Splunk’s documentation isn’t great in terms of discoverability. This is a cheatsheet for Splunk’s query language that I’ve found useful and might need again. Some of these examples are from the Splunk docs.
There are at least two ways. Like many other things, multiple terms can be
| where like(host, "foo%")
# Pie charts
Use ...| stats count by source in the query. Check out the
Another way if you have a computed value…
... | chart avg(bytes) over source
Each source is a pie slice, while the slice size is determined by its percentage of the sum of
# Count based on a computed value
Use case statements and pipe to eval to set a variable.
| eval version=if((like(uri_path, "%/v2/%")), "V2", "V1") | stats count by version
With that you can view it as a pie chart.
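As an added example (not from the original cheatsheet), here is a search that uses case() instead of if() to bucket HTTP status codes into classes before counting them. The index, sourcetype and the status field are assumptions about how your web logs are parsed; true() is the catch-all final condition that case() falls through to.

```spl
index=web sourcetype=access_combined
| eval status_class=case(status>=500, "server_error", status>=400, "client_error", status>=300, "redirect", status>=200, "success", true(), "other")
| stats count by status_class
| sort -count
```

The conditions are evaluated in order, so the first match wins and the ranges do not need upper bounds. The result feeds the same pie chart visualization as the stats count by version example, and sort -count orders the slices by size in the statistics table; a sudden growth of the client_error slice relative to its usual share is a cheap first signal of scanning or credential-guessing traffic worth drilling into.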
... | timechart span=1h count by status
Here is an example of sorting the counts in descending order.
... | stats count by source | sort -count
You can dedup based on one or more columns.
... | dedup source
# Using a computed value
... | eval group=if(action="api/wigets#show", -1, random()) | dedup group http_referrer
# Using a time bin
... | bin span=1h _time | dedup source _time
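An added example, not part of the original cheatsheet, that combines a time bin with dedup to keep one failed-login event per source address per hour. The index, sourcetype, the "Failed password" search term and the field names src_ip and user are assumptions that depend on how your authentication logs are parsed.

```spl
index=auth sourcetype=linux_secure "Failed password"
| eval event_time=_time
| bin span=1h _time
| dedup src_ip _time
| table _time event_time src_ip user
```

bin overwrites _time with the start of the hour, which is exactly what makes dedup treat every event from one address within the same hour as a duplicate of the first one; the eval beforehand preserves the original timestamp so the table still shows when the kept event actually happened. This is useful for noise reduction in an alert that should fire at most once per address per hour. If you want the number of attempts per hour and address instead of one representative event, replace the dedup line with stats count by _time, src_ip.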