Copyright © 2016 Splunk Inc.
Power of Splunk Search Processing Language (SPL™)
Tian Chen, Solutions Engineer
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
● Overview & Anatomy of a Search
  – Quick refresher on search language and structure
● SPL Commands and Examples
  – Searching, charting, converging, mapping, transactions, anomalies, exploring
● Custom Commands
  – Extend the capabilities of SPL
● Q&A
SPL Overview
SPL Overview
● More than 140 search commands
● Syntax was originally based on the Unix pipeline and SQL, and is optimized for time-series data
● The scope of SPL includes data searching, filtering, modification, manipulation, enrichment, insertion and deletion
● Includes anomaly detection and machine learning
Why Create a New Query Language?
● Flexibility and effectiveness on small and big data
● Late-binding schema
● More/better methods of correlation
● Not just analyze, but visualize
SPL Basic Structure
search and filter | munge | report | cleanup

sourcetype=access*
| eval KB=bytes/1024
| stats sum(KB) dc(clientip)
| rename sum(KB) AS "Total KB" dc(clientip) AS "Unique Customers"
SPL Examples
SPL Examples and Recipes
● Find the needle in the haystack
● Charting statistics and predicting values
● Enriching and converging data sources
● Map geographic data in real time
● Identifying anomalies
● Transactions
● Data exploration & finding relationships between fields
● Custom Commands
Search and Filter – Examples
● Keyword search:
  sourcetype=access* http
● Filter:
  sourcetype=access* http host=webserver-02
● Combined:
  sourcetype=access* http host=webserver-02 (503 OR 504)
Eval – Modify or Create New Fields and Values – Examples
● Calculation:
  sourcetype=access* | eval KB=bytes/1024
● Evaluation:
  sourcetype=access* | eval http_response = if(status != 200, "Error", "OK")
● Concatenation:
  sourcetype=access* | eval connection = device." - ".clientip
  sourcetype=access* | eval connection = clientip.":".port
Eval – Just Getting Started!
Splunk Search Quick Reference Guide
Stats, Timechart, Eventstats, Streamstats
Stats – Calculate Statistics Based on Field Values – Examples
● Calculate stats and rename:
  index=power_of_spl | stats avg(bytes) AS "Avg Bytes"
● Multiple statistics:
  index=power_of_spl | stats avg(bytes) AS bytes sparkline(avg(bytes)) AS Bytes_Trend min(bytes) max(bytes)
● By another field:
  index=power_of_spl | stats avg(bytes) AS avg_bytes sparkline(avg(bytes)) AS Bytes_Trend min(bytes) max(bytes) by clientip | sort - avg_bytes
Timechart – Visualize Statistics Over Time – Examples
● Visualize stats over time:
  index=power_of_spl | timechart avg(bytes)
● Add a trendline:
  index=power_of_spl | timechart avg(bytes) as bytes | trendline sma5(bytes)
● Add a prediction overlay:
  index=power_of_spl | timechart avg(bytes) as bytes | predict future_timespan=5 bytes
Streamstats / Eventstats – Cumulative Totals and Summary Statistics – Examples
● Cumulative/Running Totals (reverse puts events in ascending time order so the running sum accumulates chronologically):
  index=power_of_spl | reverse | streamstats sum(bytes) AS sum_bytes | timechart latest(sum_bytes) as "Total Bytes"
● Summary Statistics:
  index=power_of_spl | eventstats avg(bytes) AS overall_avg_bytes | stats avg(bytes) as clientip_avg_bytes by clientip overall_avg_bytes
Stats/Timechart – But Wait, There’s More!
Splunk Search Quick Reference Guide
Converging Data Sources
Index Untapped Data: Any Source, Type, Volume
(Diagram of data sources: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; deployed on-premises, in a private cloud or a public cloud; "Ask Any Question" across application delivery; security, compliance and fraud; IT operations; business analytics; industrial data and the Internet of Things.)
Converging Data Sources – Examples
● Enrich data with lookups:
  index=power_of_spl status!=200 | lookup customer_info uid | stats count by customer_value
● Search Inception! (the subsearch returns the top talker's clientip into the outer search):
  index=power_of_spl [ search index=power_of_spl | stats sum(bytes) as total_bytes by clientip | sort - total_bytes | head 1 | return clientip ] | stats count by clientip status uri | sort - count
● Append multiple searches:
  index=power_of_spl | timechart span=15s avg(bytes) as avg_bytes | appendcols [ search index=power_of_spl | stats stdev(bytes) as stdev_bytes ] | eval 2stdv_upper = avg_bytes + stdev_bytes*2 | filldown 2stdv_upper | eval 2stdv_lower = avg_bytes - stdev_bytes*2 | filldown 2stdv_lower | eval 2stdv_lower = if('2stdv_lower' < 0, 0, '2stdv_lower') | fields - stdev_bytes
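The "Append multiple searches" recipe above, re-implemented in Python on constructed sample events so each SPL stage (timechart span=15s, the appendcols stdev, filldown, the clamp at 0) can be traced; this is an added example, not code from the deck, and the last function goes one step beyond the slide by flagging the events that fall outside the band.

```python
"""Re-implementation of the 'Append multiple searches' recipe: a per-bucket
average with a band of +/- 2 global standard deviations.
Added example on constructed data; not Splunk code."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample events as (_time, bytes). BASE is a multiple of 15 so the
# buckets line up with `span=15s`. One oversized response sits in bucket 2.
BASE = 1700000010
SAMPLE_EVENTS = [
    (BASE + 0, 512), (BASE + 4, 480), (BASE + 9, 530),
    (BASE + 15, 505), (BASE + 20, 495), (BASE + 28, 20480),
    (BASE + 30, 500), (BASE + 39, 515),
    (BASE + 45, 490), (BASE + 50, 510), (BASE + 58, 505),
]


def timechart_avg(events, span=15):
    """`timechart span=15s avg(bytes) as avg_bytes`: bucket by span, then average."""
    buckets = defaultdict(list)
    for t, b in events:
        buckets[(t // span) * span].append(b)
    return [(start, mean(vals)) for start, vals in sorted(buckets.items())]


def overall_stdev(events):
    """The appendcols subsearch `stats stdev(bytes)`. Splunk's stdev is the
    sample standard deviation (n-1), which is what statistics.stdev computes."""
    return stdev([b for _, b in events])


def two_stdev_band(events, span=15):
    """Rows of (bucket_start, avg_bytes, 2stdv_upper, 2stdv_lower).
    appendcols puts stdev_bytes on the first row only and filldown copies it
    to every later row, so one global stdev applies to all buckets. The last
    eval in the recipe clamps the lower bound at 0; max() does that here."""
    sd = overall_stdev(events)
    rows = []
    for start, avg_bytes in timechart_avg(events, span):
        rows.append((start, avg_bytes, avg_bytes + 2 * sd, max(0.0, avg_bytes - 2 * sd)))
    return rows


def events_outside_band(events, span=15):
    """One step past the slide, which only charts the band: return the
    individual events whose bytes fall outside their own bucket's band.
    A bucket's average is always inside its band, so this is the check
    that actually surfaces the spike."""
    band = {start: (upper, lower) for start, _, upper, lower in two_stdev_band(events, span)}
    flagged = []
    for t, b in events:
        upper, lower = band[(t // span) * span]
        if b > upper or b < lower:
            flagged.append((t, b))
    return flagged


if __name__ == "__main__":
    for row in two_stdev_band(SAMPLE_EVENTS):
        print("bucket=%d avg=%.1f upper=%.1f lower=%.1f" % row)
    print("outside band:", events_outside_band(SAMPLE_EVENTS))
```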
iplocation, geostats, geom, table – Geographic Data – Examples
● Assign Lat/Lon to IP addresses:
  … | iplocation clientip
● Visualize statistics geographically:
  … | geostats sum(price) by product
● Use custom choropleths:
  … | geom <featureCollection> <featureId>
● Track object movements:
  … | table _time latitude longitude vehicleId
Anomaly Detection – Find Anomalies in Your Data – Examples
● Find anomalies:
  | inputlookup car_data.csv | anomalydetection
● Summarize anomalies:
  | inputlookup car_data.csv | anomalydetection action=summary
● Use IQR and remove outliers:
  | inputlookup car_data.csv | anomalydetection method=iqr action=remove
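What the IQR method behind `anomalydetection method=iqr` computes, written out in Python over a constructed stand-in for car_data.csv with the three actions modelled (annotate, remove, summary); this is an added example, not Splunk's implementation, and the 1.5×IQR multiplier is an assumption (Tukey's fences), not Splunk's default.

```python
"""IQR outlier detection for one numeric field, modelled on
`anomalydetection method=iqr`. Added example on constructed records."""
from statistics import quantiles

# Constructed stand-in for car_data.csv: one implausibly low and one implausibly
# high fuel-economy value, plus a record with no mpg at all.
CAR_DATA = [
    {"model": "a", "mpg": 5},  {"model": "b", "mpg": 18}, {"model": "c", "mpg": 21},
    {"model": "d", "mpg": 22}, {"model": "e", "mpg": 24}, {"model": "f", "mpg": 25},
    {"model": "g", "mpg": 26}, {"model": "h", "mpg": 27}, {"model": "i", "mpg": 28},
    {"model": "j", "mpg": 30}, {"model": "k", "mpg": 31}, {"model": "l", "mpg": 33},
    {"model": "m", "mpg": 120}, {"model": "n"},
]


def iqr_bounds(values, k=1.5):
    """Return (lower, upper) = (Q1 - k*IQR, Q3 + k*IQR) for a list of numbers."""
    q1, _, q3 = quantiles(values, n=4, method="exclusive")
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def anomalydetection_iqr(records, field, action="annotate", k=1.5):
    """Flag records whose `field` lies outside the IQR fences.
    action="annotate" adds an isOutlier flag (records without the field pass
    through unflagged, as SPL leaves null fields alone);
    action="remove" drops the outliers, like the slide's `action=remove`;
    action="summary" returns counts and bounds, like `action=summary`."""
    values = [r[field] for r in records if isinstance(r.get(field), (int, float))]
    lower, upper = iqr_bounds(values, k)
    out = []
    n_outliers = 0
    for rec in records:
        v = rec.get(field)
        is_outlier = isinstance(v, (int, float)) and (v < lower or v > upper)
        n_outliers += is_outlier
        if action == "remove" and is_outlier:
            continue
        annotated = dict(rec)
        if action == "annotate":
            annotated["isOutlier"] = is_outlier
        out.append(annotated)
    if action == "summary":
        return {"field": field, "num_anomalies": n_outliers, "lower": lower, "upper": upper}
    return out


if __name__ == "__main__":
    print(anomalydetection_iqr(CAR_DATA, "mpg", action="summary"))
    for rec in anomalydetection_iqr(CAR_DATA, "mpg"):
        if rec.get("isOutlier"):
            print("outlier:", rec)
```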
Transaction – Group Related Events Spanning Time – Examples
● Group by session ID:
  sourcetype=access* | transaction JSESSIONID
● Calculate session durations:
  sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration)
● Stats is better (faster and more memory-efficient than transaction):
  sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest by JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration)
Data Exploration
| analyzefields | anomalies | arules | associate | cluster | contingency | correlate | fieldsummary
Cluster, Correlate, Contingency, Analyzefields – Exploring Your Data – Examples
● Find most/least common events:
  * | cluster showcount=t t=.1 | table _raw cluster_count
● Display summary of fields:
  sourcetype=access_combined | fields - date* source* time* | fieldsummary maxvals=5
● Show patterns of co-occurring fields:
  sourcetype=access_combined | fields - date* source* time* | correlate
● View field relationships:
  sourcetype=access_combined | contingency uri status
● Find predictors of fields:
  sourcetype=access_combined | analyzefields classfield=status
Machine Learning Toolkit and Showcase – Examples
● Predict Numeric Fields
● Predict Categorical Fields
● Detect Numerical Outliers
● Detect Categorical Outliers
● Forecast Time Series
● Cluster Events
Custom Commands
● What is a Custom Command?
  – "| haversine origin="47.62,-122.34" outputField=dist lat lon"
● Why do we use Custom Commands?
  – Run other/external algorithms on your Splunk data
  – Save time munging data (see Timewrap!)
  – Because you can!
● Create your own or download as Apps
  – Haversine (distance between two GPS coords)
  – Timewrap (enhanced time overlay)
  – Levenshtein (fuzzy string compare)
  – Base64 (encode/decode)
Custom Commands – Haversine – Examples
● Download and install the Haversine app
● Read the documentation, then use it in SPL:
  sourcetype=access* | iplocation clientip | search City=A* | haversine origin="47.62,-122.34" units=mi outputField=dist lat lon | table clientip, City, dist, lat, lon
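The core a haversine streaming command needs in order to add the `dist` field the slide shows, as an added Python example; this is not the Haversine app's own code, the function names (parse_origin, stream, distances_for) and the radius constants are assumptions, and the sample records are constructed to look like `iplocation clientip` output, including one private address that iplocation could not resolve.

```python
"""Core of a haversine streaming command (added example, not the app's code)."""
import math

# Mean Earth radius per unit (assumed constants).
EARTH_RADIUS = {"km": 6371.0, "mi": 3958.8, "m": 6371000.0}


def parse_origin(origin):
    """Turn the origin="lat,lon" option into two floats."""
    lat_s, lon_s = origin.split(",")
    return float(lat_s), float(lon_s)


def haversine_distance(lat1, lon1, lat2, lon2, units="km"):
    """Great-circle distance between two points using the haversine formula."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS[units] * math.asin(math.sqrt(a))


def stream(records, origin, units="km", output_field="dist", lat_field="lat", lon_field="lon"):
    """Per-event loop of a streaming command (in a Splunk app it would sit in
    the stream() method of a splunklib StreamingCommand). Records whose lat/lon
    are missing or blank, e.g. because iplocation could not resolve a private
    address, are passed through without output_field, the way SPL leaves a
    field null instead of aborting the search."""
    olat, olon = parse_origin(origin)
    for rec in records:
        try:
            lat, lon = float(rec[lat_field]), float(rec[lon_field])
        except (KeyError, TypeError, ValueError):
            yield rec
            continue
        out = dict(rec)
        out[output_field] = round(haversine_distance(olat, olon, lat, lon, units), 3)
        yield out


# Constructed records shaped like `iplocation clientip` output (not real data).
SAMPLE_RECORDS = [
    {"clientip": "203.0.113.10", "City": "Origin", "lat": "47.62", "lon": "-122.34"},
    {"clientip": "198.51.100.7", "City": "Equator", "lat": "0", "lon": "1"},
    {"clientip": "10.0.0.5", "City": "", "lat": "", "lon": ""},  # unresolved private IP
]


def distances_for(records, origin="47.62,-122.34", units="mi"):
    """Apply stream() with the slide's origin and units; return the output rows."""
    return list(stream(records, origin, units=units, output_field="dist"))


if __name__ == "__main__":
    for rec in distances_for(SAMPLE_RECORDS):
        print(rec["clientip"], rec["City"], rec.get("dist", "(no coordinates)"))
```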
For More Information
● Additional information can be found in:
  – Power Of SPL App!
  – Search Manual
  – Blogs
  – Answers
  – Exploring Splunk
Q & A
Thank you!