Tables, Charts, and Fields
Up to this point, we have learned how to search for and retrieve raw events, but
you will most likely want to create tables and charts to expose useful patterns.
Thankfully, the reporting commands in Splunk make short work of most reporting
tasks. We will step through a few common use cases in this chapter. Later in the
chapter, we will learn how to create custom fields for even more custom reports.
About the pipe symbol
Before we dive into the actual commands, it is important to understand what the
pipe symbol ( | ) is used for in Splunk. In a command line, the pipe symbol is used
to represent the sending of data from one process to another. For example, in a
Unix-style operating system, you might say:
grep foo access.log | grep bar
The first command finds, in the file access.log, lines that contain foo. Its output is
taken and piped to the input of the next grep command, which finds lines that contain
bar. The final output goes wherever it was destined, usually the terminal window.
The pipe symbol is different in Splunk in a few important ways:
1. Unlike the command line, events are not simply text, but rather each is a set
of key/value pairs. You can think of each event as a database row, a Python
dictionary, a JavaScript object, a Java map, or a Perl associative array. Some
fields are hidden from the user but are available for use. Many of these
hidden fields are prefixed with an underscore, for instance _raw, which
contains the original event text, and _time, which contains the parsed
time in UTC epoch form. Unlike a database, events do not adhere to a
schema, and fields are created dynamically.
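To make point 1 concrete, here is a small Python model of a Splunk-style pipeline (an added illustration, not code from the book or from Splunk): each event is a dictionary carrying the hidden _raw and _time fields plus whatever key=value fields the line happens to contain, and each stage receives and returns a list of events rather than lines of text. The log lines, field names and the search/stats helpers are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the book).
SAMPLE_LOG = """2024-03-01T12:00:01Z user=alice action=login status=success
2024-03-01T12:00:05Z user=bob action=login status=failure
2024-03-01T12:00:09Z user=alice action=download file=report.pdf
2024-03-01T12:00:12Z user=bob action=login status=failure"""

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Turn one raw line into a Splunk-style event: a dict of key/value pairs.
    _raw keeps the original text; _time is the timestamp as UTC epoch seconds.
    Every other field is discovered from the text; there is no fixed schema."""
    ts_text, _, rest = line.partition(' ')
    ts = datetime.strptime(ts_text, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    event = {'_raw': line, '_time': ts.timestamp()}
    event.update(KV_RE.findall(rest))  # key=value pairs become fields dynamically
    return event


def search(events, **criteria):
    """Stand-in for `search key=value ...`: keep events whose fields all match."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def stats_count_by(events, field):
    """Stand-in for `stats count by <field>`: a list of events in, a table out.
    Events that lack the field contribute nothing, which is why a schema is not
    needed: the field simply does not exist on those events."""
    counts = {}
    for e in events:
        if field in e:
            counts[e[field]] = counts.get(e[field], 0) + 1
    return counts


def failed_logins_by_user(log_text):
    """Pipeline: raw lines | search action=login status=failure | stats count by user."""
    events = [parse_event(line) for line in log_text.splitlines()]
    return stats_count_by(search(events, action='login', status='failure'), 'user')


if __name__ == '__main__':
    print(failed_logins_by_user(SAMPLE_LOG))  # {'bob': 2}
```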