Things to note:
• By default, searches are performed over All time. Protect yourself by including earliest=-1d or an appropriate time range in your query.
• By default, Splunk will only output 100 lines of results. If you need more, use the -maxout flag.
• Search requires authentication, so the user will be asked to authenticate unless -auth is included as an argument.
Most command-line use cases involve counting events and passing the results to other systems. Let's try a simple stats call to count instances of the word error over the last hour by host:
$ /opt/splunk/bin/splunk search 'earliest=-1h error | stats count by host'
This produces:
host count
------------ -----
host2 3114
vlb.local 3063
Things to notice in this case are:
• earliest=-1h is included to limit the query to the last hour.
• By default, the output is in a table format. This is nicer to read, but much harder to parse in another scripting language. Use -output to control the output format.
• By default, Splunk will render a preview of the results as results are retrieved. This slows down the overall execution. Disable preview with -preview false. Previews are not calculated when the script is not being called from an interactive terminal, for instance, when run from cron.
To retrieve the output as CSV, try the following code:
$ /opt/splunk/bin/splunk search 'earliest=-1h error | stats count by host' -output csv -preview false
This gives us the following output:
count,host
3120,host2
3078,"vlb.local"
Note that if there are no results, the output will be empty.
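The following wrapper is an added example (not code from the book) that puts the points above together: it assembles a non-interactive CLI search with an explicit time range, -output csv, -preview false and -maxout, runs it with subprocess, and parses the CSV back into host counts, treating empty output as "no results" rather than an error. The binary path comes from the commands above; the function names and the sample CSV text are constructed here for illustration, and the -auth value format is assumed to be user:password.

```python
"""Wrapper around `splunk search` for use from cron or other scripts.

Added example, not part of the book. Function names and the sample CSV below
are constructed for illustration; only the binary path and the query come
from the page.
"""
import csv
import io
import subprocess
from typing import Dict, List, Optional

SPLUNK_BIN = "/opt/splunk/bin/splunk"  # path used in the page's commands


def build_search_argv(spl: str, earliest: str = "-1h", maxout: int = 10000,
                      auth: Optional[str] = None) -> List[str]:
    """Assemble argv for a non-interactive Splunk CLI search.

    - an earliest= term is prepended unless the query already has one, so the
      search never silently runs over All time
    - -output csv makes the result machine-readable
    - -preview false avoids the preview rendering cost
    - -maxout raises the default cap of 100 result lines
    - -auth (assumed user:password form) avoids the interactive prompt
    """
    query = spl if "earliest=" in spl else f"earliest={earliest} {spl}"
    argv = [SPLUNK_BIN, "search", query,
            "-output", "csv", "-preview", "false", "-maxout", str(maxout)]
    if auth:
        argv += ["-auth", auth]
    return argv


def parse_counts_csv(text: str) -> Dict[str, int]:
    """Parse the 'count,host' CSV from `stats count by host` into {host: count}.

    Empty output (no matching events, as the page notes) yields an empty dict;
    a non-zero exit status from the CLI is left to the caller to distinguish
    a failed search from a search with no results.
    """
    if not text.strip():
        return {}
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or not {"host", "count"} <= set(reader.fieldnames):
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    return {row["host"]: int(row["count"]) for row in reader}


def run_error_counts(earliest: str = "-1h",
                     auth: Optional[str] = None) -> Dict[str, int]:
    """Run the page's query end to end and return host -> error count."""
    argv = build_search_argv("error | stats count by host",
                             earliest=earliest, auth=auth)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_counts_csv(proc.stdout)


# Constructed sample: the CSV output shown on the page for the same query.
SAMPLE_CSV = 'count,host\n3120,host2\n3078,"vlb.local"\n'

if __name__ == "__main__":
    print(parse_counts_csv(SAMPLE_CSV))   # {'host2': 3120, 'vlb.local': 3078}
    print(parse_counts_csv(""))           # {} -> no results
    print(" ".join(build_search_argv("error | stats count by host")))
```

Because the parser keys on column names rather than positions, it still works if Splunk emits the columns in a different order; a missing host or count column raises instead of silently returning nonsense.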