Splunk UsefullFunctions

November 18, 2023

Get a relative time :

index=web
| eval timefield=relative_time(now(), "-30d)
| table timefield
| convert ctime(timefield)

Upper Lower : upper(…) lower(…)

stats/eventstats

Sort / group by

index=web
| stats list(clientip) list(action) list(categoryid) by host

This group results by clearly separating the hosts.

index=web
| stats count(bytes) as TotalBytes by host
| eval is_it_high=if(TotalBytes >13000, "high", "low")
| eval TotalBytes=printf("%'d", TotalBytes)
| eventstats count by TotalBytes host
| fields host TotalBytes, is_it_high

eventstats used without parameters will show all the stats computed by the command

iplocation -> shows location of Ip addresses

bin -> kind of group function ex : | bin _time span=1d -> to group by day ex : to add a line with the sum of all results per day :

index=web
| bin _time span=1d
| stats count by _time, action
| appendpipe
    [stats sum(count) as count by _time 
    |eval action="Total Action Performed"]
| sort _time

Course 3 - Indexes -> Acceleration section

Sparkline (shows like an heartbeat diagram)

| tsstats count from datamodel=Authentication by _time Authentication.user
| stats sparkline(sum(count)) by Authentication.user