Splunk Search

Creating charts and Regex

jigneshjsoni71
New Member

I am using Splunk for first time and have been given following task

Create a document on the different kinds of charts and corresponding regular expressions.

Based on,

1. Month on month

2. Year on year

3. Week over week

4. Day of week

I have no idea what these charts are and how to create them. There is no one in the team who knows about Splunk. Can someone please throw some light on how to do this?

I know how to create Perl regex.

Thanks

0 Karma

aweitzman
Motivator

You need to use the pipe when you want to transform a result set, by doing stats, table, timechart, or some other transformation. It's not required after your host or sourcetype clauses because the time modifiers are terms to filter your initial results. You're not yet transforming the result set.

As for why you don't get results with earliest, I can't say. The obvious question is, are there actual events on that day? What happens when, instead of adding the earliest term to your search, you leave it off and instead use the time chooser on the search bar to filter your results?

0 Karma

jigneshjsoni71
New Member

Thanks for the reply. But when I use this syntax with earliest, it gives "No results found", and when I use it without earliest, I get a plethora of events.
When do I need to use `|`? How come it is not required after host OR sourcetype?

Thanks

0 Karma

aweitzman
Motivator

For events on other days, do something like this (for September 4, say):

host=e2pswer sourcetype=syslog earliest=9/4/2014:0:0:0 latest=9/5/2014:0:0:0

0 Karma

aweitzman
Motivator

If you want to include it on the search bar for a search for just today's events, do something like this:

host=e2pswer sourcetype=syslog earliest=+0@d

See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers for how to add time modifiers to your searches.

0 Karma

jigneshjsoni71
New Member

As I explained in my previous post, how can I get events for today's date?

How do I provide a command for that?

What I am showing here is what I tried and did not work. Please let me know how to use a command to get events for a date.

When I write `host=e2pswer sourcetype=syslog | fields - date_hour`

the search command is implied. So does it mean

`search(host=e2pswer sourcetype=syslog) | fields - date_hour`

Thanks

0 Karma


aweitzman
Motivator

date_hour is a value that represents the numerical hour that the event happened in. So stats count by date_hour would give you a chart where one column has the values 0-23, and the other column would have counts of events from those hours. I don't think that's what you're going for here.

0 Karma

aweitzman
Motivator

In your first search, you don't really want a pipe there, and you don't want to test an hour value against a date string. (And even if you did, the date string would need to be in quotes.)

For your second search, are you sure you have your date chooser set to "All Time"? What happens when you just do this:

host=e2pswer sourcetype=syslog

Do you get any results? If so, what happens when you change the date chooser to just use September 8, 2014?

0 Karma

jigneshjsoni71
New Member

If I want to find events for Sept 9, 2014, how do I provide that command?

I am using `host=e2pswer sourcetype=syslog | date_hour=Sep 8 2014`

This gives an error message: unknown command date

`host=e2pswer sourcetype=syslog | stats count by date_hour`

This gives a "No results found" error.

So please guide me on how to find events for a specified host and sourcetype for a specified date.

0 Karma

aweitzman
Motivator

There is not enough information to be able to help you with an answer.

First, please provide some sample data, and then describe in more detail what information out of it you want to graph. If you "have no idea" what I'm asking, then you should go back to the person who assigned you this task and ask them what it means.

Second, you'll likely be using Splunk's time-related commands and functions to generate charts, not regex. Regex is used in Splunk primarily to extract data into fields.

This might also help:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

0 Karma
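Pulling together the two answers above (the earliest/latest time-modifier syntax and the advice that the charts come from Splunk's time-related commands, while regex is for extracting fields), here is an added example that is not from this thread or from Splunk's documentation: a Simple XML dashboard with one panel per chart the original question asks for, plus one panel that uses rex to extract a field before charting it. Assumptions: the events live in `index=main` (the thread never names the index), the `timewrap` command is available (Splunk 6.x and later), and the sshd "Failed password" line format in the last panel is a constructed sample of what the rex extraction targets; `date_wday` is one of the default date fields Splunk creates alongside `date_hour`.

```xml
<dashboard>
  <label>Syslog activity on e2pswer: month on month, year on year, week over week, day of week</label>
  <!-- Added example, not from the thread. index=main is an assumption; change it to the index holding the syslog events. -->
  <row>
    <panel>
      <title>Month on month: events per calendar month, last 12 complete months</title>
      <chart>
        <search>
          <query>index=main host=e2pswer sourcetype=syslog | timechart span=1mon count</query>
          <earliest>-12mon@mon</earliest>
          <latest>@mon</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <title>Year on year: one series per year, plotted by month number</title>
      <chart>
        <search>
          <!-- strftime splits _time into year and month so each year becomes its own series over the same 12 x-axis buckets -->
          <query>index=main host=e2pswer sourcetype=syslog | eval year=strftime(_time, "%Y"), month=strftime(_time, "%m") | chart count over month by year</query>
          <earliest>-2y@y</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Week over week: daily counts, each of the last four weeks overlaid as its own series</title>
      <chart>
        <search>
          <!-- timewrap folds a daily timechart so consecutive 1-week spans line up on one seven-day axis -->
          <query>index=main host=e2pswer sourcetype=syslog | timechart span=1d count | timewrap 1w</query>
          <earliest>-4w@w</earliest>
          <latest>@w</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>Day of week: which weekday generates the most events over the last 30 days</title>
      <chart>
        <search>
          <!-- date_wday is a default field (monday, tuesday, ...), so no regex is needed for this chart -->
          <query>index=main host=e2pswer sourcetype=syslog | stats count by date_wday | sort - count</query>
          <earliest>-30d@d</earliest>
          <latest>@d</latest>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Where regex fits: failed SSH logins per user, daily, last 7 days</title>
      <chart>
        <search>
          <!-- rex extracts user and src_ip from a constructed sshd line such as:
               "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
               The angle brackets of the named groups are XML-escaped because this lives inside Simple XML. -->
          <query>index=main host=e2pswer sourcetype=syslog "Failed password" | rex "Failed password for (invalid user )?(?&lt;user&gt;\S+) from (?&lt;src_ip&gt;\d+\.\d+\.\d+\.\d+)" | timechart span=1d count by user</query>
          <earliest>-7d@d</earliest>
          <latest>@d</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Save this as a dashboard in Splunk Web (Dashboards, Create New Dashboard, then edit Source and paste) and it renders as five panels; each panel's `<earliest>`/`<latest>` pair uses the same relative time-modifier syntax as `earliest=+0@d` in the answer above, so the "for a specific date" case is just `<earliest>9/4/2014:0:0:0</earliest>` with `<latest>9/5/2014:0:0:0</latest>`. Only the last panel needs a regex, and only because the user name is not already a field; the four date-based charts work on `_time` and the default `date_*` fields alone.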


aweitzman
Motivator

If you are asking questions about things like index, host and sourcetype I would highly recommend going through the tutorial documentation:

http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

0 Karma

jigneshjsoni71
New Member

I don't see the syntax for index anywhere in the manual. So when I write host, sourcetype, does it mean it's an index?

host=e2pswer, is it an index, where host means index and e2pswer means the name for this index?

0 Karma

jigneshjsoni71
New Member

index=|| timechart span= by

I am confused with this syntax. Please provide a sample from which I can build.

Thanks

0 Karma