Splunk
- Extract subnet from IP address
- Calculate availability percentage based on status code
- Extract HTTP status code from web access logs
---
layout: post
title: "Splunk cheat sheet"
teaser: Cheat sheet for splunk queries
date: 2017-03-08 12:39:26 +0000
categories: cheat-sheets
tags: cheat-sheets
---
Extract subnet from IP address
<search> | rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+" | stats count by subnet
Calculate availability percentage based on status code
index="prod1" sourcetype="mc-gdm:web:access-log" | stats count as total, count(eval(statusCode=200)) as ok | eval uptime=((ok/total)*100) | table uptime
Extract HTTP status code from web access logs
# log format: 172.22.83.162 - - [10/Jul/2018:14:46:42 +0000] "GET /tests/benefits HTTP/1.1" 200 337 "-" "Ruby" 0
index="prod" sourcetype="aws:cloudwatchlogs" source="eu-central-1:/aws/elasticbeanstalk/strategic-atam-prod/var/log/web-1.log*" | rex field=_raw "^(?:[^ \n]* ){8}(?P<statusCode>\d+)"
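To check the two rex patterns above offline against the quoted log format, here is an added Python example (not part of the original cheat sheet): it runs the page's regexes over constructed sample events, mirrors the stats/eval pipeline of the availability query, and includes one event with a raw space in the request path to show that the token-counting pattern then extracts no status while the event still counts toward the total.

```python
import re
from collections import Counter

# Constructed sample events in the access-log format quoted on the page.
# The last line (raw space in the request path) is included on purpose to
# show where the token-counting regex stops matching.
SAMPLE_LOG = """\
172.22.83.162 - - [10/Jul/2018:14:46:42 +0000] "GET /tests/benefits HTTP/1.1" 200 337 "-" "Ruby" 0
172.22.83.17 - - [10/Jul/2018:14:46:43 +0000] "GET /health HTTP/1.1" 200 12 "-" "ELB-HealthChecker/2.0" 0
10.0.4.9 - - [10/Jul/2018:14:46:44 +0000] "POST /login HTTP/1.1" 500 0 "-" "curl/7.58.0" 1
172.22.83.162 - - [10/Jul/2018:14:46:45 +0000] "GET /tests/benefits HTTP/1.1" 503 0 "-" "Ruby" 0
10.0.4.9 - - [10/Jul/2018:14:46:46 +0000] "GET /search?q=a b HTTP/1.1" 200 40 "-" "curl/7.58.0" 0
"""

# The page's two rex patterns. Python spells named groups (?P<name>...);
# Splunk's rex accepts that form as well as PCRE's (?<name>...).
STATUS_RE = re.compile(r"^(?:[^ \n]* ){8}(?P<statusCode>\d+)")
SUBNET_RE = re.compile(r"(?P<subnet>\d+\.\d+\.\d+)\.\d+")
IP_RE = re.compile(r"^(?P<ip>\S+)")  # first token of the event; stands in for the ip field


def events(log=SAMPLE_LOG):
    return [line for line in log.splitlines() if line.strip()]


def extract_status(event):
    """Same extraction as the page's rex on _raw; None where rex would not match."""
    m = STATUS_RE.search(event)
    return int(m.group("statusCode")) if m else None


def subnet_counts(log=SAMPLE_LOG):
    """Equivalent of: rex field=ip "(?<subnet>...)\\.\\d+" | stats count by subnet"""
    counts = Counter()
    for event in events(log):
        m = SUBNET_RE.search(IP_RE.match(event).group("ip"))
        if m:
            counts[m.group("subnet")] += 1
    return dict(counts)


def availability(log=SAMPLE_LOG):
    """Equivalent of: stats count as total, count(eval(statusCode=200)) as ok | eval uptime=((ok/total)*100)

    total counts every event, ok only those whose extracted status is 200, so an
    event the rex did not parse (no statusCode field) still lowers the uptime."""
    evs = events(log)
    ok = sum(1 for e in evs if extract_status(e) == 200)
    return ok * 100 / len(evs) if evs else 0.0


if __name__ == "__main__":
    print([extract_status(e) for e in events()])  # [200, 200, 500, 503, None]
    print(subnet_counts())                          # {'172.22.83': 3, '10.0.4': 2}
    print(availability())                           # 40.0
```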