Should I make a table from the log file for searching? As I don't know the field names, how can I make a search which is related to any field?
Well, it's hard to give you specific instructions - like I said, it seems to me you haven't grasped the basic concepts yet. Splunk extracts fields mainly at search time. This can be done in all kinds of ways, more or less regardless of how the input data is formatted. You don't need to put your data in any special format, as long as it's possible to formulate rules on how Splunk should make sense of it.
This is the first time I'm using Splunk, and I'm trying to understand it. I'm facing some problems implementing what is written in the tutorials; that's why I'm asking for help.
What MHibbin and kristian.kolb said - you should probably start with the Splunk tutorial so you understand the basics of how Splunk works. After you've understood that, you can continue on to solving your problem.
And the question is: how many different users access Facebook? And who accesses it most?
You should start with the documentation, very useful...
Specifically, look at field extractions...
You can format your results in a table from there if you feel it will make the results easier to understand, or you can leave them raw and use your field extractions for searching/filtering. It's really up to you and your business (assuming that's the driver) requirements.
You'll need to extract the text in the log file into fields.
This can be done in several ways, sometimes automatically. If you post a few sample events from your log, you will get better help here. Also please describe the kind of output you want.
And don't forget to read the documentation.
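To show what "extract the text into fields" means for the question asked above (distinct Facebook users, and the most active one), here is an added Python example that is not from this thread or from Splunk: it applies one regex as a search-time extraction rule, the way a Splunk field extraction or the rex command would, over constructed proxy-style log lines in an assumed format, and then computes the two answers.

```python
import re
from collections import Counter

# Constructed sample proxy-style log lines (assumed format, not from the thread):
# "<date> <time> <user> <client_ip> <url>"
SAMPLE_LOG = """\
2013-06-22 10:01:02 alice 10.0.0.5 http://www.facebook.com/home
2013-06-22 10:01:09 bob 10.0.0.7 http://www.google.com/search?q=splunk
2013-06-22 10:02:15 alice 10.0.0.5 http://www.facebook.com/messages
2013-06-22 10:03:40 carol 10.0.0.9 http://m.facebook.com/
2013-06-22 10:04:01 bob 10.0.0.7 http://www.facebook.com/
2013-06-22 10:05:22 dave 10.0.0.11 http://www.example.com/
"""

# Search-time extraction rule: one regex that turns a raw line into named fields.
# Nothing about the stored data changes; the fields exist only when the rule runs.
EVENT_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+) (?P<user>\S+) (?P<client_ip>\S+) (?P<url>\S+)$"
)


def extract_fields(raw_line):
    """Return a dict of fields for one event, or None if the line does not match."""
    m = EVENT_RE.match(raw_line)
    return m.groupdict() if m else None


def facebook_stats(log_text, keyword="facebook"):
    """Distinct users who accessed the keyword site, and the most active one."""
    # Cheap keyword filter on the raw text first (the equivalent of putting
    # "facebook" in the base search), then extract fields only from survivors.
    hits = [extract_fields(line) for line in log_text.splitlines() if keyword in line]
    hits = [e for e in hits if e is not None]
    per_user = Counter(e["user"] for e in hits)
    top_user, top_count = per_user.most_common(1)[0] if per_user else (None, 0)
    return {"distinct_users": len(per_user), "top_user": top_user, "top_count": top_count}


if __name__ == "__main__":
    print(facebook_stats(SAMPLE_LOG))
```

In Splunk terms the same pipeline is a keyword in the base search, a rex or saved field extraction for `user`, and `stats dc(user)` plus `stats count by user | sort -count`.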
Nope, you can search using a where clause and then make a table for a better view of the result.
You can also place your keyword in the search itself, which will give you the results where the words are found.
index=N sourcetype=S "Keyword" | table Fields..
index=N sourcetype=S | where like(field, "%Keyword%") | table Fields..
Note that the second search would have horrible performance. What it does is it tells Splunk to grab ALL events in the N index with sourcetype S from disk, and AFTER they've been read it starts filtering. There's really no reason to do it this way - the first suggestion is much better.