Searching in Splunk gets really interesting once you know the most commonly used and most useful commands and tips. This Splunk cheatsheet will be handy for your daily operations or while troubleshooting a problem. Type these commands in the Splunk search bar to see the results you need.
List all the index names in your Splunk instance:
| eventcount summarize=false index=* | dedup index | fields index

List all the index names, including the internal indexes whose names start with an underscore. The second query uses the REST endpoint instead of eventcount:
| eventcount summarize=false index=* index=_* | dedup index | fields index
| rest /services/data/indexes | dedup title | table title

List all hosts that are logging to a particular index. In this example, we use apachelog as the index:
index=apachelog | table host | dedup host

List all hosts that log to an index, with the event count per host. You can replace the field name "host" with "ip" too, based on your need:
index=apachelog | stats count by host

Sort the events in the output by a field:
index=apachelog | sort host

Print the events in reverse order (ascending order based on time, oldest first):
index=apachelog | reverse

Print only the first 10 results from the event log:
index=apachelog | head 10

Return only the last 10 results from the event log:
index=apachelog | tail 10

How to search a pattern across multiple Splunk indexes in a single query. Examples:
index=apachelog OR index=jbosslog | stats count by host
index=apachelog OR index=jbosslog | search error

How to search a pattern and sort by count. This query sorts the results by the output field "count", highest first:
index=apachelog OR index=jbosslog | stats count by host | sort - count | head 15
index=apachelog OR index=jbosslog | top limit=15 host
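To make the semantics of the last two entries concrete without a Splunk instance, here is an added example (not part of the original cheatsheet and not Splunk code) that models the same pipeline stages in plain Python over a handful of constructed events: the multi-index OR filter, the free-text "search error" step, "stats count by host", "sort - count | head N", "top limit=N host", and the earlier "table host | dedup host". The event data, host names and index names are constructed for illustration; the percent column of "top" is rounded to two decimals as a simplification, and ties in count are broken alphabetically by host so the output is deterministic, which real Splunk does not promise.

```python
"""Added example: a small Python model of the SPL pipelines from this cheatsheet.

Stages modelled:
  index=a OR index=b            -> search_indexes()
  | search <term>               -> search_term()
  | stats count by host         -> stats_count_by_host()
  | sort - count | head N       -> sort_desc_head()
  | top limit=N host            -> top_host()
  | table host | dedup host     -> dedup_host()
This is not Splunk code; the events below are constructed sample data.
"""
from collections import Counter

# Constructed sample events as (index, host, _raw). Not real log data.
EVENTS = [
    ("apachelog", "web01", "GET /index.html 200"),
    ("apachelog", "web01", "GET /login 500 error"),
    ("apachelog", "web02", "GET /index.html 200"),
    ("jbosslog", "app01", "ERROR deployment failed"),
    ("jbosslog", "app01", "INFO server started"),
    ("jbosslog", "app02", "WARN slow query"),
    ("syslog", "db01", "error: disk full"),
]


def search_indexes(events, *indexes):
    """index=a OR index=b: keep events that belong to any of the named indexes."""
    wanted = set(indexes)
    return [e for e in events if e[0] in wanted]


def search_term(events, term):
    """| search <term>: keyword match on _raw. Splunk keyword search is
    case-insensitive, so 'error' also matches 'ERROR'."""
    needle = term.lower()
    return [e for e in events if needle in e[2].lower()]


def stats_count_by_host(events):
    """| stats count by host: one row per host with its event count."""
    return dict(Counter(e[1] for e in events))


def sort_desc_head(counts, n):
    """| sort - count | head n: highest count first, truncated to n rows.
    Ties are broken by host name here for determinism (an assumption)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_host(events, limit):
    """| top limit=N host: same rows as sort/head, plus the percent of all
    events each host accounts for (rounded to 2 decimals here)."""
    total = len(events)
    counts = stats_count_by_host(events)
    return [(host, c, round(100.0 * c / total, 2))
            for host, c in sort_desc_head(counts, limit)]


def dedup_host(events):
    """| table host | dedup host: first occurrence of each host, order kept."""
    seen, out = set(), []
    for e in events:
        if e[1] not in seen:
            seen.add(e[1])
            out.append(e[1])
    return out


if __name__ == "__main__":
    both = search_indexes(EVENTS, "apachelog", "jbosslog")
    print("hosts in apachelog:", dedup_host(search_indexes(EVENTS, "apachelog")))
    print("stats count by host:", stats_count_by_host(both))
    print("search error:", [e[2] for e in search_term(both, "error")])
    print("sort - count | head 15:", sort_desc_head(stats_count_by_host(both), 15))
    print("top limit=15 host:", top_host(both, 15))
```

The point the two cheatsheet entries make becomes visible here: "stats count by host | sort - count | head 15" and "top limit=15 host" return the same hosts in the same order, but only "top" adds the percent column, and neither sees the syslog event because it was excluded by the index filter at the front of the pipeline.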