Splunk Commands for Data Analysis and Visualization

Splunk is a powerhouse in the realm of data analysis, known for its ability to search, monitor, and analyze machine-generated data. This article walks through the essential Splunk search commands, grouped by functionality, whether you’re performing basic searches, manipulating data, or creating complex visualizations.


All Splunk Commands for Data Analysis and Visualization

Command Type: Commands
Search: search, stats, table, timechart, top, eventstats, tstats, multisearch, metadata, loadjob, eventcount
Evaluation: eval, eval if, eval case, eval coalesce, rangemap, foreach, convert, replace
Data Manipulation: rename, sort, rex, fields, where, bin, transaction, fillnull, append, appendcols, join, makemv, mvexpand, filldown, makeresults
Lookups: lookup, inputlookup, outputlookup
Data Collection: collect
Clustering & Patterns: cluster, anomalies, kmeans
Geospatial Analysis: geostats, map
Other: spath, outputcsv, searchmatch, predict, outlier, tags

1. search

The fundamental command in Splunk for retrieving data. search finds events that match specified keywords, fields, or conditions.

Example: search error


2. eval

Calculates and creates new fields at search time. An eval expression combines existing fields, literals, and functions (arithmetic, string, conditional) to produce a new or modified field.

Example: eval total_price = price * quantity


3. stats

Provides aggregate statistics like count, sum, average, min, and max. Commonly used for generating summary statistics.

Example: stats count by status


4. table

Formats search results into a table with specified fields for easy visualization.

Example: table name, age, city


5. timechart

Generates a time-based chart of events, useful for tracking trends over time.

Example: timechart count by status


6. top

Returns the most common values for a specific field.

Example: top host


7. dedup

Removes duplicate events based on specified fields.

Example: dedup user_id


8. rename

Changes field names in the output.

Example: rename username as user


9. sort

Sorts search results in ascending or descending order by specified fields.

Example: sort -total_price


10. rex

Extracts fields using regular expressions, allowing for custom parsing of complex data formats.

Example: rex field=_raw "(?P<status>\d{3})"


11. fields

Includes or excludes fields from the search results, making it easier to limit the data shown.

Example: fields - password


12. where

Applies a condition to filter results, similar to SQL’s WHERE clause.

Example: where age > 25


13. bin

Groups events into “bins” or intervals, useful for histogram creation.

Example: bin span=5m _time


14. transaction

Groups events into transactions based on specific conditions, such as a unique session ID or field value.

Example: transaction session_id


15. fillnull

Fills empty fields with a default value, often used to handle NULL values in data.

Example: fillnull value="N/A"


16. append

Adds results from one search to the results of another search, without merging fields.

Example: search error | append [search warning]


17. appendcols

Joins the columns of two searches side by side, useful when merging datasets with different fields.

Example: search error | appendcols [search success]


18. join

Merges fields from two searches based on a common field, similar to SQL joins.

Example: search error | join user_id [search success]


19. lookup

Looks up and adds data from a lookup table, enabling enrichment of data with external information.

Example: lookup user_lookup user_id OUTPUT user_name


20. inputlookup

Reads data from a lookup table as a source.

Example: inputlookup user_lookup


21. outputlookup

Writes search results to a lookup table, useful for storing enriched or modified data.

Example: outputlookup updated_user_data


22. collect

Adds search results to a summary index, often used to improve search performance for large datasets.

Example: collect index=summary


23. eval if

Provides conditional logic within the eval command.

Example: eval status=if(error_count>0,"error","success")


24. filldown

Fills in empty field values in events based on the preceding non-empty value.

Example: filldown field_name


25. eventstats

Generates summary statistics and adds them to each event, unlike stats which only shows aggregated results.

Example: eventstats avg(duration) as avg_duration


26. cluster

Groups similar events into clusters, often used for anomaly detection or pattern recognition.

Example: cluster t=0.9


27. spath

Parses JSON-formatted events for individual field access, making it easy to work with nested JSON.

Example: spath input=payload path=response.status


28. mvexpand

Expands multi-value fields into individual rows, which allows for detailed data analysis on each value.

Example: mvexpand tags


29. multisearch

Allows multiple independent searches to be run in parallel and the results combined.

Example: multisearch [search error] [search warning]


30. tstats

Optimized for high-performance reporting, especially on accelerated data models.

Example: tstats count from datamodel=Network_Traffic
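An added example (not from the original article) that puts tstats to work on an accelerated data model: it assumes the CIM Network_Traffic data model is installed and accelerated, and that its All_Traffic dataset carries the standard src, dest_port and bytes fields. It summarises inbound SSH connections per source per hour and keeps only the busiest sources, which is a common starting point for spotting scanning or brute-force traffic without touching raw events.

```spl
| tstats summariesonly=true count AS connections, sum(All_Traffic.bytes) AS total_bytes
    FROM datamodel=Network_Traffic
    WHERE All_Traffic.dest_port=22
    BY _time span=1h, All_Traffic.src
| rename All_Traffic.src AS src
| where connections > 500
| sort -connections
| table _time, src, connections, total_bytes
```

summariesonly=true restricts the search to already-accelerated summaries, so the result is fast but omits events that have not yet been summarised; drop it when completeness matters more than speed.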


31. map

Runs a subsearch for each event in the main search, enabling dynamic searches.

Example: search user_id=* | map search="search source=$user_id$"


32. geostats

Generates a geographic statistical summary, often used in location-based searches.

Example: geostats latfield=lat longfield=lon count


33. replace

Replaces specified field values with other values. Useful for normalizing data or adjusting specific values within a dataset.

Example: | replace "error" with "failure" in status


34. makemv

Converts a single-value field into a multi-value field, typically for processing or splitting text.

Example: | makemv delim="," field_name


35. mstats

Used for efficient searches on metrics indexes, allowing you to retrieve and manipulate metric data.

Example: | mstats avg(_value) as avg_value where index=metrics metric_name="cpu.usage"


36. eval case

A variation of eval for conditional processing, similar to a switch or case statement.

Example: | eval status=case(age<18, "minor", age>=18 AND age<65, "adult", age>=65, "senior")


37. rangemap

Categorizes numeric fields into ranges (like heat maps), helpful for defining ranges like “Low,” “Medium,” and “High” based on numerical values.

Example: | rangemap field=cpu_usage low=0-20 medium=21-60 high=61-100


38. foreach

Executes a specified operation for each field matching a wildcard or pattern. Useful for bulk operations across multiple fields.

Example: | foreach field_* [eval <<FIELD>> = lower(<<FIELD>>)]


39. eval coalesce

Combines values from multiple fields and returns the first non-null value. It’s handy for filling missing data from alternative fields.

Example: | eval final_field=coalesce(field1, field2, field3)


40. spath

Extracts fields from JSON or nested structures, particularly useful for complex or deeply nested data structures.

Example: | spath input=json_field output=new_field


41. outputcsv

Exports the search results into a CSV file, allowing data export for external analysis.

Example: | outputcsv results.csv


42. searchmatch

A function used within where or eval commands to find specific strings in fields.

Example: | where searchmatch("error")


43. loadjob

Loads the results of a previously saved or scheduled search job, beneficial for reusing search results to avoid repeated queries.

Example: | loadjob savedsearch="user:app/savedsearch_name"


44. metadata

Retrieves metadata information about events, hosts, and sources, such as count, first occurrence, and last occurrence.

Example: | metadata type=hosts


45. convert

Changes the format of numeric, date, or duration fields.

Example: | convert ctime(_time)


46. eventcount

Returns the count of events in the specified index or time range, useful for summary views.

Example: | eventcount index=my_index


47. anomalies

Detects anomalous patterns in data over a specified time range.

Example: | anomalies field=response_time threshold=3


48. kmeans

Clusters events based on field values into K groups, using k-means clustering. Great for data segmentation.

Example: | kmeans k=5


49. predict

Predicts future values based on historical data patterns. Useful for forecasting trends or seasonal data.

Example: | predict sales future_timespan=30


50. outlier

Identifies outliers in a dataset based on statistical deviation.

Example: | outlier action=remove


51. makeresults

Generates dummy results for testing and troubleshooting, creating sample events on the fly.

Example: | makeresults count=5


52. tags

Used for searching data based on assigned tags, often for categorizing data sources or types.

Example: | search tag=web
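The following is an added example, not part of the original article, that chains many of the commands above into one defensive search: it assumes an index named auth with sourcetype linux_secure holding OpenSSH "Failed password" lines, and a lookup table named asset_lookup keyed on an ip column with owner and zone columns. It extracts the user and source address with rex, buckets events into ten-minute windows with bin, aggregates with stats, filters with where, enriches with lookup and fillnull, rates each window with eval case, and orders and shapes the output with sort and table.

```spl
index=auth sourcetype=linux_secure "Failed password"
| rex field=_raw "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| bin span=10m _time
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users BY _time, src_ip
| where failures > 20
| lookup asset_lookup ip AS src_ip OUTPUT owner, zone
| fillnull value="unknown" owner zone
| eval severity=case(failures>100, "high", failures>50, "medium", true(), "low")
| sort -failures
| table _time, src_ip, zone, owner, failures, distinct_users, users, severity
```

The threshold of 20 failures per ten minutes and the severity bands are placeholders to tune against your own baseline; a high distinct_users count for a single src_ip points at password spraying rather than a single locked-out user.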

These commands add flexibility to Splunk queries, allowing for efficient data manipulation, search optimization, and detailed analysis across various data types and structures.
