Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to document a Splunk query

sonam
Explorer
‎08-08-2011 11:22 PM

I am writing a Splunk query to search logs generated by a middleware system for anything 'exceptional'. Basically, the approach I'm taking is filtering out entries for 'known issues'. Anything left behind is then an 'unknown issue' by definition (and worthy of attention). The Splunk query examines the previous day's logs each night and emails results for review in the morning.

The query looks like this... as you can see, it just a large set of 'NOT' terms: 

index=middleware
NOT SalesForce* 
NOT SSL_DEBUG
NOT "Cache cleared for service *" 
NOT "Service Thread Pool" 
...
(20 more exclusions and growing)
...

My questions :

  1. How can I document this query?
    Specifically, I'd like to explain each 'NOT' exclusion above.

  2. Is this a reasonable approach for reviewing logfiles?
    My Splunk admin is concerned about the performance impact of 'NOT' terms.
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎08-09-2011 08:15 AM

You could add it into savedsearches.conf, and then just add the comments in above that, specifying they are comments by beginning each comment line with a # symbol. In terms of a query expense, your returning the entire set of results, and then filtering based on that. It is better if you can specify a time frame, and the results that you'd like to see being as specific as possible prior to filtering out events.

0 Karma
Reply

sonam
Explorer
‎09-07-2011 12:12 AM

My impression is there is no functionality available to a Splunk end-user, to document Splunk artifacts in Splunk.

The only option seems to be to copy/paste the saved searches/events, etc... from Splunk into a Wiki or Word files or whatever knowledgebase you use, and document it there.

0 Karma
Reply

sonam
Explorer
‎08-12-2011 12:00 AM

Hmm. Thanks for that. You mentioned a configuration file (savedsearches.conf). However, I'm just a poor user, not a Splunk sysadmin so I don't have access to this file. (Am I wrong?) I can only save searches and event.

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...