If we look at the search commands defined in a Splunk instance, built-in and custom alike, we find a trove of utilities. They range from trivial (keep the first n results) to things like streaming search results out as XML, and the one-line descriptions below are the ones the instance itself carries for each command. Note that the list is not read-only: several commands delete events from an index, write files or lookup tables, send email, or call external Perl or Python programs, so which roles are allowed to run ad hoc searches that use them is worth reviewing. There is a command to do each of the following:
| Description |
|---|
| Produces a summary of each search result. |
| Add fields that contain common information about the current search. |
| Computes the sum of all numeric fields for each result. |
| Computes an "unexpectedness" score for an event. |
| Finds and summarizes irregular |
| Appends subsearch results to current results. |
| Appends the fields of the subsearch results to current results |
| Find association rules between field values |
| Identifies correlations between fields. |
| Returns audit trail information that is stored in the local audit index. |
| Sets up data for calculating the moving average. |
| Analyzes numerical fields for their ability to predict another discrete field. |
| Keeps a running total of a specified numeric field. |
| Computes the difference in field value between nearby results. |
| Puts continuous numerical values into discrete sets. |
| Returns results in a tabular output for charting. |
| Find how many times field1 and field2 values occurred together |
| Builds a contingency table for two fields. |
| Converts field values into numerical values. |
| Crawls the filesystem for files of interest to Splunk |
| Adds the RSS item into the specified RSS feed. |
| Allows user to examine data models and run the search for a datamodel object. |
| Removes the subsequent results that match specified criteria. |
| Returns the difference between two search results. |
| Automatically extracts field values similar to the example values. |
| Calculates an expression and puts the resulting value into a field. |
| Extracts values from search results |
| Extracts field-value pairs from search results. |
| Keeps or removes fields from search results. |
| Generates summary information for all or a subset of the fields. |
| Replace null values with last non-null value |
| Replaces null values with a specified value. |
| Replaces "attr" with higher-level grouping |
| Replaces PATHFIELD with higher-level grouping |
| Run a templatized streaming subsearch for each field in a wildcarded field list |
| Takes the results of a subsearch and formats them into a single result. |
| Transforms results into a format suitable for display by the Gauge chart types. |
| Generates time range results. |
| Generate statistics which are clustered into geographical bins to be rendered on a world map. |
| Returns the first n number of specified results. |
| Returns the last n number of specified results. |
| Returns information about the Splunk index. |
| Adds or disables sources from being processed by Splunk. |
| Loads search results from the specified CSV file. |
| Loads search results from a specified static lookup table. |
| SQL-like joining of results from the main results pipeline with the results from the subpipeline. |
| Joins results with itself. |
| Performs k-means clustering on selected fields. |
| Returns a list of time ranges in which the search results were found. |
| Prevents subsequent commands from being executed on remote peers. |
| Loads events or results of a previously completed search job. |
| Explicitly invokes field value lookups. |
| Looping operator |
| Extracts field-values from table-formatted events. |
| Do multiple searches at the same time |
| Combines events in the search results that have a single differing field value into one result with a multi-value field of the differing field. |
| Expands the values of a multi-value field into separate events for each value of the multi-value field. |
| Changes a specified field into a multi-value field during a search. |
| Changes a specified multi-value field into a single-value field at search time. |
| Removes outlying numerical values. |
| Executes a given search query and export events to a set of chunk files on local disk. |
| Outputs search results to the specified CSV file. |
| Save search results to specified static lookup table. |
| Outputs search results in a simple |
| Outputs the raw text (_raw) of results into the _xml field. |
| Finds events in a summary index that overlap in time or have missed events. |
| Allows user to run pivot searches against a particular datamodel object. |
| Predict future values of fields. |
| See what events from a file will look like when indexed without actually indexing the file. |
| Displays the least common values of a field. |
| Removes results that do not match the specified regular expression. |
| Calculates how well the event matches the query. |
| Renames a specified field (wildcards can be used to specify multiple fields). |
| Replaces values of specified fields with a specified new value. |
| Specifies a Perl regular expression named groups to extract fields while you search. |
| Buffers events from real-time search to emit them in ascending time order when possible |
| The select command is deprecated. If you want to compute aggregate statistics |
| Makes calls to external Perl or Python programs. |
| Returns a random sampling of N search results. |
| Returns the search results of a saved search. |
| Emails search results to specified email addresses. |
| Sets the field values for all results to a common value. |
| Extracts values from structured data (XML or JSON) and stores them in a field or fields. |
| Turns rows into columns. |
| Filters out repeated adjacent results |
| Retrieves event metadata from indexes based on terms in the <logical-expression> |
| Filters results using keywords |
| Performs set operations on subsearches. |
| Clusters similar events together. |
| Produces a symbolic 'shape' attribute describing the shape of a numeric multivalued field |
| Sorts search results by the specified fields. |
| Puts search results into a summary index. |
| Adds summary statistics to all search results in a streaming manner. |
| Adds summary statistics to all search results. |
| Provides statistics |
| Concatenates string values. |
| Summary indexing friendly versions of stats command. |
| Summary indexing friendly versions of top command. |
| Summary indexing friendly versions of rare command. |
| Summary indexing friendly versions of chart command. |
| Summary indexing friendly versions of timechart command. |
| Annotates specified fields in your search results with tags. |
| Computes the moving averages of fields. |
| Creates a time series chart with corresponding table of statistics. |
| Displays the most common values of a field. |
| Writes the result table into *.tsidx files using indexed fields format. |
| Performs statistics on indexed fields in tsidx files |
| Groups events into transactions. |
| Returns typeahead on a specified prefix. |
| Generates suggested eventtypes. Deprecated: preferred command is 'findtypes' |
| Calculates the eventtypes for the search results |
| Runs an eval expression to filter the results. The result of the expression must be Boolean. |
| Causes UI to highlight specified terms. |
| Converts results into a format suitable for graphing. |
| Extracts XML key-value pairs. |
| Un-escapes XML characters. |
| Extracts the xpath value from FIELD and sets the OUTFIELD attribute. |
| Extracts location information from IP addresses using 3rd-party databases. |
| Processes the given file as if it were indexed. |
| Sets RANGE field to the name of the ranges that match. |
| Returns statistics about the raw field. |
| Sets the 'reltime' field to a human readable value of the difference between 'now' and '_time'. |
| Anonymizes the search results. |
| Returns a list of source |
| Performs a debug command. |
| Performs a deletion from the index. |
| Returns the number of events in an index. |
| Generates suggested event types. |
| Convenient way to return values up from a subsearch. |
| Internal command used to execute scripted alerts. |
| Finds transaction events given search constraints. |
| Runs the search script. |
| Remove seasonal fluctuations in fields. |
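The descriptions above are the kind of one-line text Splunk keeps per command in its `searchbnf.conf` files (on a typical installation under `$SPLUNK_HOME/etc/system/default/` plus each app's `default/` or `local/` directory). The following script is an added example, not code from the original post or from Splunk: it parses a searchbnf-style file, lists every command with its description, and flags the ones whose description signals a side effect (deleting, writing, emailing, executing external code), which is the first thing a reviewer wants when deciding which roles may run such commands. The sample input is constructed inline; the `<command>-command` stanza naming and the `shortdesc` key follow the searchbnf.conf layout, and the side-effect keyword list is this example's own heuristic, not anything Splunk defines.

```python
"""Enumerate Splunk search commands from a searchbnf.conf-style file and flag
the ones whose one-line description indicates a side effect.

Added example: parses the stanza layout of searchbnf.conf (one stanza per
command, named "<command>-command", with a "shortdesc" key). The keyword
heuristic below is ours, not Splunk's.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample in the layout of searchbnf.conf. The descriptions are
# the ones quoted in the list above; the stanza layout is the assumption.
SAMPLE_SEARCHBNF = """\
[abstract-command]
shortdesc = Produces a summary of each search result.

[delete-command]
shortdesc = Performs a deletion from the index.

[outputcsv-command]
shortdesc = Outputs search results to the specified CSV file.

[sendemail-command]
shortdesc = Emails search results to specified email addresses.

[script-command]
shortdesc = Makes calls to external Perl or Python programs.

[head-command]
shortdesc = Returns the first n number of specified results.
"""

# Words in a description that suggest the command changes state outside the
# search pipeline (our heuristic; tune it for your own review).
SIDE_EFFECT = re.compile(
    r"\b(delet\w*|outputs?|save\w*|writes?|emails?|external|scripts?|"
    r"execut\w*|crawl\w*|anonymiz\w*)\b",
    re.IGNORECASE,
)


def load_commands(conf_text: str) -> Dict[str, str]:
    """Return {command_name: shortdesc} for every "<name>-command" stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    commands: Dict[str, str] = {}
    suffix = "-command"
    for section in parser.sections():
        if not section.endswith(suffix):
            continue  # searchbnf also holds argument stanzas; skip those
        name = section[: -len(suffix)]
        commands[name] = parser.get(section, "shortdesc", fallback="").strip()
    return commands


def risky_commands(conf_text: str) -> List[str]:
    """Names of commands whose description matches the side-effect heuristic."""
    commands = load_commands(conf_text)
    return sorted(name for name, desc in commands.items() if SIDE_EFFECT.search(desc))


def report(conf_text: str) -> List[str]:
    """One line per command, with a [SIDE-EFFECT] marker where flagged."""
    flagged = set(risky_commands(conf_text))
    lines = []
    for name, desc in sorted(load_commands(conf_text).items()):
        marker = "[SIDE-EFFECT] " if name in flagged else ""
        lines.append(f"{name:<12} {marker}{desc}")
    return lines


if __name__ == "__main__":
    # To audit a real instance, read the actual file instead of the sample:
    #   with open("/opt/splunk/etc/system/default/searchbnf.conf") as fh:
    #       text = fh.read()
    for line in report(SAMPLE_SEARCHBNF):
        print(line)
```

The flagged set is a starting point for a capability review, not a verdict: a description that says "outputs" may refer to a harmless on-screen format, and a command with a bland description may still have side effects, so confirm each one against the command's own documentation before deciding who may run it.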