Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What are THE most important SPL commands?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are THE most important SPL commands?
I get asked some form of this question often and I know what my answer is but I am curious about others. What is your opinion of the top 10 most powerful SPL command that every expert splunk user or wannabe should know well and what is on "off the beaten path that you find occasionally invaluable?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not an expert but these commands are my bread and butter to doing things and accomplish the objectives.
stats , timechart, streamstats, tstats,append, map, transpose, rex, bin, transaction
And as a command is very easy to understand but the power that has all the functions of eval is where the magic happens.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is transaction necessary?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to have in one event a succession of events evaluated with a beginning or an end with a defined control of span or limit of times, yes. If not *stats are always better 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
makeresults @ Splunk>Answers
I didn't expect to use that much.
It is convenient to create logs freely.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do not forget about windbag and gentimes!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have never used windbag yet.
gentimes is difficult to use.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree with the stats family, but not just "use stats" but "how to properly use stats" (to get rid of joins/append and other inefficient statements).
TERM (for faster matching if your data supports it)
IN (reduction of "OR"s and easier readability)
Finally, REX/REGEX. If your data is barely structured (looking at you kubernetes and rancher debug logs) , and you are good at rex/regex, then you can you interrogate the data and bend it to your will.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
*stats!
stats, eventstats, streamstats take Splunk from being just a search engine to a tool for in-depth analysis
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
