Splunk Search

Real time examples

www.about.me/eashwar

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) | timechart count | sort -count

When (date and time ) the occurred.

Sorted in descending order, so that we can find the time when more number of errors occurred

Area chart

source="access_*" | transaction referer | chart count(eval(uri)) AS uri by referer | sort -uri

Refere is the parent url. Transaction is a command to group a equal field/value pairs. Grouping referer

Above is a part of the PIE diagram of this search result(focused to one month).

The referrer has contributed 8 URI visits .

sourcetype=access_* | chart avg(bytes) by _time | sort -_time

sourcetype=access_* | chart avg(bytes) over _time by status

OVER is a new key word i am using.When I user it I get the results in x, and y axis . The results can be differentiated by differentStatus.

sourcetype=access* | chart max(bytes) AS Transfer over clientip by action

If feel more data, and we need little add | head 20 after access* . This will act as a filter function

sourcetype="access_*" | contingency clientip category_id | sort -total