Splunk is a powerful tool for analyzing and visualizing machine-generated data. It can be used to monitor and troubleshoot IT infrastructure, security events, and business operations. However, mastering Splunk can be a daunting task, especially for beginners. That’s where a Splunk cheat sheet comes in handy.
This Splunk cheat sheet is a quick reference guide that provides a list of commonly used commands, functions, and syntax for searching, filtering, and manipulating data in Splunk. It can help you save time and improve your productivity by reducing the need to memorize complex commands or search for them in the documentation.
This cheat sheet provides a comprehensive list of Splunk commands and functions that can be used to search, analyze, and visualize data in Splunk.
Search Commands
| Command | Description |
|---|---|
search | Searches for events that match a specified search string. |
where | Filters events based on specified conditions. |
eval | Creates new fields or modifies existing fields based on specified expressions. |
fields | Limits the fields that are returned in search results. |
rename | Renames fields in search results. |
sort | Sorts search results based on specified fields. |
top | Returns the top values for a specified field. |
stats | Calculates statistics for specified fields. |
chart | Creates charts and graphs based on search results. |
timechart | Creates time-based charts and graphs based on search results. |
rex | Extracts fields from events using regular expressions. |
spath | Extracts fields from events using JSONPath expressions. |
transaction | Groups events into transactions based on specified criteria. |
join | Joins events from multiple sources based on specified fields. |
lookup | Adds fields to events based on data in a lookup table. |
inputlookup | Searches a lookup table and returns the results. |
outputlookup | Writes search results to a lookup table. |
inputcsv | Reads data from a CSV file and creates events. |
outputcsv | Writes search results to a CSV file. |
inputxml | Reads data from an XML file and creates events. |
outputxml | Writes search results to an XML file. |
inputjson | Reads data from a JSON file and creates events. |
outputjson | Writes search results to a JSON file. |
Search Functions
| Function | Description |
|---|---|
count | Counts the number of events that match a specified search string. |
sum | Calculates the sum of a specified field. |
avg | Calculates the average of a specified field. |
min | Returns the minimum value of a specified field. |
max | Returns the maximum value of a specified field. |
median | Calculates the median of a specified field. |
mode | Calculates the mode of a specified field. |
percentile | Calculates the percentile of a specified field. |
stddev | Calculates the standard deviation of a specified field. |
var | Calculates the variance of a specified field. |
abs | Returns the absolute value of a specified field. |
ceil | Rounds up a specified field to the nearest integer. |
floor | Rounds down a specified field to the nearest integer. |
round | Rounds a specified field to the nearest integer. |
sqrt | Calculates the square root of a specified field. |
log | Calculates the natural logarithm of a specified field. |
exp | Calculates the exponential value of a specified field. |
sin | Calculates the sine of a specified field. |
cos | Calculates the cosine of a specified field. |
tan | Calculates the tangent of a specified field. |
asin | Calculates the inverse sine of a specified field. |
acos | Calculates the inverse cosine of a specified field. |
atan | Calculates the inverse tangent of a specified field. |
strftime | Formats a specified field as a date and time string. |
strptime | Parses a date and time string and returns a timestamp. |
replace | Replaces a specified string with another string in a specified field. |
substr | Returns a substring of a specified field. |
toupper | Converts a specified field to uppercase. |
tolower | Converts a specified field to lowercase. |
trim | Removes leading and trailing whitespace from a specified field. |
ltrim | Removes leading whitespace from a specified field. |
rtrim | Removes trailing whitespace from a specified field. |
split | Splits a specified field into an array based on a specified delimiter. |
join | Joins an array of values into a string based on a specified delimiter. |
mvindex | Returns a specified element from an array in a specified field. |
mvcount | Counts the number of elements in an array in a specified field. |
mvfilter | Filters an array in a specified field based on specified conditions. |
mvzip | Combines two arrays in a specified field into a single array. |
mvexpand | Expands an array in a specified field into multiple events. |
Conclusion
This Splunk cheat sheet provides a comprehensive list of commands and functions that can be used to search, analyze, and visualize data in Splunk. By using these commands and functions, you can quickly and easily extract insights from your data and gain valuable insights into your business operations.
Reference: