Getting Data In

I can see only Splunk example queries and no example output results. Is there a document which has both example queries and the sample outputs?

gannysplunk
New Member

I can see only Splunk example queries and no example output results. Is there a document which has both example queries and the sample outputs? So it will be easy to understand by seeing the output samples as well.

The below is an example for abstract, but no output results are provided:

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Abstract

0 Karma

niketn
Legend

@gannysplunk, Splunk Docs provides example queries with the expectation that you will be providing the main/base search depending on the data that you have indexed, which may vary for different Splunk instances.

If you are trying to pick up the Splunk Processing Language (Splunk Searching), you can refer to:
1) Splunk Documentation for the Search Tutorial, which lists out the step-by-step process of adding some sample mock data to Splunk, then creating a Splunk Search to analyze the data, and finally creating an Alert/Report/Dashboard depending on the needs.
2) You can attend the free e-learning course from Splunk called Splunk Fundamentals 1, which should cover the same process as above as a video-based e-learning course.
3) For a specific query with any SPL which does not seem clearly explained through the Splunk Documentation, you can search on Splunk Answers as well. Most of the time the community members provide run-anywhere examples based on Splunk's _internal index (which Splunk uses to monitor itself). For example, here is one of my older posts on abstract command usage: https://answers.splunk.com/answers/628510/help-to-build-the-query-using-abstract-command.html

As per your question around the abstract command: it returns a summary of the _raw data instead of the complete event data, based on maxlines and maxterms. PS: I have also used the maxterms argument for the abstract command because most of the time _internal logs are single line.

index=_internal sourcetype=splunkd log_level!=INFO
| abstract maxlines=1 maxterms=20

Provided you have access to search the _internal index, the above is a run-anywhere example which should give some output. In order to see the difference in the _raw events in the output, you can try the same base search without the second pipe with abstract, i.e.

index=_internal sourcetype=splunkd log_level!=INFO

Please try it out and confirm if you need further help!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
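An added run-anywhere example that is not part of the original answer and does not depend on access to the _internal index: it builds one mock multi-line event with makeresults (the log lines are made up, and urldecode("%0A") is used to insert a newline between them) and then summarises it with abstract.

```spl
| makeresults
| eval _raw = "ERROR TcpOutputProc - Connection to host=example-indexer:9997 failed" . urldecode("%0A")
            . "WARN  TailReader - File too small to check seekcrc, probably truncated" . urldecode("%0A")
            . "ERROR TcpOutputProc - Connection to host=example-indexer:9997 failed" . urldecode("%0A")
            . "INFO  Metrics - group=queue name=parsingqueue max_size_kb=512"
| abstract maxlines=2 maxterms=20
```

Run it once with and once without the final abstract line to compare the full four-line _raw with the two-line summary that abstract keeps.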

gannysplunk
New Member

@niketnilay thanks for answering me. Will check with mock data and work with that to practice the queries.

0 Karma

niketn
Legend

@gannysplunk for the abstract command you can definitely try the run-anywhere search example based on Splunk's _internal index. If it works, do accept/upvote the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma