Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- search command to select specific fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Caio_Santos
Path Finder
09-15-2010
02:32 PM
What is the search command to search for a disk monitor log such you do in a database. for example, I would like to pick up just the physical reads/sec events.
I just know how to come up with the event count.
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
southeringtonp
Motivator
09-15-2010
02:50 PM
If the fields are already being extracted, and you're trying to search on a specific value, you can just add that field to your search, e.g., sourcetype=databaselog foo=123. You should also be able to see that field in the field picker at the left side of the screen.
If you don't see the fields you're looking for, they probably are not being extracted yet. Assuming that is the case, then you have a few options:
- Define a new field extraction so that the field is always there.
- Use the `rex` command to do a one-time extraction within your search results.
- If the data is in table form, use `multikv` to split out the events.
Take a look through the User Manual at http://www.splunk.com/base/Documentation/ -- there's a lot of good information there on this sort of thing.
To get you started, try these:
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Multikv
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Rex
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/SearchCheatSheet
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Caio_Santos
Path Finder
09-15-2010
04:38 PM
yes. That´s it. Basically, I am trying to create a line chart where I can display... let's say ... when was the pick of disk writting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ftk
Motivator
09-15-2010
02:55 PM
Not quite clear on what you are trying to do. Are you trying to display a single field in the results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
southeringtonp
Motivator
09-15-2010
02:50 PM
If the fields are already being extracted, and you're trying to search on a specific value, you can just add that field to your search, e.g., sourcetype=databaselog foo=123. You should also be able to see that field in the field picker at the left side of the screen.
If you don't see the fields you're looking for, they probably are not being extracted yet. Assuming that is the case, then you have a few options:
- Define a new field extraction so that the field is always there.
- Use the `rex` command to do a one-time extraction within your search results.
- If the data is in table form, use `multikv` to split out the events.
Take a look through the User Manual at http://www.splunk.com/base/Documentation/ -- there's a lot of good information there on this sort of thing.
To get you started, try these:
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Multikv
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Rex
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/SearchCheatSheet
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
southeringtonp
Motivator
09-15-2010
05:56 PM
Also, I should have thought of it earlier, but is your data in table form (header row plus multiple lines)? If so, you can save a lot of effort by just using the multikv command, also added above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
southeringtonp
Motivator
09-15-2010
05:51 PM
I don't know enough to speak either way about the virtual class, but it might be an option. If you're trying to learn the search language, a good place to start is with the searches that are bundled with Splunk and with various apps. Install a couple of apps and take a look at how they wrote their searches, and maybe that will help you come up with ideas on how to approach different problems. Another great place to start is with the Search Cheat Sheet -- I've edited the post above to add the link.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Caio_Santos
Path Finder
09-15-2010
04:53 PM
Thank you southeringtonp I have already read a some of the documentation, but i still got doubts about the search language. Despite the splunk documantation, the other source to study is the splunk virtual class, right ? Is it really good to start ???
Get Updates on the Splunk Community!
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
