Alex's Slip-box

These are my org-mode notes in a sort of Zettelkasten style



Splunk’s documentation isn’t great in terms of discoverability. This is a cheatsheet for Splunk’s query language that I’ve found useful and might need again. Some of these examples are from the Splunk docs.


There are at least two ways to match a field value against a prefix or wildcard. Like many other things, multiple terms can be chained with AND / OR.

  1. host=foo*
  2. | where like(host, "foo%")

One caveat: the search form (1) compares field values case-insensitively, while like() inside where (2) is case-sensitive, so "FOO-web01" matches the first and not the second. Wrap the field in lower() if that matters.
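The difference between the two forms, shown as an added example that is not part of the original note. The input rows are constructed inline with makeresults (the host names are made up), so this runs without any indexed data:

```spl
| makeresults count=4
| streamstats count AS n
| eval host=case(n==1, "foo-web01", n==2, "FOO-web02", n==3, "barfoo", true(), "foo")
| eval like_match=if(like(host, "foo%"), "yes", "no")
| search host=foo*
| table host like_match
```

Three rows survive the search-command filter (foo-web01, FOO-web02, foo), but like_match is "no" for FOO-web02: the search command ignored case, like() did not. barfoo is dropped by both, since neither form matches in the middle of the value.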

# Pie charts

Use ...| stats count by source in the query. Check out the Statistics and Visualization tabs.

Another way, if you have a computed value…

... | chart avg(bytes) over source

source provides the pie slices; each slice's size is that source's avg(bytes) as a percentage of the sum of avg(bytes) over all sources.


# Count based on a computed value

Pipe to eval and use the if() or case() function to set a field, then count by that field.

| eval version=if((like(uri_path, "%/v2/%")), "V2", "V1") | stats count by version

With that you can view as pie chart.


# Timechart

... | timechart span=1h count by status

This buckets events into one-hour spans and produces one series per status value; the Visualization tab renders it as a line or column chart over time.

# Sorting

Here is an example of sorting the counts in descending order. ... | stats count by source | sort -count

Note that sort stops after 10000 results by default; use sort 0 -count to sort everything.
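An added example (not from the original note) that puts the two ideas above together: classify a computed field with case() rather than a single if(), count by it, and sort the result for a pie chart. The status values are constructed inline with makeresults; the eventstats/pct step is an addition so the percentages the pie would show are visible in the Statistics tab too.

```spl
| makeresults count=8
| streamstats count AS n
| eval status=case(n<=4, 200, n<=6, 404, n==7, 500, true(), 503)
| eval class=case(status>=500, "5xx", status>=400, "4xx", status>=200, "2xx", true(), "other")
| stats count BY class
| eventstats sum(count) AS total
| eval pct=round(100*count/total, 1)
| sort 0 -count
| table class count pct
```

The result is 2xx 4 50.0, then 4xx and 5xx with 2 and 25.0 each. case() evaluates its conditions in order and returns the first match, so the broadest bucket goes last and the true() clause catches anything the others miss.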

# dedup

You can dedup based on one or more fields: ... | dedup source

# Using a computed value

... | eval group=if(action="api/wigets#show", -1, random()) | dedup group http_referrer

Events whose action matches all get the same group (-1), so dedup collapses them to one event per http_referrer. Every other event gets a random group, so they are effectively never deduplicated and all pass through. dedup keeps the first event it sees, which in a normal search is the most recent one.
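The same trick run on constructed input, as an added example that is not part of the original note. The action and referrer values are made up; the group/dedup pipe is the one from the note.

```spl
| makeresults count=6
| streamstats count AS n
| eval action=if(n<=4, "api/wigets#show", "api/wigets#index")
| eval http_referrer=if(n%2==0, "https://a.example", "https://b.example")
| eval group=if(action="api/wigets#show", -1, random())
| dedup group http_referrer
| table n action http_referrer group
```

Of the four show events (two per referrer) only n=1 and n=2 survive, one per referrer; both index events (n=5 and n=6) survive because their random group values differ. The random() approach is not strictly safe, since two events could in principle draw the same value and collide with an equal referrer, but for ad hoc analysis the odds are negligible.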

# Using a time bin

# Math functions
