how to find what commands in the search language a...

harishsplunk7 · ‎11-06-2023

I want to list what commands in the search language are being used. I think its possible in the same _audit index and I want to be able to do is count the number of times each command is used in search

Example :

stats used 2 time

eval used 5 times

rex used 7 time

timechart used 10 time

richgalloway · ‎11-06-2023

There is a REST endpoint, /services/search/v2/parser, you may be able to use to parse queries into the commands used. It requires the POST method so it will have to be used from a script (not from the UI). See https://docs.splunk.com/Documentation/Splunk/9.1.1/RESTREF/RESTsearch#search.2Fv2.2Fparser

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎11-06-2023

You could start with something like this:

index=_audit
| rex max_match=0 field=search "\|\s*(?<command>\w+)"
| stats count by command

However, you may get some false results if pipes are used in the search where they are not delimiting commands. Also, you may find that macros hide the use of some commands.

harishsplunk7 · ‎11-06-2023

Thank you, I am getting the result but unwanted fields are coming like jira, macro, filename. How to get rid of this from result

ITWhisperer · ‎11-06-2023

| where command!="jira" AND command!="macro" AND command!="filename"

how to find what commands in the search language are being used

chart

count

eval

field extraction

fields

join

lookup

metadata

regex

stats

table

timechart

tstats

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake