODE> and <CODE>gentimes</CODE>!</P> Sun, 01 Dec 2019 01:52:31 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489608#M194080 woodcock 2019-12-01T01:52:31Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489609#M194081 <P>I have never used <CODE>windbag</CODE> yet.<BR /> <CODE>gentimes</CODE> is difficult to use.</P> Sun, 01 Dec 2019 08:24:51 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489609#M194081 to4kawa 2019-12-01T08:24:51Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489610#M194082 <P>I am not an expert but these commands are my bread and butter to doing things and accomplish the objectives.</P> <P><CODE>stats</CODE> , <CODE>timechart</CODE>, <CODE>streamstats</CODE>, <CODE>tstats</CODE>,<CODE>append</CODE>, <CODE>map</CODE>, <CODE>transpose</CODE>, <CODE>rex</CODE>, <CODE>bin</CODE>, <CODE>transaction</CODE></P> <P>And as a command is very easy to understand but the power that has all the functions of <CODE>eval</CODE> is where the magic happens.</P> Wed, 11 Dec 2019 13:18:55 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489610#M194082 osakachan 2019-12-11T13:18:55Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489611#M194083 <P>Is <CODE>transaction</CODE> necessary? </P> Wed, 11 Dec 2019 13:33:48 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489611#M194083 to4kawa 2019-12-11T13:33:48Z https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489612#M194084 <P>If you want to have in one event a succession of events evaluated with a beginning or an end with a defined control of span or limit of times, yes. If not *stats are always better <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Wed, 11 Dec 2019 13:47:56 GMT https://community.splunk.com/t5/Splunk-Search/What-are-THE-most-important-SPL-commands/m-p/489612#M194084 osakachan 2019-12-11T13:47:56Z