DEV Community

Maxime Guilbert
Maxime Guilbert

Posted on • Edited on

Useful Splunk search functions

We always are looking for a way to do specific searches, and it seems complicated when we don't know all the possibilities of the Tool.

So here we are to explore some of them!


Stats functions

First

[search] | stats first() by [parameter]

The first() command will retrieve you all the first logs it founds for each value of the parameter.
So if you use "sort time asc", you will find your the earliest log linked to the parameter... If you sort by alphabetical order, you will retrieve the first element of the list.

Exemple

index=info | stats first() by id
Enter fullscreen mode Exit fullscreen mode

Last

[search] | stats last() by [parameter]

Like first, but take the last element of the list.

Exemple

index=info | stats first() by id
Enter fullscreen mode Exit fullscreen mode

Earliest

[search] | stats earliest() by [parameter]

Like first and last, but will always take the earliest log.

Exemple

index=info | stats earliest() by id
Enter fullscreen mode Exit fullscreen mode

Latest

[search] | stats latest() by [parameter]

Like earliest, but take the latest log.

Exemple

index=info | stats latest() by id
Enter fullscreen mode Exit fullscreen mode

Splunk Stats function documentation


Rename

In a lot of moments, it can be really interesting to rename a variable.

A perfect example is after "| stats first() by id". If you check the name of the parameters returned by the function, they all look like "first(xxx)" except id. But keep "first(xxx)" won't help you do other treatments. So you need to rename variables.

[search] | rename [variable to rename] AS [new name]

Exemple

index=info | rename id AS id_element
Enter fullscreen mode Exit fullscreen mode

Splunk documentation


Dedup

Removes the logs that contain an identical combination of values for the fields that you specify.

[search] | dedup [list of fields]

Exemple

index=info | dedup id name
Enter fullscreen mode Exit fullscreen mode

Splunk documentation


Fillnull

Replace null values with the value given in the parameter.

[search] | fillnull value=[new value] [field name]

Exemple

index=info | fillnull value=empty error_code
Enter fullscreen mode Exit fullscreen mode

Splunk documentation


I hope it will help you!

Top comments (0)