Splunk - Search Language




The Splunk Search Processing Language (SPL) is a language made up of commands, functions, arguments and clauses that are combined to extract the desired results from a dataset. For example, once a search term returns a result set, you may want to narrow it down further to more specific records, which requires adding further commands to the existing search. Learning how SPL is structured is what makes this possible.

The SPL has the following components.

  • Search Terms – The keywords or phrases you are looking for.

  • Commands – The action you want to take on the result set, such as formatting or counting the results.

  • Functions – The computations you apply to the results, such as sum or average.

  • Clauses – How to group or rename the fields in the result set.

Search Terms

These are the terms you type in the search bar to retrieve the records from the dataset that meet the search criteria. In the example below we search for records that contain the two highlighted terms.

[Screenshot: Spl_1.jpg – search with two terms highlighted]

Commands

SPL provides many built-in commands that simplify analysing the data in a result set. In the example below we use the head command to keep only the top 3 results of a search.

[Screenshot: Spl_2.jpg – search piped to the head command]

Functions

Along with commands, Splunk also provides many built-in functions that take a field being analysed as input and return the result of a calculation on that field. In the example below, we use the avg() function of the stats command, which calculates the average value of the numeric field given as input.

[Screenshot: Spl_3.jpg – stats avg() applied to a numeric field]

Clauses

When we want results grouped by a specific field, or we want to rename a field in the output, we use the group by clause and the as clause respectively. In the example below we get the average number of bytes for each file present in the web_application log. As you can see, the result shows the name of each file along with the average bytes for that file.

[Screenshot: Spl_4.jpg – average bytes grouped by file with a renamed output field]
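The following search, added here as an example and not taken from the page's screenshots, combines all four components above in one pipeline: search terms select successful requests from the web_application log, the stats command applies the avg() and count functions, the BY clause groups per file, AS renames the output fields, and head keeps the files with the largest average response size. The index name, sourcetype and the status, bytes and file field names are assumptions about how the log is indexed.

```spl
index=web_application sourcetype=access_combined status=200
| stats avg(bytes) AS avg_bytes, count AS requests BY file
| where requests >= 10
| eval avg_kb = round(avg_bytes / 1024, 1)
| sort - avg_bytes
| head 5
| table file, requests, avg_kb
```

The where stage drops files with fewer than 10 requests so that a single oversized response does not dominate the average, and sort runs before head so the top 5 are the largest averages rather than the first 5 rows returned.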
