Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to document a Splunk query

sonam
Explorer
‎08-08-2011 11:22 PM

I am writing a Splunk query to search logs generated by a middleware system for anything 'exceptional'. Basically, the approach I'm taking is filtering out entries for 'known issues'. Anything left behind is then an 'unknown issue' by definition (and worthy of attention). The Splunk query examines the previous day's logs each night and emails results for review in the morning.

The query looks like this... as you can see, it just a large set of 'NOT' terms: 

index=middleware
NOT SalesForce* 
NOT SSL_DEBUG
NOT "Cache cleared for service *" 
NOT "Service Thread Pool" 
...
(20 more exclusions and growing)
...

My questions :

  1. How can I document this query?
    Specifically, I'd like to explain each 'NOT' exclusion above.

  2. Is this a reasonable approach for reviewing logfiles?
    My Splunk admin is concerned about the performance impact of 'NOT' terms.
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎08-09-2011 08:15 AM

You could add it into savedsearches.conf, and then just add the comments in above that, specifying they are comments by beginning each comment line with a # symbol. In terms of a query expense, your returning the entire set of results, and then filtering based on that. It is better if you can specify a time frame, and the results that you'd like to see being as specific as possible prior to filtering out events.

0 Karma
Reply

sonam
Explorer
‎09-07-2011 12:12 AM

My impression is there is no functionality available to a Splunk end-user, to document Splunk artifacts in Splunk.

The only option seems to be to copy/paste the saved searches/events, etc... from Splunk into a Wiki or Word files or whatever knowledgebase you use, and document it there.

0 Karma
Reply

sonam
Explorer
‎08-12-2011 12:00 AM

Hmm. Thanks for that. You mentioned a configuration file (savedsearches.conf). However, I'm just a poor user, not a Splunk sysadmin so I don't have access to this file. (Am I wrong?) I can only save searches and event.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...