SPL

The document provides an overview of Splunk's Search Processing Language (SPL) and its usage for analyzing Apache logs. It includes examples of queries for counting requests by URI path, tracking 500 errors over time, and extracting fields, as well as features like dashboards, alerts, and reports. Additionally, it highlights important transforming commands in Splunk for summarizing and aggregating data.

Uploaded by

Sushanth Reddy

SPL

===========

1)
index=apache_logs uri_path="*.png" | stats count by uri_path

| uri_path                    | count |
| --------------------------- | ----- |
| /images/kibana-search.png   | 12    |
| /icons/apache_logo.png      | 8     |
| /static/img/splunk_logo.png | 5     |
| /assets/img/banner.png      | 3     |

🔎 This tells us, for example, that /images/kibana-search.png was requested 12 times
in your logs.

================================================
2)

index=apache_logs | stats count by uri_path

📊 Group the events by each unique uri_path (the path part of the URL requested),
and show how many times each one appeared.

This helps you understand which pages/files were requested most on your server.

🔍 From your apache_logs index, Splunk grouped all log entries by the uri_path
(i.e., the part of the URL requested)
📊 Then it counted how many times each unique uri_path appeared in your logs.

| uri_path                             | count |
| ------------------------------------ | ----- |
| `/images/kibana-search.png`          | 5     |
| `/plugin/highlight`                  | 3     |
| `/presentations/logstash-monitorama` | 2     |

This tells you:

The file/image /images/kibana-search.png was accessed 5 times

The path /plugin/highlight was accessed 3 times

The page /presentations/logstash-monitorama was accessed 2 times

So this query answers:

Which pages or assets were requested and how often?

=================

3)

Time-based Chart of 500 Errors

index=apache_logs status=500 | timechart count by clientip


📊 Show how many 500 errors happened over time, and
👤 Which IP addresses caused them.

🔍 Search for all events in the apache_logs index where the HTTP status code is 500
(Internal Server Error),
📊 Then use timechart to plot a time-based chart showing how many 500 errors
occurred, broken down per IP address (clientip) over time.

status=500: Filters only the log events with HTTP 500 errors.

timechart count by clientip: Aggregates the number of events over time, grouped by
each client IP.

📊 Example Output (Visual Time Chart):

| _time            | 192.168.1.10 | 203.0.113.5 |
| ---------------- | ------------ | ----------- |
| 2024-06-21 00:00 | 3            | 0           |
| 2024-06-21 01:00 | 1            | 2           |
| 2024-06-21 02:00 | 0            | 1           |

This shows:

The number of 500 errors per hour

Which IP address was causing or receiving them

It’s perfect for tracking outages, bugs, or malicious behavior.
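Queries 1 to 3 above all do the same two things: pull fields out of the raw Apache line, then aggregate. The Python below is an added illustration, not part of these notes and not Splunk code; it runs the same steps over a handful of constructed log lines. A named-group regex plays the role of Splunk's search-time field extraction, `stats_count_by` mirrors `stats count by uri_path`, and `timechart_count_by` mirrors `timechart count by clientip` with one-hour buckets. The log lines, IP addresses and paths are made up for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOGS = """\
192.168.1.10 - - [21/Jun/2024:00:05:12 +0000] "GET /images/kibana-search.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.10 - - [21/Jun/2024:00:17:40 +0000] "GET /plugin/highlight HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jun/2024:00:42:03 +0000] "GET /images/kibana-search.png HTTP/1.1" 200 5120 "-" "curl/8.0"
192.168.1.10 - - [21/Jun/2024:01:03:55 +0000] "POST /plugin/highlight HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jun/2024:01:09:21 +0000] "GET /presentations/logstash-monitorama HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.5 - - [21/Jun/2024:01:58:00 +0000] "GET /images/kibana-search.png HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.5 - - [21/Jun/2024:02:30:10 +0000] "GET /icons/apache_logo.png HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Named groups do the job of Splunk's search-time field extraction:
# clientip, _time, method, uri_path, status and bytes come out of each line.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_events(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["_time"] = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
        events.append(ev)
    return events


def stats_count_by(events, field, where=None):
    """Equivalent of `... | stats count by <field>`, with an optional filter
    standing in for the search terms before the pipe (e.g. uri_path="*.png")."""
    return dict(Counter(ev[field] for ev in events if where is None or where(ev)))


def timechart_count_by(events, by="clientip", where=None):
    """Equivalent of `... | timechart span=1h count by clientip`.
    Returns {hour_bucket: {value: count}} sorted by bucket."""
    buckets = defaultdict(Counter)
    for ev in events:
        if where is not None and not where(ev):
            continue
        hour = ev["_time"].strftime("%Y-%m-%d %H:00")
        buckets[hour][ev[by]] += 1
    return {h: dict(c) for h, c in sorted(buckets.items())}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    # 1) index=apache_logs uri_path="*.png" | stats count by uri_path
    print(stats_count_by(evs, "uri_path", where=lambda e: e["uri_path"].endswith(".png")))
    # 2) index=apache_logs | stats count by uri_path
    print(stats_count_by(evs, "uri_path"))
    # 3) index=apache_logs status=500 | timechart count by clientip
    for hour, row in timechart_count_by(evs, where=lambda e: e["status"] == 500).items():
        print(hour, row)
```

Two things differ from real Splunk output: the bucket size here is fixed at one hour (Splunk derives a span from the search time range unless you pass `span=1h`), and hours with no 500 errors are simply absent, whereas timechart emits a row of zeros for them, which matters when a dashboard panel is meant to show the gap.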

=================================================
📜 What is SPL (Search Processing Language)?
Splunk uses its own query language called SPL. It helps you search and extract
insights from the logs.

It is the query language used in Splunk.

Similar to SQL, but focused on logs.

You use it to search, filter, sort, group, and visualize data.

🔶 1. What is Splunk? (Recap in Simple Words)


Splunk is a tool that helps you collect, analyze, search, monitor, and visualize
data — mostly log files — from any machine or app, in real-time.

Real-life analogy:
Imagine your mobile phone keeps a record of everything: calls, messages, battery
usage, network drops. Now, imagine a tool that reads all this and tells you what
went wrong and when. Splunk does that for servers, apps, and networks.

1) ✅ Show All Logs

index=apache_logs

This shows all the logs from the apache_logs index you just uploaded.

2) Show Top 10 IP Addresses


index=apache_logs | top limit=10 clientip

3) Find All 404 Errors


index=apache_logs status=404

4) Count of Each HTTP Status Code


index=apache_logs | stats count by status

5) How Many Events Per URI Path


index=apache_logs | stats count by uri_path

6) ✅ Most Hit URI Paths

index=apache_logs | stats count by uri_path | sort -count | head 10

✨ 3. Use Time Filters

Last 15 minutes:

index=apache_logs earliest=-15m@m

Last 24 hours:

index=apache_logs earliest=-24h@h

=====================

🔷 1. Field Extraction (Search-Time Fields) 🧪


🔸 Sometimes, Splunk doesn’t auto-recognize all fields in a log.

You can create custom fields using:

Interactive field extractor (point & click)

Or rex command (with regex)

index=apache_logs
| rex field=_raw "(?<http_method>GET|POST|PUT|DELETE)"
| stats count by http_method

This extracts the HTTP method from the logs and counts them.
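The pattern `(?<http_method>GET|POST|PUT|DELETE)` is unanchored, so rex takes the first place in `_raw` where any of those four words occurs. On a line whose method is HEAD or OPTIONS, that first place may be inside the URI, the referrer or the user agent, and the event is silently mislabelled; a line with none of the four words gets no field at all and drops out of `stats count by http_method`. The Python below is an added example (not from these notes or from Splunk) that runs the page's loose pattern and a tightened one over four constructed lines. Python spells a named group `(?P<name>...)` where SPL writes `(?<name>...)`.

```python
import re
from collections import Counter

# Constructed raw lines. The third is a HEAD request whose URI contains "POST";
# the fourth is an OPTIONS request that contains none of the four listed verbs.
RAW_LINES = [
    '10.0.0.1 - - [21/Jun/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [21/Jun/2024:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [21/Jun/2024:10:00:02 +0000] "HEAD /archive/POST-2024.tar.gz HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.4 - - [21/Jun/2024:10:00:03 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "probe/1.0"',
]

# Python equivalent of the page's rex pattern: unanchored, four verbs only.
LOOSE_RE = re.compile(r"(?P<http_method>GET|POST|PUT|DELETE)")

# Tightened version: the method is the token right after the opening quote of
# the request line, so anchor there and accept any uppercase method token.
STRICT_RE = re.compile(r'"(?P<http_method>[A-Z]+) ')


def rex_count(lines, pattern):
    """Apply a rex-style extraction, then `stats count by http_method`.
    Splunk's stats would drop events that have no http_method field; here
    they are kept under the key None so the gap is visible."""
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        counts[m.group("http_method") if m else None] += 1
    return dict(counts)


if __name__ == "__main__":
    print("loose :", rex_count(RAW_LINES, LOOSE_RE))
    print("strict:", rex_count(RAW_LINES, STRICT_RE))
```

With the loose pattern the HEAD request is counted as POST and the OPTIONS request vanishes from the count; with the anchored pattern each of the four lines reports its real method. The same anchoring is worth applying in the rex itself, since a dashboard that undercounts HEAD and OPTIONS traffic hides exactly the reconnaissance-style requests a defender wants to see.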

==========================

Learn SPL Filters and Pipelines

index=apache_logs status=200 | stats count by clientip


Breakdown:

index=apache_logs → find logs from that index

status=200 → filter only success logs

| (pipe) → send result to next command

stats count by clientip → group results by client IP

=============================

🔶 8. Dashboards, Alerts, and Reports

| Feature       | Purpose                                                          |
| ------------- | ---------------------------------------------------------------- |
| **Dashboard** | Visual panels of data: charts, graphs, tables                    |
| **Alert**     | Auto-notification based on search condition (e.g., if CPU > 90%) |
| **Report**    | Saved searches, can be scheduled (daily, weekly, etc.)           |

📊 You can create beautiful charts to show:

Top users by login

Errors in last 24h

Memory usage trend

Failed login attempts

=================================

Important Transforming Commands in Splunk

These commands summarize, group, or aggregate data — turning raw logs into useful
insights.

1) where

Purpose: Filter results based on custom logic (used after eval or stats).

index=apache_logs | where status > 400

2) count + sort

📘 Example (Top 10 most accessed URIs):

index=apache_logs | stats count by uri_path | sort -count | head 10

3) top / rare
Purpose:

top: Show most frequent values

rare: Show least frequent values

📘 Example (Top 5 visited IPs):

index=apache_logs | top limit=5 clientip

📘 Example (Rare URIs):

index=apache_logs | rare uri_path

4) stats
Purpose: Perform aggregations like count, sum, avg, min, max, grouped by one or
more fields.

📘 Example (Count events per status code):

index=apache_logs | stats count by status

📘 Example (Average bytes sent per IP):

index=apache_logs | stats avg(bytes) by clientip

5) dedup

Purpose: Show only unique values for a field.

📘 Example (Unique IPs):

index=apache_logs | dedup clientip

6) eval
Purpose: Create new fields or conditions.

📘 Example (Tag traffic as large/small based on bytes):


index=apache_logs
| eval traffic_type=if(bytes > 1000, "Large", "Small")
| stats count by traffic_type

7) table
Purpose: Format specific fields in table form (for dashboards).

📘 Example (Display selected fields):

index=apache_logs | table _time, clientip, uri_path, status, bytes

8) 🔷 rename Command in Splunk


✅ Purpose:
To rename field names in the search result (for display, reporting, or further
use).

🔹 Rename clientip to IP_Address

index=apache_logs
| stats count by clientip
| rename clientip AS IP_Address

Rename multiple fields

index=apache_logs
| stats count by clientip, status
| rename clientip AS IP, status AS HTTP_Status
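To make the semantics of the transforming commands in this section concrete, the Python below (an added example, not part of these notes and not Splunk code) implements `where`, `eval`, `stats count by`, `top`, `rare`, `dedup`, `table` and `rename` as small functions over a constructed list of event dicts that use the page's field names, and chains them the way the pipe does in SPL. The event values are made up for the example.

```python
from collections import Counter

# Constructed events, shaped like what Splunk hands to a transforming command.
EVENTS = [
    {"clientip": "192.168.1.10", "uri_path": "/images/kibana-search.png", "status": 200, "bytes": 5120},
    {"clientip": "192.168.1.10", "uri_path": "/plugin/highlight", "status": 500, "bytes": 0},
    {"clientip": "203.0.113.5", "uri_path": "/images/kibana-search.png", "status": 200, "bytes": 5120},
    {"clientip": "203.0.113.5", "uri_path": "/admin", "status": 404, "bytes": 300},
    {"clientip": "198.51.100.7", "uri_path": "/images/kibana-search.png", "status": 200, "bytes": 900},
    {"clientip": "203.0.113.5", "uri_path": "/admin", "status": 403, "bytes": 250},
]


def where(events, predicate):
    """`| where <expr>`: keep events for which the expression is true."""
    return [e for e in events if predicate(e)]


def eval_field(events, name, fn):
    """`| eval name=<expr>`: add a computed field to every event."""
    return [{**e, name: fn(e)} for e in events]


def stats_count_by(events, *fields):
    """`| stats count by f1, f2`: one row per distinct combination, plus count."""
    c = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in c.items()]


def top(events, field, limit=10):
    """`| top limit=N field`: most frequent values with count and percent."""
    c = Counter(e[field] for e in events)
    total = sum(c.values())
    return [{field: v, "count": n, "percent": round(100 * n / total, 2)}
            for v, n in c.most_common(limit)]


def rare(events, field, limit=10):
    """`| rare field`: least frequent values first."""
    c = Counter(e[field] for e in events)
    return [{field: v, "count": n}
            for v, n in sorted(c.items(), key=lambda kv: kv[1])[:limit]]


def dedup(events, field):
    """`| dedup field`: keep the first event seen for each value of field."""
    seen, out = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            out.append(e)
    return out


def rename(rows, **mapping):
    """`| rename old AS new`: mapping is given as old_name=new_name."""
    return [{mapping.get(k, k): v for k, v in r.items()} for r in rows]


def table(rows, *fields):
    """`| table f1, f2`: keep only the named fields, in that order."""
    return [{f: r.get(f) for f in fields} for r in rows]


if __name__ == "__main__":
    # index=apache_logs | where status > 400 | stats count by clientip, status
    #                   | rename clientip AS IP, status AS HTTP_Status
    errors = where(EVENTS, lambda e: e["status"] > 400)
    print(rename(stats_count_by(errors, "clientip", "status"),
                 clientip="IP", status="HTTP_Status"))
    # index=apache_logs | eval traffic_type=if(bytes > 1000, "Large", "Small")
    #                   | stats count by traffic_type
    tagged = eval_field(EVENTS, "traffic_type",
                        lambda e: "Large" if e["bytes"] > 1000 else "Small")
    print(stats_count_by(tagged, "traffic_type"))
    print(top(EVENTS, "clientip", limit=5))      # | top limit=5 clientip
    print(rare(EVENTS, "uri_path"))              # | rare uri_path
    print(table(dedup(EVENTS, "clientip"), "clientip", "uri_path"))
```

Note the ordering in the first pipeline: `rename` runs after `stats`. Each command only sees the fields its predecessor emitted, so renaming `clientip` before `stats count by clientip` would leave `stats` with nothing to group on. SPL behaves the same way, which is why the rename examples on this page put `rename` last.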
