Table of Contents generated with DocToc


layout: post title: β€œSplunk cheat sheet” teaser: Cheat sheet for splunk queries date: 2017-03-08 12:39:26 +0000 categories: cheat-sheets tags: cheat-sheets β€”

Extract subnet from IP address

<search> |  rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+" | stats count by subnet

Calculate availability percentage based on status code

index="prod1" sourcetype="mc-gdm:web:access-log" | stats count as total, count(eval(statusCode=200)) as ok | eval uptime=((ok/total)*100) | table uptime

Extract HTTP status code from web access logs

# log format: 172.22.83.162 - - [10/Jul/2018:14:46:42 +0000] "GET /tests/benefits HTTP/1.1" 200 337 "-" "Ruby" 0
index="prod" sourcetype="aws:cloudwatchlogs" source="eu-central-1:/aws/elasticbeanstalk/strategic-atam-prod/var/log/web-1.log*" | rex field=_raw "^(?:[^ \n]* ){8}(?P<statusCode>\d+)"