When a basic search is executed in Splunk from the search bar, the search results are displayed in a raw event format by default. To many users, this raw event information is not particularly readable, and valuable information is often clouded by other less valuable data within the event. Additionally, if the events span several lines, only a few events can be seen on the screen at any one time.
In this recipe, we will write a Splunk search to demonstrate how we can leverage Splunk commands to make raw event data readable, tabulating events and displaying only the fields we are interested in.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and search results area.
Follow the given steps to search and tabulate the selected event data:
index=main sourcetype=access_combined
Then, click on Search or hit Enter.
table
command as follows:index=main sourcetype=access_combined | table _time, referer_domain, method, uri_path, status, JSESSIONID, useragent
cp02_tabulated_webaccess_logs
and click on Save. On the next screen, click on Continue Editing to return to the search.Let's break down the search piece by piece:
Search fragment |
Description |
---|---|
|
All the data in Splunk is held in one or more indexes. While not strictly necessary, it is a good practice to specify the index ( |
|
This tells Splunk to search only the data associated with the |
|
Using the |
In this recipe, you used the table
command. The table
command can have a noticeable performance impact on large searches. It should be used towards the end of a search, once all the other processing on the data by the other Splunk commands has been performed.
The table
command is very useful in situations where we wish to present data in a readable format. Additionally, tabulated data in Splunk can be downloaded as a CSV file, which many users find useful for offline processing in spreadsheet software or for sending to others. There are some other ways we can leverage the table
command to make our raw event data readable.
Often, there are situations where we want to present every event within the data in a tabular format, without having to specify each field one by one. To do this, we simply use a wildcard (*
) character as follows:
index=main sourcetype=access_combined | table *
While tabulating every field using the wildcard (*
) character is useful, you will notice that there are a number of Splunk internal fields, such as _raw
, that appear in the table. We can use the fields
command before the table
command to remove the fields as follows:
index=main sourcetype=access_combined | fields - sourcetype, index, _raw, source date* linecount punct host time* eventtype | table *
If we do not include the minus (-
) character after the fields
command, Splunk will keep the specified fields and remove all the other fields.
3.141.24.134