Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: What are the functions of commas and periods i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was just wondering if the commas in this search are just to aid readability of the code, or if they are important to the functioning of the search.
All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user
Also, what is the function of the period in between "All_Changes" and "Account_Management.src_nt_domain".
Thank you for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The commas are for readability (you can substitute w/space) and the periods could be to represent data hierarchy. So, All_Changes.src could mean the src node under All_Changes. This is applicable when your orginal data is represented either in JSON or XML format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The commas are for readability (you can substitute w/space) and the periods could be to represent data hierarchy. So, All_Changes.src could mean the src node under All_Changes. This is applicable when your orginal data is represented either in JSON or XML format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great thank you for your answer!
So All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user
is the same as: All_Changes.src All_Changes.Account_Management.src_nt_domain All_Changes.user
So does that mean that there is an implied "AND" where the commas are? I recall learning that there is an implied AND between terms with spaces. Or is that only true regarding functions or commands?
Also, I found a definition on the Splunk website that stated that the definition for: All_Changes.src was: The resource where the change was originated. I'm not really sure what change that is talking about. My original search query was:
| tstats `summariesonly` count from datamodel=Change_Analysis where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user | sort 100 - count | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Account_Management")`
I think that the line I originally posted summarizes the statistics I'm getting with the tstats function but I'm not sure how it's summarizing the data as I don't have access to Splunk right now.
Thank you for all your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One last thing,
What does the -- All_Changes.result="lockout" -- do?
Thank you so much for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All_Changes.result="lockout" filters all events in the datamodel where the value for result attribute in the datamodel called 'All_Changes" is "lockout"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok great thank you very much.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
