topic Can someone explain the parameters of <search>? in Splunk Search

Can someone explain the parameters of ?

NickGrava — Wed, 21 Sep 2022 18:39:06 GMT

Hi Team!

Someone please explain to me what each parameter is responsible for in such a search tag:

<search>
<query>system="SWAP_total" host = crm.narsdade.com
| bin _time span=1d
| dedup _time
| eval requestLasts = requestLimit - requestCount
| table requestCount, requestLasts
| rename requestCount AS "Requests done", requestLasts AS "Requests to go"
| transpose
| eval foobar_slice = column + " (" + 'row 1'+")"
| fields foobar_slice, "row 1"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>

what is system..host.. and other attributes means for..

Re: Can someone explain the parameters of ?

yuanliu — Wed, 21 Sep 2022 18:47:28 GMT

With the exception of requestLasts and foobar_slice which the programmer defined in the code, the rest are all from your raw data. _time and host are essential fields that all Splunk data must have; _time is obvious, host usually reflects the source from which the event is reported from or for. The rest of fields can only be explained by someone with intimate knowledge about the application that produces these events.

Re: Can someone explain the parameters of ?

richgalloway — Wed, 21 Sep 2022 18:50:21 GMT

You can find all of the elements in the Dashboards and Visualizations manual (https://docs.splunk.com/Documentation/Splunk/9.0.1/Viz/PanelreferenceforSimplifiedXML#search).

The <query> element is the search for Splunk to perform. To learn about what goes here, try the Search Tutorial manual (https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchTutorial/WelcometotheSearchTutorial) or the free training available at https://www.splunk.com/en_us/training/course-catalog.html?sort=Newest&filters=filterGroup1FreeCourses