Splunk ~ commands made easy
Some nice features I use a lot that are really useful.
Read more about big data here: Monitoring with Big Data ~ Splunk
When trying to rename a field:
rename fieldA AS newname, fieldB AS b | table newname, b
Search & Replace
# Search for "DEBUG:" and remove everything after it in the field error
rex mode=sed field=error "s/DEBUG%3A.*$//"
# Search and replace encoded characters with sed
rex mode=sed "s/\%20|\%3B|\%23|\%21|\%29|\%28|\%0A|\%09|\%5/ /g"
# Show encoded characters the proper way within the field error and show it as a new field called error_decoded
Only show up to 150 characters from a field (to increase visibility overall)
| eval error_shortened=substr(error,1,150)
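To check what these rex/eval steps do to a value before running them in Splunk, here is an added Python emulation of the error-field pipeline above (not Splunk code and not from the original post): the DEBUG%3A cut, the blanket sed replacement (with the post's truncated final %5 token left out) next to real URL decoding for error_decoded, and the 150-character substr. The sample error value is constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample value for the "error" field (not from the original post).
SAMPLE_ERROR = "Login%20failed%3B%20user%3Dbob%20DEBUG%3A%20stack%20trace%20follows..."


def strip_debug(error: str) -> str:
    """Emulates: rex mode=sed field=error "s/DEBUG%3A.*$//" """
    return re.sub(r"DEBUG%3A.*$", "", error)


def sed_blank_encoded(error: str) -> str:
    """Emulates the blanket sed replacement from the post (the truncated %5
    token is omitted). Every listed percent-sequence becomes a space, so
    %3B (';') is lost and anything not on the list, e.g. %3D ('='), stays encoded."""
    return re.sub(r"%20|%3B|%23|%21|%29|%28|%0A|%09", " ", error)


def decode_properly(error: str) -> str:
    """The proper way: real URL decoding keeps the original characters.
    Splunk's eval urldecode() does the same job; this is the Python equivalent."""
    return unquote(error)


def shorten(error: str, n: int = 150) -> str:
    """Emulates: eval error_shortened=substr(error,1,n)"""
    return error[:n]


def pipeline(error: str) -> dict:
    """Runs the three steps and returns the fields the SPL would produce."""
    stripped = strip_debug(error)
    decoded = decode_properly(stripped)
    return {
        "error_sed": sed_blank_encoded(stripped),   # lossy: ';' and '=' gone or still encoded
        "error_decoded": decoded,                   # faithful: "Login failed; user=bob "
        "error_shortened": shorten(decoded),
    }


if __name__ == "__main__":
    for name, value in pipeline(SAMPLE_ERROR).items():
        print(f"{name}={value!r}")
```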
Splunk Forwarder blacklist regex
[monitor:///var/log]
blacklist = \.(gz|bz2|z|zip)$
Combining results into one field.
table GameId, GamePlayerId | mvcombine delim="," GamePlayerId
The example above will give you a list like this:
| GameId | GamePlayerId |
| RumourHasIt | 12334, 54353, 54578, 78453 |
| GamePig | 43243, 425634, 3242, 5636 |
| TacticalGear | 43255, 3242, 6623, 3332 |
transaction sid | chart avg(duration) as AvgDuration | eval AvgDuration=round(AvgDuration,0)
Posted on: Thursday 12 November 2015