Splunk Search

table formation

Explorer

hi guyz,

should i make any a table from log file for searching? as i don't know the field name.. how can i make search which is related to any field?

abhi

Tags (1)
0 Karma

Communicator

Splunk do some excellent training courses, perhaps one of these may help you better than the free online manuals? - http://www.splunk.com/view/education/SP-CAAAAH9

0 Karma

Legend

Well hard to give you specific instructions - like I said to me it seems you haven't grasped the basic concepts yet. Splunk extracts fields mainly at search-time. This can be done in all kinds of ways more or less regardless of how the input data is formatted. You don't need to put your data in any special format, as long as it's possible to formulate rules on how Splunk should make sense of it.

Explorer

dear ayn
this is for the first time , m using splunk.. and try to understand this. and facing some problem what is written in the tutorials when m implementing it.. thatswhy m asking for help..
:)
thanks

0 Karma

Legend

What MHibbin and kristian.kolb said - you should probably start with the Splunk tutorial so you understand the basics of how Splunk works. After you've understood that, you can continue on to solving your problem.

Explorer

1 » 6/22/13
9:33:49.000 AM

2013 Jun 22 09:33:49 tracker1 httpproxy_access[41545]: 172.18.11.208 514 TCP_MISS/200 721POSThttp://www.facebook.com/ajax/like/tooltip.php? - DIRECT/31.13.72.17 application/x-javascript [acl=8] [cat=-] [err=-]host=Monotosh-PC Options| sourcetype=firsttime Options| source=firsttime.log Option

and the question is how many different user to access facebook? and who has access most?

0 Karma

Influencer

You should start with the documentation, very useful...

http://docs.splunk.com/Documentation/Splunk

Specifically, look at field extractions...

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

You can format your results in a table from there if you feel it will make the results easier to understand, or you can leave them raw and use your field extractions for searching/filtering. It's really up to you and your business (assuming that's the driver) requirements.

Ultra Champion

You'll need to extract the text in the log file into fields.
This can be done in several ways, sometimes automatically. If you post a few sample events from your log, you will get better help here. Also please describe the kind of output you want.

And don't forget to read the documentation.

http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial

Champion

Nope, you can search using where clause and then make a table for a better view of result.

You can also place your keyword in while mentioning the search , which will give you the result where the words are found in the result.

e.g.
index= N sourcetype=S "Keyword"|Table Fields..

OR

index= N sourcetype=S | where field like "%%Keyword%%"|Table Fields..

0 Karma

Legend

Note that the second search would have horrible performance. What it does it it tells Splunk to grab ALL events in the N index with sourcetype S from disk, and AFTER they've been read it starts filtering. There's really no reason to do it this way - the first suggestion is much better.

Explorer

hi ayn
i am asking that for searching, is it necessary to make a table format of the log file? as the attributes like (ip, url...) are required for searching.

abhi

0 Karma

Legend

I think you need to state your question more clearly. What do you want to do, what problems are you currently running into?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!