splunk
Enterprise log consumption and analysis.
Examples
Get a list of indexes
Get a list of sourcetypes
CFEngine runs per hour by version
source="/var/log/messages" OR source="udp:514" "Starting CFEngine" earliest="-1w" | rex "Starting CFEngine (?<version>3\.[0-9]+\.[0-9]+).*" | timechart span=4h usenull=0 dc(host) by version
Strip domain from hostname for consistent UQDNs
Count of records per hour by host
Count of records per source by 5m with no limit on list
Count of records per source with a given list
earliest="-1d" source="/var/log/messages" OR source="udp:10514" OR source="udp:514" | timechart count by source
Count of records per splunk server for a given time period
Stupidly, Splunk doesn't support ISO date format by default (in the version I'm using).
Order number of hits for a given string by an extracted IP address
earliest="7/6/2015:9:30:0" "verifying pingback from" | rex "verifying pingback from (?<pingback_source_ip>[0-9\.]*)\"" | stats count(_raw) as pingback_source_ip_total by pingback_source_ip | sort pingback_source_ip_total desc
Order an RPM report
Given a report where RPM fields are exported as field="value", such as:
rpm -qa --queryformat 'report="rpm", name="%{NAME}", release="%{RELEASE}", version="%{VERSION}", packager="%{PACKAGER}", url="%{URL}", installtime="%{INSTALLTIME}"\n'
This search in splunk will show a useful table:
earliest="-1d" report="rpm" | dedup name | eval install_timestamp = strftime(installtime, "%F %T.%3N") | sort installtime desc | table host,name,version,release,install_timestamp
See also:
- http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
- http://answers.splunk.com/answers/140493/timestamp-contain-t-between-date-and-time.html#answer-140495
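As an added illustration (not code from the original page), the Python below reproduces what the search above does on a few constructed rpm-report events: the key="value" extraction, dedup keeping the newest event per package, the strftime formatting, and the sorted table. It dedups per host as well as per name, because dedup name on its own keeps only one row per package name across all hosts; timestamps are rendered in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the key="value" format produced by the rpm
# command above, newest first (the order Splunk hands results to dedup).
# Hosts, packager and timestamps are made up for this example.
SAMPLE_EVENTS = [
    ("web1", 'report="rpm", name="openssl", release="4.el7", version="1.0.2k", '
             'packager="Example Build", url="http://www.openssl.org/", installtime="1498953600"'),
    ("web1", 'report="rpm", name="bash", release="33.el7", version="4.2.46", '
             'packager="Example Build", url="http://www.gnu.org/software/bash", installtime="1498867200"'),
    ("web1", 'report="rpm", name="openssl", release="3.el7", version="1.0.1e", '
             'packager="Example Build", url="http://www.openssl.org/", installtime="1496275200"'),
    ("db1",  'report="rpm", name="bash", release="33.el7", version="4.2.46", '
             'packager="Example Build", url="http://www.gnu.org/software/bash", installtime="1498089600"'),
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def extract_fields(raw):
    """Pull key="value" pairs out of an event, as Splunk's automatic extraction does."""
    return dict(KV_RE.findall(raw))

def splunk_strftime(epoch):
    """Equivalent of strftime(installtime, "%F %T.%3N"), rendered in UTC."""
    dt = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + ".%03d" % (dt.microsecond // 1000)

def rpm_report(events):
    """report="rpm" | dedup host name | eval install_timestamp | sort installtime desc | table"""
    seen = set()
    rows = []
    for host, raw in events:
        f = extract_fields(raw)
        if f.get("report") != "rpm":
            continue
        # dedup keeps the first event seen, i.e. the newest, so an upgraded
        # package shows only its current version
        if (host, f["name"]) in seen:
            continue
        seen.add((host, f["name"]))
        rows.append((host, f["name"], f["version"], f["release"],
                     int(f["installtime"]), splunk_strftime(f["installtime"])))
    rows.sort(key=lambda r: r[4], reverse=True)
    # table host,name,version,release,install_timestamp
    return [(h, n, v, r, ts) for h, n, v, r, _, ts in rows]

if __name__ == "__main__":
    for row in rpm_report(SAMPLE_EVENTS):
        print("%-6s %-10s %-8s %-8s %s" % row)
```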
Count of kernel versions
Assuming you have a report that sends kernel_version=$(uname -r):