Splunk Search Command Series: Halloween Edition

Halloween is hands down my favorite time of the year. Candy, costumes, scary movies, cold weather, haunted houses (or hayrides), what’s not to love? Every time Halloween rolls around, I am always looking for a good fright. While this year has been a disappointment for going out and experiencing all the scares, Splunk has been there to provide a terrifyingly good time.

Today, let’s look at a couple of search commands that are so good…it’s SCARY.

1. Rex command

2. Fillnull

3. Rename

(t)rex

In the land before time, one creature ruled the earth…  

Nah, just kidding. We’re not talking about dinosaurs; we’re looking at the rex command.

Field extractions don’t always pull out all the values that we need for our search. That might be due to irregular data patterns, low visibility, or the value simply not being worth an extracted field. Regardless of the reason, we always come back to the data and extract the values through our search. Rex allows us to use a regular expression in our search to extract values and create a new field.

|rex field=<field> "<regular_expression>"

Instead of breaking down each section, it might be easier to show an example. Here are a few sample events:

10:41:35 PM – I saw Casper walking down the hallway 

08:31:36 PM – I saw Zuul running after me 

06:33:12 PM – I saw Jason coming out of the lake 

04:05:01 PM – I saw Jigsaw setting something up in the basement 

02:36:52 PM – I saw Hannibal making dinner 

Apparently, we need to get out of the house we’re staying at…or call the cops, right? (We all know the phone lines have already been cut😥).

Before we do anything, we need to assess all the “things” we saw. In my panic, I forgot to set up proper field extractions and didn’t write a line in props.conf for monsters. Luckily, I can use rex to quickly grab these values.  

|rex field=_raw "saw\s+(?<scary_things>\w+)"

From there we will get a list of our monsters:

Casper 

Zuul 

Jason 

Jigsaw 

Hannibal 

Fillnull

You ever look at the results and notice the empty fields? Is that data missing, or was it never really there? (X-Files music plays in the background.) These are null values in your data, usually caused by a field not being present in some events. In a results set this would look like empty cells, and all those empty cells might drive you to insanity. To help ease your mind, we can use fillnull to complete our tables.

|fillnull value=<value>

By entering a value, fillnull will fill the empty cells with your chosen value. This could be a number like 0 or a string like “null” or “empty”.

Rename

Field names don’t always play nicely. In terms of compliance or formatting, field names can really jump out and scare you. In order to blend in, we may need to resort to putting a mask over them. The rename search command lets us do just that.

|rename <field> as <new_name>

Here are some examples of rename command in action:  

|rename monsters as users 

|rename insane_asylums as dest 
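To make the three commands concrete outside of Splunk, here is an added Python example (not code from the original post, and not Splunk’s own implementation) that models the rex, fillnull and rename steps above as a small pipeline over the sample events. The events are constructed, with one extra event that contains no “saw” clause so there is a null for fillnull to handle; the function names rex, fillnull, rename and monsters are hypothetical stand-ins for the SPL commands. One thing the post’s syntax does not show: Splunk’s rex uses PCRE-style named groups, (?<name>...), while Python’s re module spells them (?P<name>...), so the pattern is adjusted accordingly.

```python
import re

# Constructed sample events, modelled on the ones in the post, plus one
# event with no monster sighting so the null-handling step has work to do.
EVENTS = [
    "10:41:35 PM - I saw Casper walking down the hallway",
    "08:31:36 PM - I saw Zuul running after me",
    "06:33:12 PM - I saw Jason coming out of the lake",
    "04:05:01 PM - I saw Jigsaw setting something up in the basement",
    "02:36:52 PM - I saw Hannibal making dinner",
    "01:12:00 PM - heard a noise from the attic",   # no "saw" clause: field stays null
]

# The post's pattern, saw\s+(?<scary_things>\w+), in Python's named-group syntax.
SCARY_RE = re.compile(r"saw\s+(?P<scary_things>\w+)")


def rex(events, pattern, field="_raw"):
    """Mimic `| rex field=<field> "<regex>"`: each named group becomes a field.
    Events the pattern does not match continue through the pipeline with the
    field absent (null), which is what Splunk does too."""
    out = []
    for raw in events:
        event = {"_raw": raw}
        m = pattern.search(event[field])
        if m:
            event.update(m.groupdict())
        out.append(event)
    return out


def fillnull(events, value="NULL", fields=None):
    """Mimic `| fillnull value=<value> [<fields>]`: fill absent fields.
    With no field list, every field seen anywhere in the result set is filled."""
    if fields is None:
        fields = sorted({k for e in events for k in e})
    return [{**e, **{f: value for f in fields if f not in e}} for e in events]


def rename(events, old, new):
    """Mimic `| rename <old> as <new>` on every event carrying the field."""
    return [{(new if k == old else k): v for k, v in e.items()} for e in events]


def monsters(events):
    """Run rex -> fillnull -> rename and return the final field values in order.
    Because fillnull ran, the renamed field exists on every event, so a later
    stats or table step never silently drops the unmatched event."""
    piped = rename(fillnull(rex(events, SCARY_RE), value="unknown"),
                   "scary_things", "users")
    return [e["users"] for e in piped]


if __name__ == "__main__":
    for name in monsters(EVENTS):
        print(name)
```

The order matters: fillnull has to run before any command that groups on the field, otherwise the event with no sighting disappears from the count instead of showing up as “unknown”, which is exactly the kind of silent gap the post warns about.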

That’s it for this scary edition of our Search Command Series. I hope these search commands help eliminate the fear behind slow search performance and the ghouls lurking in our data.

Don’t Be Scared of Splunk

Splunk can be pretty frightening, especially when you’re hiding from your searches. That’s where our EOD team comes in. Think the Ghost Busters… but for Splunk.

Our Splunk Search Command Series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chatting with our team of experts, fill out the form below!
