Searching in Splunk gets really interesting once you know the most commonly used and most useful commands and tips. This Splunk cheat sheet will be handy for your daily operations or while troubleshooting a problem. Type these commands in the Splunk search bar to see the results you need.

  1. List all the Index names in your Splunk Instance
    | eventcount summarize=false index=* | dedup index | fields index
  2. List all the index names in your Splunk instance, including the internal indexes (index=_*), using eventcount or the REST endpoint
    | eventcount summarize=false index=* index=_* | dedup index | fields index

    | rest /services/data/indexes | dedup title | table title
  3. List all hosts that are logging to a particular index. In this example, we use apachelog as the index.
    index=apachelog | table host | dedup host
  4. List all hosts that log to an index, with the event count per host. You can change the keyword “host” to “ip” too, based on your need.
    index=apachelog | stats count by host
  5. Sort by a field in the event output log
    index=apachelog | sort host
  6. Print the output event log in reverse order (ascending order based on time)
    index=apachelog | reverse
  7. Print only the first 10 results from the eventlog
    index=apachelog | head 10
  8. Return only the last 10 results from the event log
    index=apachelog | tail 10
  9. How to search for a pattern on multiple Splunk indexes in a single query? Examples:
    index=apachelog OR index=jbosslog | stats count by host

    index=apachelog OR index=jbosslog | search error
  10. How to search for a pattern and sort by count. This query will sort the results based on the output field “count”.
    index=apachelog OR index=jbosslog | stats count by host | sort -count | head 15

    index=apachelog OR index=jbosslog | top limit=15 host