Splunk ~ commands made easy

Some nice features I use a lot that are really useful.

Read more about big data here: Monitoring with Big Data ~ Splunk

When trying to rename a field:

rename fieldA AS newname, fieldB AS b | table newname, b


Search & Replace

# Search the field error for "DEBUG:" (URL-encoded as DEBUG%3A) and remove it and everything after it
rex mode=sed field=error "s/DEBUG%3A.*$//"


# Search and replace URL-encoded characters with sed (each listed sequence becomes a space)
rex mode=sed "s/\%20|\%3B|\%23|\%21|\%29|\%28|\%0A|\%09|\%5/ /g"

# Show the encoded characters decoded properly within the field error, as a new field called error_decoded
eval "error_decoded"=urldecode(error)
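As an added Python illustration (not from the original post), the three search-and-replace commands above are emulated on a constructed error value, so you can see what the hand-maintained sed list leaves behind or mangles compared with urldecode:

```python
import re
from urllib.parse import unquote

# Constructed sample value for the "error" field (not taken from the post):
# URL-encoded the way a web-tier log might carry it, with a DEBUG trailer.
SAMPLE_ERROR = "Login%20failed%3B%20user%3DDOMAIN%5Cbob%0ADEBUG%3A%20stack%20trace"

# Emulates: rex mode=sed field=error "s/DEBUG%3A.*$//"
def strip_debug_suffix(error: str) -> str:
    return re.sub(r"DEBUG%3A.*$", "", error)

# Emulates: rex mode=sed "s/\%20|\%3B|\%23|\%21|\%29|\%28|\%0A|\%09|\%5/ /g"
# (the post's sed has no field=, so in Splunk it would run on _raw;
# it is applied to the error value here so the results are comparable)
LISTED = re.compile(r"%20|%3B|%23|%21|%29|%28|%0A|%09|%5")

def replace_listed(error: str) -> str:
    return LISTED.sub(" ", error)

# Emulates: eval error_decoded=urldecode(error)
def decode(error: str) -> str:
    return unquote(error)

def unhandled_sequences(text: str) -> list:
    """Percent-encoded sequences still present after the sed pass:
    a quick check of how complete the replacement list is."""
    return sorted(set(re.findall(r"%[0-9A-Fa-f]{2}", text)))

if __name__ == "__main__":
    stripped = strip_debug_suffix(SAMPLE_ERROR)
    print("sed list  :", repr(replace_listed(stripped)))
    print("leftovers :", unhandled_sequences(replace_listed(stripped)))
    print("urldecode :", repr(decode(stripped)))
```

The sed list leaves %3D in place and its trailing `%5` alternative eats only the first two characters of %5C, whereas urldecode restores the original text.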


Only show up to 150 characters from a field (to increase visibility overall)

| eval error_shortened=substr(error,1,150)


Splunk Forwarder blacklist regex (inputs.conf monitor stanza, skips compressed files)

blacklist = \.(gz|bz2|z|zip)$


Combining results into one field.

table GameId, GamePlayerId | mvcombine delim="," GamePlayerId

The example above will give you a list like this:

GameId        GamePlayerId
RumourHasIt   12334, 54353, 54578, 78453
GamePig       43243, 425634, 3242, 5636
TacticalGear  43255, 3242, 6623, 3332



Rounding Results

transaction sid | chart avg(duration) as AvgDuration | eval AvgDuration=round(AvgDuration,0)


Posted on: Thursday 12 November 2015