The Results set of commands is used to manage the output of the search results. This set of commands can be used to filter the events, reformat the events, group them, reorder them, and read and write on the results.
The fields
command is used to keep (+
) or remove (-
) fields from the search results. If +
is used, then only the field list
followed by +
will be displayed, and if –
is used, then the field list
followed by –
will be removed from the current result set.
The syntax for the fields
command is as follows:
… | fields +/- field_list
Refer to the following example for better clarity:
index=_internal | top component cumulative_hits executes | fields – percent
In the preceding screenshot, we have used the top
command. The top
command returns the count and percentage of the specified fields. So, we have used fields – percent
, which shows all the fields, except percent. Similarly, the fields
command can be used to get the desired output.
The
searchtxn
command of Splunk is a useful command to get events that match the specific text and transaction type. This command can be used to find a transaction that satisfies a certain set of conditions. Let's say the user is interested in finding out all the login failed attempts due to an incorrect password. In this case, the searchtxn
command can be used.
The syntax for the searchtxn
command is as follows:
| searchtxn transaction-name search_query
Refer to the following for parameter descriptions:
transaction-name
: Name of the transaction as defined in the transactiontypes.conf
filesearch_query
: The search string for which the transactions are neededRefer to the following example for better clarity:
| searchtxn webmaillogin="failed"login_error="Password Incorrect"
The preceding query will return all the search transactions of the webmail that has login as failed
and a login error as Password Incorrect
.
The
head
Splunk command is used to fetch the first n number of specified results, and the tail
command is used to fetch the last n number of specified results from the result set.
The syntax for the commands is as follows:
… | head n | Expression … | tail n
The parameter description for the preceding query is as follows:
The example of the head
…tail
commands is mentioned with the explanation, as follows:
… | head 10 … | tail 10
In the preceding search query, the head 10
will list out first 10 events, and the tail 10
will return the last 10 events in the search results.
The
inputcsv
command of Splunk is a generating command and can be used to load search results directly from the specified .csv
file located in $SPLUNK_HOME/var/run/splunk
. The inputcsv
command does not upload the data on Splunk; it fetches it directly from the .csv
file and loads the result.
Following is the syntax for the inputcsv
command:
|inputcsv dispatch=true / false append=true / false events=true / false filename
A parameter description of the preceding query is as follows:
dispatch
: If the dispatch
parameter is set to true
, then Splunk looks for the .csv
file in the dispatch
directory, that is, $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/
. The default value for the dispatch
parameter is false
.append
: The append
parameter, if set to true
, appends the data from the .csv
file to the current result set. The default value for this parameter is false
.events
: If the events
parameter is set to true
, then the content loaded from the .csv
file is available as events in Splunk where timeline, fields, and so on will be visible as if the file is uploaded on Splunk. Generally, for the CSV file to get loaded as events, a timestamp is required in the file.filename
: The name of the CSV file. Splunk first searches for the filename. If it does not exist, it searches for the .csv
filename. So, this means if the file exists but does not have a .csv
extension, that file will still get loaded using the inputcsv
command.An inputcsv
query looks like the one shown following:
|inputcsv TestCSV
As shown in the preceding screenshot, the TestCSV
file gets loaded into Splunk using the inputcsv
command from $SPLUNK_HOME/var/run/splunk
as the dispatch
parameter is not set and by default it is false
.
The outputcsv
command of Splunk works exactly opposite to the inputcsv
command. This command exports the results into a .csv
file at $SPLUNK_HOME/var/run/splunk
.
The syntax for the outputcsv
command is as follows:
Outputcsv append=true / false create_empty=true / false dispatch=true / false singlefile=true / false filename
The parameter description for the ouputcsv
command is as follows:
append
: If append
is set to true
, then the results are appended to the file if it exists or a new file is created. If there is a pre-existing file and it has headers, then headers are omitted during appending. The default value for this parameter is false
.create_empty
: In a scenario when there is no result and this parameter is set to true
, then Splunk creates an empty file with the name specified. If append
and create_empty
are set to false
and there is no result, then in this case, any pre-existing files will be deleted.dispatch
: If set to true
, then the output will be saved in the dispatch
directory, that is, $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/
.singlefile
: If this parameter is set to true
and the result is in multiple files, then Splunk collapses the output in one single file.filename
: Name of the file in which the result is to be stored.Refer to the following example of the outputcsv
command:
index=_internal | top component cumulative_hits | outputcsv ResultCSV
The preceding Splunk query will output the result of the query in to a filename, ResultCSV
, which will be stored at $SPLUNK_HOME/var/run/splunk
.
3.144.39.16