The following list contains the functions that you can use to compare values or to specify conditional statements. For information about using string and numeric fields in functions, and about nesting functions, see Evaluation functions. For information about Boolean operators such as AND and OR, see Boolean operators.

The case function accepts alternating conditions and values and returns the first value whose condition evaluates to TRUE. The arguments are Boolean expressions that are evaluated from first to last; when the first expression that evaluates to TRUE is encountered, the value that follows it is returned. The function returns NULL if none of the conditions is true. You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic example

This example uses the sample data from the Search Tutorial, but should work with any format of Apache web access log. To try this example on your own Splunk instance, download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range Yesterday when you run the search. The following search returns a description for each HTTP status code:

sourcetype=access_* | eval description=case(status=200, "OK", status=404, "Not found", status=500, "Internal Server Error") | table status description

The results appear on the Statistics tab as a table with a status column and a description column. For an example of how to display a default value when the status does not match any of the specified values, see the true() function.

A second example shows how to use the case function in two different ways: to create categories and to create a custom sort order. It uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma-separated ASCII text file that contains the magnitude (mag), coordinates (latitude, longitude), region (place), and so forth, for each recorded earthquake. You can download a current CSV file from the USGS Earthquake Feeds and upload it to your Splunk instance if you want to follow along with this example.
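As an added example, and not one of the searches from the Splunk documentation quoted above, the following search applies case() to the same Search Tutorial access log in the three ways the text describes: a final true() condition supplies the default that the basic example lacks, a second case() buckets status codes into categories, and a third produces a numeric key for a custom sort order so that server errors are listed before client errors. The sourcetype, status, and clientip fields are the standard Apache access log extractions; the category names and sort keys are my own choices.

```spl
sourcetype=access_*
| eval description=case(
      status=200, "OK",
      status=404, "Not found",
      status=500, "Internal Server Error",
      true(), "Other (".status.")")
| eval class=case(
      status>=500, "server error",
      status>=400, "client error",
      status>=300, "redirect",
      true(), "success")
| stats count BY class status description
| eval sort_key=case(class="server error", 1, class="client error", 2, true(), 3)
| sort sort_key, -count
| fields - sort_key
```

The trailing true() matters more than it looks: without it, any status outside the listed codes gets a NULL description, and stats count BY silently drops events whose BY field is NULL, so the counts would be wrong rather than merely unlabelled. Adding clientip to the BY clause turns the same search into a quick check for a single source producing a burst of client errors, which is what a scanner or credential-stuffing attempt looks like in an access log.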
A subsearch is a special case of the regular search in which the result of a secondary, or inner, query is the input to the primary, or outer, query. It is similar to the concept of a subquery in SQL. In Splunk, the inner query should return a result that can be substituted into the outer query. When a search contains a subsearch, the subsearch is run first. Subsearches must be enclosed in square brackets in the primary search.

We consider the case of finding, in a web log, the file with the maximum size in bytes. We then want only those events where the file size is equal to that maximum and the event occurred on a Sunday. We first create the subsearch that finds the maximum file size, using the stats command with max(bytes) as its argument. This identifies the largest file size within the time range over which the search is run. Run on its own, this search returns a single row containing that maximum value.

Adding the Subsearch

Next, we add the subsearch to the primary, or outer, query by placing it inside square brackets, with the search command at the start of the subsearch. As we see, the result contains only the events whose file size equals the maximum file size found across all the events, and whose event day is a Sunday.
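As an added example, and not the search from the screenshot the original page refers to, the following search implements the procedure above against the Search Tutorial access log. The field names (bytes, clientip, uri_path) are the standard Apache access log extractions; the AS bytes rename is my choice, so that the subsearch output carries the same field name the outer search filters on.

```spl
sourcetype=access_*
    [ search sourcetype=access_* | stats max(bytes) AS bytes ]
| eval wday=strftime(_time, "%A")
| where wday="Sunday"
| table _time clientip uri_path status bytes
```

To see exactly what text is substituted into the outer search, run the bracketed search on its own with | format appended; here it yields a single term such as bytes=123456. Without the AS bytes rename the field would be called max(bytes) and the outer search would filter on a field of that name instead. If the subsearch returns several rows they are combined with OR, and by default a subsearch is cut off at 10,000 results or 60 seconds of run time; a truncated subsearch produces an outer search that is wrong without raising an error, which is worth checking when the outer search is a detection rule.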