Can someone tell me what each part of this search does so I can learn more about the search processing language?

Communicator

Could someone please tell me what this does? I'm in the process of learning Splunk and knowing what each part of this search does would really help me. Thank you so much!

| tstats `summariesonly` count from datamodel=Change_Analysis where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user | sort 100 - count | `drop_dm_object_name("All_Changes")` |  `drop_dm_object_name("Account_Management")`
Re: Can someone tell me what each part of this search does so I can learn more about the search processing language?

SplunkTrust

Read these

For understanding tstats portion: http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Tstats (also see the section "An accelerated data model object")

For understanding sort : http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Sort

The last two portions of the search are macro calls, so refer below for general search macro help.
http://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Usesearchmacros

For details on your macro, go to your Splunk web Settings->Advanced search -> Search macro, to find the definition of those macros.

Communicator

Thank you very much for answering. So from what I understand, is this an accurate description of what that search is doing?:

Search statistics only from tsidx files AND count from ONLY datamodels that are named "Change_Analysis" WHERE the object name is EQUAL to All_Changes.Account_Management. "All_Changes" is EQUAL to the string "lockout". Then sort this filtered search into the top 100 results. Filter out objects named "All_Changes". Filter out objects named "Account_Management". Then display these results.

I'm really sorry for so many questions, it's just that I really need to know what this search is doing. Thank you again for your help.

SplunkTrust

The only thing I would add to the description of the first section of the query (before sort) is that it's generating the statistics (count) grouped by the fields mentioned in the "by clause" (by All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user).

Based on the name of the macro, it seems like it's filtering events, but how and based on which column can only be known by seeing the macro definition.

Communicator

Thank you again for helping me. The thing is, I don't think I have access to the macro definitions. I really only have a copy of the search query I posted in the question. Basically what I'm trying to do is translate that search query into an accurate description of what it does so that I can search the log files of my company's customers using the log file search software that my company uses. It has a different syntax, which is why I need to make the translation. So I was given that search query, which does what we want, but that's all we have. It was made some time ago and the person who made it isn't here.

Also, I don't fully understand what you mean regarding adding to the description. What fields are mentioned by the "by clause"? I found the definitions of "All_Changes.src", "Account_Management.src_nt_domain", and "All_Changes.user" but I couldn't find anything for just "All_Changes". How does the period in "All_Changes.Account_Management.src_nt_domain" affect the search? Also, I tried putting the definitions together but I still can't figure out what that by clause does. Lastly, how do the commas affect that clause?

Any more help would be immensely appreciated.

SplunkTrust

By adding to the description I meant the description of what the search is doing.
The tstats query syntax that you have is like this:

 | tstats OPTIONS count from SOURCE where FILTERS by GROUPING_FIELDS

So, the fields mentioned as part of the GROUPING_FIELDS (comma-separated list of fields) section are the ones by which your statistics are summarized. "All_Changes" should be a Root Object/search within your datamodel=Change_Analysis (in Splunk Web -> Settings -> Data Model). And Account_Management seems like a child object/search within node "All_Changes".

The by clause simply provides a way of grouping the results to provide the aggregation that you requested. So here, your search (first portion before sort) provides a count of events, grouped by/for each unique combination of the fields "All_Changes.src, All_Changes.Account_Management.src_nt_domain, All_Changes.user", for events which satisfy your FILTERS condition.

Communicator

Thank you so much, that helped a lot. Last thing (hopefully): so there is no way to know what the macros at the bottom (drop_dm_object_name("All_Changes") | drop_dm_object_name("Account_Management")) do? I don't actually have Splunk installed here. Also, if that's the case and we don't know what they do, does that mean we also don't know what 'summariesonly' does at the top? Because it is also enclosed by backticks and thus is a macro if I'm not mistaken. Unless my knowledge of macros is incorrect, in which case, what would they do? Is drop_dm a command or function? And what would drop_dm_object_name("All_Changes") do then?

SplunkTrust

You're correct, the option summariesonly is a macro created by your Splunk administrator, and my guess would be that it sets the option summariesonly of the tstats command to true (check the tstats link for more details on what this option does).

The macro names are custom (user defined), so drop_dm is just the naming convention followed by the creator of the macro. Having a local (on your laptop/desktop/VM) Splunk will not help you understand the macros that you see here. You would need to go to the Splunk instance where these exist and check the definition there for its functionality.

I would ask the person who gave you the splunk search to also provide macro definitions.

Communicator

So when you save a macro, where is it saved to? Some local file on my computer associated with Splunk? For example, am I the only one that can use macros that I create? Or is it saved online so that if you create a macro I can use it if I know what it's named and what it does?

I will look further into what summariesonly for tstats command does.

I know I'm repeating myself here, but drop_dm is a function/command created by someone - the person that gave it to me - and anyone could use that command now that it is created, as long as they know what it does?

Lastly, drop_dm_object_name is a command/function and the ("All_Changes") is an argument to that command/function that seems to be searching for the string "All_Changes" for the command/function drop_dm_object_name to do whatever it does for every instance of that string, correct?

Thank you again

SplunkTrust

In `summariesonly`, summariesonly is the name of the search macro.
In `drop_dm_object_name("All_Changes")`, drop_dm_object_name is the name of the search macro (it's a name so it could be anything) and the string "All_Changes" is the argument.

The macro created is saved on the Splunk server where it's created (in configuration files), and whether it is available for others to use depends upon what permissions and scope are set for that macro. As I listed in my answer, you can see the macros in the Splunk Web UI under Settings -> Advanced search -> Search macro.

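To tie the by-clause explanation and the macro discussion above together, here is an added example (not from the thread, and not Splunk's own code) that models the posted search stage by stage in plain Python, which is handy when porting it to another log-search tool. It assumes the `summariesonly` macro only restricts tstats to accelerated summaries (so it is not modelled) and that drop_dm_object_name strips the "<object>." prefix from field names, an assumption to confirm against macros.conf on the real server. The result is a count of lockouts per source, domain and user, which is what a defender would review for bursts of failed logons against many accounts.

```python
# Added example, not from the thread: a plain-Python model of what the posted
# tstats search computes, useful when porting it to another log-search tool.
# Assumptions: `summariesonly` only limits tstats to accelerated summaries and is
# not modelled; drop_dm_object_name is ASSUMED to strip the "<object>." prefix
# from field names (confirm against macros.conf on the real Splunk server).
from collections import Counter

def _ev(src, domain, user, result):
    # Constructed event shaped like an Account_Management row of Change_Analysis.
    return {"All_Changes.src": src,
            "All_Changes.Account_Management.src_nt_domain": domain,
            "All_Changes.user": user,
            "All_Changes.result": result}

# Constructed sample data: two lockouts for alice, one for bob, one non-lockout.
EVENTS = [_ev("10.0.0.5", "CORP", "alice", "lockout"),
          _ev("10.0.0.7", "CORP", "bob", "lockout"),
          _ev("10.0.0.5", "CORP", "alice", "lockout"),
          _ev("10.0.0.5", "CORP", "alice", "success")]

def tstats_count(events, filters, by_fields):
    """count ... where FILTERS by GROUPING_FIELDS: one row per unique
    combination of the by-fields, holding the number of matching events."""
    counts = Counter()
    for ev in events:
        if all(ev.get(k) == v for k, v in filters.items()):
            counts[tuple(ev.get(f) for f in by_fields)] += 1
    return [dict(zip(by_fields, key), count=n) for key, n in counts.items()]

def sort_top(rows, limit=100):
    """`sort 100 - count`: descending by count, at most `limit` rows kept."""
    return sorted(rows, key=lambda r: r["count"], reverse=True)[:limit]

def drop_dm_object_name(rows, obj):
    """Assumed macro behaviour: rename 'obj.x' to 'x' in every row."""
    prefix = obj + "."
    return [{(k[len(prefix):] if k.startswith(prefix) else k): v
             for k, v in row.items()} for row in rows]

def run_search(events):
    """The whole pipeline from the question, stage by stage."""
    rows = tstats_count(events, {"All_Changes.result": "lockout"},
                        ["All_Changes.src",
                         "All_Changes.Account_Management.src_nt_domain",
                         "All_Changes.user"])
    rows = sort_top(rows, 100)
    rows = drop_dm_object_name(rows, "All_Changes")         # leaves Account_Management.src_nt_domain
    return drop_dm_object_name(rows, "Account_Management")  # leaves src_nt_domain
```

Note the order of the two drop calls: the first turns All_Changes.Account_Management.src_nt_domain into Account_Management.src_nt_domain, and only then can the second reduce it to src_nt_domain, which is why the posted search calls the macro twice.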