Skip to main content

How to use Splunk SPL commands to write better queries - Part I

Introduction

As a software engineer, we are quite used to deal with logs in our daily lives, but in addition to ensuring that the necessary logs are being sent by the application itself or through a service mesh, we often have to go a little further and interact with some log tool to extract more meaningful data. This post is inspired by a problem I had to solve for a client who uses Splunk as their main data analysis tool and this is the first in a series of articles where we will delve deeper and learn how to use different Splunk commands.

Running Splunk with Docker

To run Splunk with docker, just run the following command:

docker run -d —rm -p 8000:8000 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=SOME_PASSWORD --name splunk splunk/splunk:latest

Sample Data

We are going to use the sample data provided by Splunk. You can find more information and download the zip file from their web site.

How does it work?

In order to be able to interact with Splunk to generate better reports and visualizations, we need to know SPL, short for Search Processing Language. The key to understand Splunk queries with SPL is to know that it is based on unix pipeline. So what are unix pipeline and how does it help us to understand how Splunk queries work?

According to a definition from the Wikipedia web site:

In Unix-like computer operating systems, a pipeline is a mechanism for inter-process communication using message passing. A pipeline is a set of processes chained together by their standard streams, so that the output text of each process (stdout) is passed directly as input (stdin) to the next one.

Creating queries with SPL

You can think of each pipe acting as a filter on your search result. Lets take the following query as example:

index=main productId="WC-SH-G04"

As stated in the Splunk docs, it helps to visualize your indexes as if they were regular tables in a database. So the previous query would be something like this in a sql query.

select * from main WHERE productId="WC-SH-G04"

Our query will produce the following result:

Now lets apply another filter to our search result by adding the following to our previous command:

index=main productId="WC-SH-G04" | top limit=3 status

The first search returned us the total number of events where productId="WC-SH-G04", but it is also showing us the result in the Splunk Events default view and we don't want to see our results like that, right? We want to be able to show our query results in a form of table where we can bring to our business some kind of data analysis so we can extract useful information to our business from all the logs we produces. This is where things starts to get interesting. First of all Splunk will start to show our results in a table just by adding the previous command followed by a pipe. Just like unix we pass the result of a previous command to the next one by adding a pipe ( | ) operator between the commands. So the previous command will produce the following result:

Our new command is asking Splunk to get all results from our first command, the command on the left side of our pipe, and transform them by returning us the top 3 results by status type.

Conclusion

While writing Splunk queries it helps to think of them as regular independent sql queries where the result of the first one can be used as an input for the next query. Splunk have a huge number of commands and operators. You can find more information about them on the section below and in the next posts!

Additional Reference

Splunk commands

Working with pipes on the Linux command line

Splunk official Docker image

Labels:

Comments

Post a Comment

Popular posts from this blog

How to run OPA in Docker

From the introduction of the openpolicyagent.org site: OPA generates policy decisions by evaluating the query input against policies and data. In this post i am going to show you an easy and fast way to test your policies by running OPA in Docker. First, make sure you have already installed Docker and have it running: docker ps Inside your choosen directory, create two files. One called input.json file for your system representation and one file called example.rego for your rego policy rules. Add the following content to your json file: Add the following content for the example.rego: Each violation block represents the rule that you want to validate your system against. The first violation block checks if any of the system servers have the http protocol in it. If that is the case, the server id is added to the array. In the same way, the second violation block checks for the servers that have the telnet protocol in it and if it finds a match the server id is also...
Post a Comment
Read more

API GATEWAY: THE CLOUDFRONT 403 FORBIDDEN ERROR

If you are having a 403 Forbidden error from CloudFront , that means your domain name is not linked to your CloudFront distribution and because CloudFront stays in front of your API GATEWAY you need to create a CNAME record pointing your domain name to your CloudFront target domain name in order for it to work. So, If you need to point your api to a custom domain name, all you have to do is following those 2 easy steps: 1 - CREATING YOUR CUSTOM DOMAIN NAME Go to the API GATEWAY console and click on the Custom Domain Name menu. Click on the Create Custom Domain Name button. Next, assign a certificate matching the same domain name you are creating and map to the root path and destination of your desired api. Lastly, copy the CloudFront Target Domain Name . You will need to paste that in your Route 53 record. 2 - CREATING A CNAME RECORD ON ROUTE 53 Create a CNAME record on Route 53 for the same custom domain name, assigning to it the CloudFront Target Domain. CONCLUSION ...
Post a Comment
Read more