Splunk commands

where

• search command to compare two fields
• Possibility to use functions
  • isnotnull()
  • isnull()
  • like()
  • ….

# compare two field values
index=_index
| where a > b

# search for wildcards
index=perfmon counter=* 
| where counter like “%Disk%”

... | where like(ipaddress, "198.%")

# search for string in field
... | where foo="bar"

Metadata

When you want to know the time data were writen to an Index/sourcetype you can use metadata.

# show the metadata lastTime, firstTime and recentTime for the sourcetype
| metadata type=sourcetypes index=_internal 

# format the output to human readable
| metadata type=sourcetypes index=_internal 
| rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" 
| fieldformat Count=tostring(Count, "commas") 
| fieldformat "First Event"=strftime('First Event', "%c") 
| fieldformat "Last Event"=strftime('Last Event', "%c") 
| fieldformat "Last Update"=strftime('Last Update', "%c")

Splunk Documentation

references

• Splunk Search Command of the Week: Where Command
• SPL2 Search Reference: where command usage

• [Docs Splunk:

  metadata]def3