I can see only Splunk example queries and no example output results. Is there a document which has both example queries and the sample outputs?

New Member

I can see only Splunk example queries and no example output results. Is there a document which has both example queries and the sample outputs? It will be easier to understand by seeing the output samples as well.

The below is an example for abstract, but no output results are provided:

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Abstract

SplunkTrust

@gannysplunk, Splunk Docs provides example queries with the expectation that you will be providing the main/base search depending on the data that you have indexed, which may vary for different Splunk instances.

If you are trying to pick up the Splunk Processing Language (Splunk searching) you can refer to:
1) Splunk Documentation for the Search Tutorial, which lists out a step-by-step process of adding some sample mock data to Splunk, then creating Splunk searches to analyze the data, and finally creating an Alert/Report/Dashboard depending on the needs.
2) You can attend the free e-learning course from Splunk called Splunk Fundamentals 1, which should cover the same process as above as a video-based e-learning course.
3) For a specific query with any SPL which does not seem clearly explained through the Splunk Documentation, you can search on Splunk Answers as well. Most of the time the community members provide run-anywhere examples based on Splunk's _internal index (which Splunk uses to monitor itself). For example, here is one of my older posts on abstract command usage: https://answers.splunk.com/answers/628510/help-to-build-the-query-using-abstract-command.html

As per your question around the abstract command, which returns a summary of the _raw data instead of the complete event data based on maxlines and maxterms. PS: I have also used the maxterms argument for the abstract command because most of the time _internal logs are single line.

index=_internal sourcetype=splunkd log_level!=INFO
| abstract maxlines=1 maxterms=20

Provided you have access to search the _internal index, the above is a run-anywhere example which should give some output. In order to see the difference in the _raw events in the output you can try the same base search without the second pipe with abstract, i.e.

index=_internal sourcetype=splunkd log_level!=INFO

Please try it out and confirm if you need further help!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
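An added run-anywhere example (not from the answer above or from Splunk Docs) for readers who do not have access to the _internal index: it constructs one three-line event inline with makeresults, keeps a copy of the original _raw in a field named original (an assumed field name), and then applies abstract, so the summarized _raw can be compared with the full event side by side in the results table. It assumes the urldecode("%0A") idiom for inserting a newline into an eval string and that abstract rewrites only _raw and leaves other fields untouched.

```spl
| makeresults count=1
| eval _raw="ERROR Connection to indexer idx01 lost" . urldecode("%0A") . "Retrying in 30 seconds" . urldecode("%0A") . "Retry succeeded after 2 attempts"
| eval original=_raw
| abstract maxlines=1 maxterms=3
| table original _raw
```

The event text (indexer name, retry counts) is constructed for the example. Run the same search with the abstract line removed and _raw and original are identical; with it in place, _raw holds the abstract summary while original still shows the complete event. Adjusting maxlines and maxterms and re-running is the quickest way to see how each argument shapes the summary.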

New Member

@niketnilay thanks for answering me. Will check with mock data and work with that to practice the queries.

SplunkTrust

@gannysplunk for the abstract command you can definitely try the run-anywhere search example based on Splunk's _internal index. If it works, do accept/upvote the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"