- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- search command to select specific fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the search command to search for a disk monitor log such you do in a database. for example, I would like to pick up just the physical reads/sec events.
I just know how to come up with the event count.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the fields are already being extracted, and you're trying to search on a specific value, you can just add that field to your search, e.g., sourcetype=databaselog foo=123. You should also be able to see that field in the field picker at the left side of the screen.
If you don't see the fields you're looking for, they probably are not being extracted yet. Assuming that is the case, then you have a few options:
- Define a new field extraction so that the field is always there.
- Use the `rex` command to do a one-time extraction within your search results.
- If the data is in table form, use `multikv` to split out the events.
Take a look through the User Manual at http://www.splunk.com/base/Documentation/ -- there's a lot of good information there on this sort of thing.
To get you started, try these:
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Multikv
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Rex
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/SearchCheatSheet
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes. That´s it. Basically, I am trying to create a line chart where I can display... let's say ... when was the pick of disk writting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not quite clear on what you are trying to do. Are you trying to display a single field in the results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the fields are already being extracted, and you're trying to search on a specific value, you can just add that field to your search, e.g., sourcetype=databaselog foo=123. You should also be able to see that field in the field picker at the left side of the screen.
If you don't see the fields you're looking for, they probably are not being extracted yet. Assuming that is the case, then you have a few options:
- Define a new field extraction so that the field is always there.
- Use the `rex` command to do a one-time extraction within your search results.
- If the data is in table form, use `multikv` to split out the events.
Take a look through the User Manual at http://www.splunk.com/base/Documentation/ -- there's a lot of good information there on this sort of thing.
To get you started, try these:
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Multikv
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Rex
http://www.splunk.com/base/Documentation/4.1.5/SearchReference/SearchCheatSheet
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, I should have thought of it earlier, but is your data in table form (header row plus multiple lines)? If so, you can save a lot of effort by just using the multikv command, also added above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know enough to speak either way about the virtual class, but it might be an option. If you're trying to learn the search language, a good place to start is with the searches that are bundled with Splunk and with various apps. Install a couple of apps and take a look at how they wrote their searches, and maybe that will help you come up with ideas on how to approach different problems. Another great place to start is with the Search Cheat Sheet -- I've edited the post above to add the link.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you southeringtonp I have already read a some of the documentation, but i still got doubts about the search language. Despite the splunk documantation, the other source to study is the splunk virtual class, right ? Is it really good to start ???
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
