Skip to main content

How to use Splunk SPL commands to write better queries - Part I

Introduction

As a software engineer, we are quite used to deal with logs in our daily lives, but in addition to ensuring that the necessary logs are being sent by the application itself or through a service mesh, we often have to go a little further and interact with some log tool to extract more meaningful data. This post is inspired by a problem I had to solve for a client who uses Splunk as their main data analysis tool and this is the first in a series of articles where we will delve deeper and learn how to use different Splunk commands.

Running Splunk with Docker

To run Splunk with docker, just run the following command:

docker run -d —rm -p 8000:8000 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=SOME_PASSWORD --name splunk splunk/splunk:latest

Sample Data

We are going to use the sample data provided by Splunk. You can find more information and download the zip file from their web site.

How does it work?

In order to be able to interact with Splunk to generate better reports and visualizations, we need to know SPL, short for Search Processing Language. The key to understand Splunk queries with SPL is to know that it is based on unix pipeline. So what are unix pipeline and how does it help us to understand how Splunk queries work?

According to a definition from the Wikipedia web site:

In Unix-like computer operating systems, a pipeline is a mechanism for inter-process communication using message passing. A pipeline is a set of processes chained together by their standard streams, so that the output text of each process (stdout) is passed directly as input (stdin) to the next one.

Creating queries with SPL

You can think of each pipe acting as a filter on your search result. Lets take the following query as example:

index=main productId="WC-SH-G04"

As stated in the Splunk docs, it helps to visualize your indexes as if they were regular tables in a database. So the previous query would be something like this in a sql query.

select * from main WHERE productId="WC-SH-G04"

Our query will produce the following result:

Now lets apply another filter to our search result by adding the following to our previous command:

index=main productId="WC-SH-G04" | top limit=3 status

The first search returned us the total number of events where productId="WC-SH-G04", but it is also showing us the result in the Splunk Events default view and we don't want to see our results like that, right? We want to be able to show our query results in a form of table where we can bring to our business some kind of data analysis so we can extract useful information to our business from all the logs we produces. This is where things starts to get interesting. First of all Splunk will start to show our results in a table just by adding the previous command followed by a pipe. Just like unix we pass the result of a previous command to the next one by adding a pipe ( | ) operator between the commands. So the previous command will produce the following result:

Our new command is asking Splunk to get all results from our first command, the command on the left side of our pipe, and transform them by returning us the top 3 results by status type.

Conclusion

While writing Splunk queries it helps to think of them as regular independent sql queries where the result of the first one can be used as an input for the next query. Splunk have a huge number of commands and operators. You can find more information about them on the section below and in the next posts!

Additional Reference

Splunk commands

Working with pipes on the Linux command line

Splunk official Docker image

Labels:

Comments

Post a Comment

Popular posts from this blog

How to become a Blockchain developer and write your first Smart Contract

Introduction This is an introductory article to help you understanding the tools and frameworks needed so that you can know from where and how to start creating your own Smart Contracts. In this post I will give you an overview of the tools, frameworks, libraries and languages used to create a Smart Contract in the Ethereum Blockchain . In the second part of this article, we are going to see how to create a Smart Contracts using Solidity and ee are also going to see how to run a Blockchain locally using Ganache , so that you can deploy, interact and test your Smart Contract in your local development environment. According to a definition from the Wikipedia website: A blockchain is a decentralized, distributed, and often public, digital ledger consisting of records called blocks that are used to record transactions across many computers so that any involved block cannot be altered retroactively, without the alteration of all subsequent blocks.. What do you need to know? T
Post a Comment
Read more

How to run OPA in Docker

From the introduction of the openpolicyagent.org site: OPA generates policy decisions by evaluating the query input against policies and data. In this post i am going to show you an easy and fast way to test your policies by running OPA in Docker. First, make sure you have already installed Docker and have it running: docker ps Inside your choosen directory, create two files. One called input.json file for your system representation and one file called example.rego for your rego policy rules. Add the following content to your json file: Add the following content for the example.rego: Each violation block represents the rule that you want to validate your system against. The first violation block checks if any of the system servers have the http protocol in it. If that is the case, the server id is added to the array. In the same way, the second violation block checks for the servers that have the telnet protocol in it and if it finds a match the server id is also
Post a Comment
Read more