I am using Splunk for the first time and have been given the following task:
Create a document on the different kinds of charts and corresponding regular expressions.
Based on:
1. Month on month
2. Year on year
3. Week over week
4. Day of week
I have no idea what these charts are or how to create them. There is no one in the team who knows about Splunk. Can someone please throw some light on how to do this?
I know how to create Perl regex.
Thanks
You need to use the pipe when you want to transform a result set, by doing stats, table, timechart, or some other transformation. It's not required after your host or sourcetype clauses because the time modifiers are terms to filter your initial results. You're not yet transforming the result set.
As for why you don't get results with earliest, I can't say. The obvious question is, are there actual events on that day? What happens when, instead of adding the earliest term to your search, you leave it off and instead use the time chooser on the search bar to filter your results?
Thanks for the reply. But when I am using this syntax with earliest, it gives "No results found", and when I use it without earliest, I am getting a plethora of events.
When do I need to use | ? How come it is not required after host OR sourcetype?
Thanks
For events on other days, do something like this (for September 4, say):
host=e2pswer sourcetype=syslog earliest=9/4/2014:0:0:0 latest=9/5/2014:0:0:0
If you want to include it on the search bar for a search for just today's events, do something like this:
host=e2pswer sourcetype=syslog earliest=+0@d
See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers for how to add time modifiers to your searches.
As I explained in my previous post, how can I get events for today's date?
How do I provide a command for that?
What I am showing here is what I tried, and it did not work. Please let me know how to use a command to get events for a date.
When I write host=e2pswer sourcetype=syslog | fields-date_hour
the search command is implied. So does it mean
search(host=e2pswer sourcetype=syslog) | fields-date_hour ?
Thanks
date_hour is a value that represents the numerical hour that the event happened in. So stats count by date_hour would give you a chart where one column has the values 0-23, and the other column would have counts of events from those hours. I don't think that's what you're going for here.
In your first search, you don't really want a pipe there, and you don't want to test an hour value against a date string. (And even if you did, the date string would need to be in quotes.)
For your second search, are you sure you have your date chooser set to "All Time"? What happens when you just do this:
host=e2pswer sourcetype=syslog
Do you get any results? If so, what happens when you change the date chooser to just use September 8, 2014?
If I want to find events for Sept 9, 2014, how do I provide that command?
I am using host=e2pswer sourcetype=syslog | date_hour=Sep 8 2014
This gives an error message: unknown command date
host=e2pswer sourcetype=syslog | stats count by date_hour
This gives a "No results found" error.
So please guide me on how to find events for a specified host and sourcetype for a specified date.
There is not enough information to be able to help you with an answer.
First, please provide some sample data, and then describe in more detail what information out of it you want to graph. If you "have no idea" what I'm asking, then you should go back to the person who assigned you this task and ask them what it means.
Second, you'll likely be using Splunk's time-related commands and functions to generate charts, not regex. Regex is used in Splunk primarily to extract data into fields.
This might also help:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart
You need to index data first in an index.
Then you can write a search:
index=
See the docs:
for regex:
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Rex
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/AboutSplunkregularexpressions
for timechart:
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Timechart
If you are asking questions about things like index, host and sourcetype I would highly recommend going through the tutorial documentation:
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
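To make concrete what the searches in this thread actually compute, here is an added example in Python (it is not code from the thread or from Splunk). It models a handful of constructed syslog events, the index/host/sourcetype filtering and earliest/latest windowing of the search bar, the automatic date_hour and date_wday fields, a rex-style field extraction with a named-group regex, and the bucketing behind a day-of-week, week-over-week, month-on-month or year-on-year chart. The host and sourcetype values come from the thread; the index name "main", the sshd message format and all timestamps are assumptions. The equivalent Splunk search is given in each function's docstring.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real data): (index, host, sourcetype, _raw).
# In Splunk these three metadata fields are assigned at index time; the raw
# text is the event. "main" as index name is an assumption.
RAW_EVENTS = [
    ("main", "e2pswer", "syslog", "2014-09-04T01:15:00 e2pswer sshd[101]: Failed password for root from 10.0.0.5"),
    ("main", "e2pswer", "syslog", "2014-09-04T01:42:00 e2pswer sshd[102]: Failed password for admin from 10.0.0.5"),
    ("main", "e2pswer", "syslog", "2014-09-04T13:05:00 e2pswer sshd[103]: Accepted password for alice from 192.168.1.20"),
    ("main", "e2pswer", "syslog", "2014-09-05T01:03:00 e2pswer sshd[104]: Failed password for root from 10.0.0.5"),
    ("main", "e2pswer", "syslog", "2014-09-08T09:30:00 e2pswer sshd[105]: Accepted password for bob from 192.168.1.21"),
    ("main", "e2pswer", "syslog", "2014-08-28T23:55:00 e2pswer sshd[106]: Failed password for root from 10.0.0.9"),
    ("main", "e2pswer", "syslog", "2013-09-04T01:10:00 e2pswer sshd[107]: Failed password for root from 10.0.0.7"),
    ("main", "webfront01", "access_combined", "2014-09-04T02:00:00 webfront01 httpd: GET /index.html 200"),
]

# Field extraction, the job regex does in Splunk. A rex command would use the
# PCRE form (?<name>...); Python's re module needs (?P<name>...).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def to_dt(value):
    """Accept an ISO timestamp string or a datetime."""
    return value if isinstance(value, datetime) else datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

def load_events(raw_events):
    """Build event dicts: metadata, _time from the leading timestamp, Splunk's
    automatic date_hour/date_wday fields, and any rex-extracted sshd fields."""
    events = []
    for index, host, sourcetype, raw in raw_events:
        ts = to_dt(raw.split(" ", 1)[0])
        ev = {"index": index, "host": host, "sourcetype": sourcetype, "_raw": raw,
              "_time": ts, "date_hour": ts.hour, "date_wday": ts.strftime("%A").lower()}
        m = SSHD_RE.search(raw)
        if m:
            ev.update(m.groupdict())
        events.append(ev)
    return events

def snap(dt, unit):
    """Snap-to-time like @d, @w, @mon, @y. Weeks start on Sunday, as @w does."""
    dt = dt.replace(minute=0, second=0, microsecond=0, hour=0)
    if unit == "d":
        return dt
    if unit == "w":
        return dt - timedelta(days=(dt.weekday() + 1) % 7)
    if unit == "mon":
        return dt.replace(day=1)
    if unit == "y":
        return dt.replace(month=1, day=1)
    raise ValueError(unit)

def search(events, earliest=None, latest=None, **terms):
    """index=main host=e2pswer sourcetype=syslog earliest=... latest=...
    Field terms AND together; earliest is inclusive and latest exclusive, so
    earliest=9/4/2014:0:0:0 latest=9/5/2014:0:0:0 is exactly one day."""
    out = []
    for ev in events:
        if any(ev.get(k) != v for k, v in terms.items()):
            continue
        if earliest is not None and ev["_time"] < to_dt(earliest):
            continue
        if latest is not None and ev["_time"] >= to_dt(latest):
            continue
        out.append(ev)
    return out

def stats_count_by(events, field):
    """| stats count by <field>   (date_hour, date_wday, or an extracted field)"""
    return dict(Counter(ev[field] for ev in events if field in ev))

def timechart_count(events, span):
    """| timechart span=<1d|1w|1mon|1y> count   -> {bucket start: count}
    span=1w is week over week, 1mon is month on month, 1y is year on year."""
    unit = {"1d": "d", "1w": "w", "1mon": "mon", "1y": "y"}[span]
    return dict(Counter(snap(ev["_time"], unit).strftime("%Y-%m-%d") for ev in events))

if __name__ == "__main__":
    base = search(load_events(RAW_EVENTS), index="main", host="e2pswer", sourcetype="syslog")
    print("Sept 4 events:", len(search(base, earliest="2014-09-04T00:00:00", latest="2014-09-05T00:00:00")))
    print("today (earliest=@d):", len(search(base, earliest=snap(datetime.now(), "d"))))
    print("by date_hour:", stats_count_by(base, "date_hour"))
    print("day of week:", stats_count_by(base, "date_wday"))
    print("week over week:", timechart_count(base, "1w"))
    print("month on month:", timechart_count(base, "1mon"))
    print("year on year:", timechart_count(base, "1y"))
    print("failed logins by source:", stats_count_by(search(base, action="Failed"), "src"))
```

The point of the split between search(), the count functions and the regex is the one made earlier in the thread: the regex only turns raw text into fields (action, user, src); the time filtering and the chart buckets come from the time modifiers and from stats/timechart over _time, not from the regex. Counting "Failed" per source address is the kind of chart a defender actually wants from this data.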
I don't see the syntax for index anywhere in the manual. So when I write host, sourcetype, does it mean it's an index?
host=e2pswer, is it an index, where host means index and e2pswer means the name for this index?
index=
I am confused by this syntax. Please provide a sample from which I can build.
Thanks