Splunk-Notes

index="tutorial_data" host="www1"
Searches for events in tutorial_data where the host is www1. Useful for isolating logs from a specific host.

index="tutorial_data" (host="www1" OR host="www2")
Finds events where the host is either www1 or www2. The OR operator broadens the search across multiple hosts.

index="tutorial_data" sourcetype="access_combined_wcookie" 200
Searches for events in tutorial_data with the specified sourcetype that contain the term 200 anywhere in the raw event text (a bare term is not tied to a field, so it can also match 200 in a byte count or URL). Useful as a quick filter for successful HTTP responses; status=200 is the field-scoped form.

index="tutorial_data" sourcetype="access_combined_wcookie" AND action="purchase"
Filters events with both sourcetype=access_combined_wcookie and action="purchase". The AND operator ensures both conditions are met (AND is also implied between adjacent search terms, so writing it out is optional).

index="tutorial_data" sourcetype="access_*" host="www1"
Searches across all sourcetypes that start with access_ in the tutorial_data index for host www1. This is helpful when dealing with multiple access log types.

index="tutorial_data" sourcetype="access_*" status=200
Finds events with a status=200 across all access-related sourcetypes. Useful for summarizing successful access logs.

index="tutorial_data" action="purchase" status=200 | stats count by status
Counts events where action=purchase and status=200, grouping them by status. Provides a quick view of successful purchase actions.

index="tutorial_data" sourcetype="access_combined_wcookie" status=200 | rex field=clientip "(?<FIRSTDIGITS>[\d]+)"
Extracts the first run of digits in clientip (the first octet of the address) and assigns it to the new field FIRSTDIGITS. This is useful for isolating patterns within IP addresses.

index="tutorial_data" sourcetype="access_combined_wcookie" | eval SREEERROR="HTTPD_CODE:"+status
Creates a new field SREEERROR by concatenating HTTPD_CODE: with the status field value. Useful for custom error labeling.

index="tutorial_data" sourcetype="access_combined_wcookie" status=200 action=purchase [search index="tutorial_data" sourcetype="access_combined_wcookie" status=200 action=purchase | top limit=1 clientip | table clientip]
Searches for status=200 and action=purchase events, filtered to the single most common clientip returned by the subsearch. The subsearch runs first; its one-row clientip result is turned into a clientip=<value> condition on the outer search. Useful for combining primary and subsearch results.

index="tutorial_data" sourcetype="access_*" | eval CUSTOM_ERR=if(status == 200, "OK", "Problem")
Creates a new field CUSTOM_ERR that displays "OK" if status=200, and "Problem" otherwise. Useful for quickly identifying issues based on status codes.

index="tutorial_data" sourcetype="access_*" | chart count as views
Generates a count of events, renaming the count as views. chart is used here for summarizing data in a visual-friendly format.

index="tutorial_data" sourcetype="access_*" action=purchase | timechart span=12h count by productId
Uses timechart to display the count of purchases by productId in 12-hour intervals. Helpful for observing trends in product purchases over time.

index="tutorial_data" sourcetype="access_*" action="purchase" status=200 productId!=""
Searches for events where action="purchase", status=200, and productId is not empty, focusing on successful purchase events with valid product information.

index="tutorial_data" sourcetype="access_*" action="purchase" status=200 productId!="" | lookup prices_lookup productId AS productId OUTPUT price AS PRICE
Uses a lookup table (prices_lookup) to enrich the search with pricing information for each productId, outputting the price as PRICE. Useful for adding context or additional data to search results.

Here’s an explanation for each panel in the SPLUNK LAB DASHBOARD. This includes the purpose of each search, the commands used, and what each panel visualizes in terms of sales data.


SPLUNK LAB DASHBOARD EXPLANATION

PANEL 1: SALES (Top Left, Single Value Panel)

Search: index="tutorial_data" sourcetype="access*" action="purchase" status=200 | stats sum(price) AS "total" | fieldformat total="$" + total + " USD"

Explanation:
- Purpose: This panel calculates the total sales value by summing the price field for all completed purchases.
- Commands:
  - stats sum(price) AS "total": Aggregates the total price of all purchases with status=200 (indicating successful transactions).
  - fieldformat: Formats the total field to display as currency with "$" and "USD".
- Rounding version: index="tutorial_data" sourcetype="access*" action=purchase status=200 | stats sum(price) AS "total" | eval total=round(total, 0) | fieldformat total="$" + total + " USD"
  - This version rounds the total to the nearest whole dollar using round(total, 0) for a cleaner display.

PANEL 2: DAILY SALES (Top Right, Line Chart; Connected to Time Picker)

Search: index="tutorial_data" sourcetype="access_*" action=purchase status=200 | timechart span=1d sum(price) as "Sales"

Explanation:
- Purpose: This panel shows daily sales over time as a line chart, enabling users to track sales trends.
- Commands:
  - timechart span=1d sum(price) as "Sales": Aggregates total daily sales by summing the price field and plots them at a daily (1d) interval.
- Notes:
  - New version (October 2021): sum(productPrice) was used initially but has been replaced by sum(price) for consistency with the data source.

PANEL 3: TOP PRODUCTS BY SALES (Bottom Left, Pie Chart; Connected to Time Picker)

Search: index="tutorial_data" sourcetype="access*" action="purchase" status=200 | top productName showperc=0

Explanation:
- Purpose: This panel displays a pie chart of top-selling products, helping visualize which products contribute most to sales.
- Commands:
  - top productName showperc=0: Identifies the most frequently purchased products (productName) without showing percentages (showperc=0).
- Chart type: Pie chart, to show the proportional representation of top products based on the number of purchases.

PANEL 4: PURCHASE DETAILS (Bottom Right, Table; Connected to Time Picker)

Search: index="tutorial_data" sourcetype="access_*" action="purchase" status=200 productId!="" | rename _time as Date, clientip as clientIP | fieldformat Date = strftime(Date, "%b-%d-%Y %H:%M:%S") | table Date, productId, productName, clientIP

Explanation:
- Purpose: This panel provides a detailed view of each purchase, showing the purchase date, product ID, product name, and client IP.
- Commands:
  - rename _time as Date, clientip as clientIP: Renames fields for better readability in the table.
  - fieldformat Date = strftime(Date, "%b-%d-%Y %H:%M:%S"): Formats the date for a more readable display (Month-Day-Year format with time).
  - table Date, productId, productName, clientIP: Displays the data in a structured table.
- Client IP extraction:
  - Regex pattern: ^(?P<clientIP>\d+\.\d+\.\d+\.\d+)
  - This regular expression can be used (with rex) to extract clientIP from the start of the raw event if the field is not available by default.

DRILL-DOWN FUNCTIONALITY

Search: index="tutorial_data" sourcetype="access_*" action="purchase" status=200 productId!="" productName="$productNameToken$" | rename _time as Date, clientip as clientIP | fieldformat Date = strftime(Date, "%b-%d-%Y %H:%M:%S") | table Date, productId, productName, clientIP

Explanation:
- Purpose: Allows users to drill down into specific product details by selecting a product name from the dashboard.
- Commands:
  - productName="$productNameToken$": Uses a token ($productNameToken$) that is set by user interaction on the dashboard, filtering results to show only the selected product.
  - The remaining commands format and display detailed information for each transaction involving the selected product.

Initialization: <init> <set token="productNameToken">*</set> </init>
- This <init> block initializes productNameToken with a wildcard (*), so the dashboard initially displays all products until a specific product is selected.
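To make the dashboard logic concrete outside Splunk, the following added example (not from the original notes or from Splunk) replays the searches above in Python: the page's clientIP regex and CUSTOM_ERR eval from the search notes, the shared action=purchase status=200 productId!="" filter, the prices_lookup enrichment, and the sum(price), timechart span=1d and top productName aggregations behind panels 1 to 3. The log lines, product IDs, names and prices are constructed stand-ins, and the request-line regex is an assumption about the access_combined_wcookie layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access_combined_wcookie-style lines (not real tutorial_data events).
SAMPLE_EVENTS = [
    '10.1.2.3 - - [12/Oct/2021:10:15:00 +0000] "GET /cart.do?action=purchase&productId=P-100 HTTP/1.1" 200',
    '10.1.2.3 - - [12/Oct/2021:11:00:00 +0000] "GET /cart.do?action=purchase&productId=P-200 HTTP/1.1" 200',
    '192.168.5.9 - - [12/Oct/2021:12:30:00 +0000] "GET /cart.do?action=purchase&productId=P-100 HTTP/1.1" 503',
    '192.168.5.9 - - [13/Oct/2021:09:05:00 +0000] "GET /cart.do?action=view&productId=P-100 HTTP/1.1" 200',
    '172.16.0.7 - - [13/Oct/2021:14:45:00 +0000] "GET /cart.do?action=purchase&productId=P-100 HTTP/1.1" 200',
    '172.16.0.7 - - [13/Oct/2021:15:00:00 +0000] "GET /cart.do?action=purchase&productId= HTTP/1.1" 200',
]
PRICES_LOOKUP = {"P-100": ("Widget A", 24.50), "P-200": ("Widget B", 10.25)}  # hypothetical prices_lookup
CLIENT_IP = re.compile(r"^(?P<clientIP>\d+\.\d+\.\d+\.\d+)")  # the page's clientIP pattern, unchanged
FIELDS = re.compile(r'\[(?P<ts>[^\]]+)\] "[^"]*action=(?P<action>\w*)&productId='
                    r'(?P<productId>[^& "]*)[^"]*" (?P<status>\d{3})')  # assumed request layout

def parse_event(line):
    """Pull out clientip, _time, action, productId, status; then apply the lookup and eval."""
    ip, rest = CLIENT_IP.match(line), FIELDS.search(line)
    if not ip or not rest:
        return None
    ev = rest.groupdict()
    ev["clientip"] = ip.group("clientIP")
    ev["status"] = int(ev["status"])
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ev["productName"], ev["price"] = PRICES_LOOKUP.get(ev["productId"], (None, None))
    ev["CUSTOM_ERR"] = "OK" if ev["status"] == 200 else "Problem"  # eval CUSTOM_ERR=if(status == 200, ...)
    return ev

def successful_purchases(lines):
    """The filter shared by every sales panel: action=purchase status=200 productId!=""."""
    return [e for e in map(parse_event, lines) if e and e["action"] == "purchase"
            and e["status"] == 200 and e["productId"] != ""]

def total_sales(lines):
    """Panel 1: stats sum(price) AS total | eval total=round(total, 0). Null prices are skipped like Splunk's sum."""
    return round(sum(e["price"] for e in successful_purchases(lines) if e["price"] is not None), 0)

def daily_sales(lines):
    """Panel 2: timechart span=1d sum(price), keyed by calendar day (UTC here)."""
    per_day = defaultdict(float)
    for e in successful_purchases(lines):
        if e["price"] is not None:
            per_day[e["_time"].date().isoformat()] += e["price"]
    return dict(per_day)

def top_products(lines):
    """Panel 3: top productName showperc=0, as (productName, count) pairs in descending order."""
    return Counter(e["productName"] for e in successful_purchases(lines)).most_common()
```

Of the six constructed lines only three survive the shared filter (the 503, the action=view and the empty productId are dropped), which is the same pruning the panels perform before aggregating.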


FINAL DASHBOARD STRUCTURE

This dashboard design gives an interactive, comprehensive view of sales metrics, trends, and detailed transactions in an easy-to-navigate layout.