
Search events with Splunk

Once you set up federated search, you can search an index in Imply Lumi using a federated index in Splunk®. In federated search, you use Splunk Search Processing Language (SPL) to query Imply Lumi events.

This topic provides federated search examples using SPL commands supported by Imply Lumi.

Supported commands

Some SPL commands in federated search run on the federated search head (Splunk) and others run on the remote search head (Imply Lumi). This topic lists commands that run on the federated search head by design and commands Imply has implemented on the remote search head.

If you want to use an SPL command that isn't listed here, try it out - it might work. If it doesn't, contact your Imply representative. We're adding more commands to the remote search head and we can prioritize the commands you need.

See the documentation on Splunk command types for information on how and where the search head processes commands.

Example queries

You can run the example federated search queries below against the example data for Imply Lumi tutorials.

Imply Lumi supports all Splunk search modes for federated search. See the Splunk documentation for more information.

The search keyword is implied at the beginning of a query. Supported operators for filters and wildcards are as follows:

| Operator | Use | Example |
|----------|-----|---------|
| = | Equal to | status=200 |
| != | Not equal to | status!=200 |
| "" | Phrase | "Intel Mac" |
| * | Wildcard | uri="*policy*" |
| CASE | Make case-sensitive | CASE(Intel) |
| NOT | Exclude matching events | NOT "/orders" |
| OR | Match two or more conditions | status=500 OR level=error |
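The following query is an added illustration, not part of the Imply Lumi documentation, showing several of these operators combined in one filter. It assumes the example index federated:lumi_index and the field names used elsewhere on this page (status, uri, useragent). It keeps access-denied responses, drops health-check paths with a wildcard, excludes a case-sensitive crawler user-agent term, and counts what remains per status and URI so that a reviewer can see which paths are rejecting requests most often:

```spl
index="federated:lumi_index" (status=401 OR status=403)
    NOT uri="/health*"
    NOT CASE(Googlebot)
| stats count by status, uri
```

The search keyword is still implied at the start; everything before the first pipe is the filter, and the operators can be freely mixed there as long as OR groups are parenthesized.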

appendcols

Count the total number of events and append the count of successful requests as an additional column in the same row:

index="federated:lumi_index" 
| stats count as total_events
| appendcols [
search index="federated:lumi_index" status=200
| stats count as successful_requests
]

Example output:

| total_events | successful_requests |
|--------------|---------------------|
| 214352 | 148242 |

For more information, see the Splunk documentation on appendcols.

appendpipe

Show the count of status=200 events per host and append a row with the total count across all hosts:

index="federated:lumi_index" 
| stats count as host_event_count by host
| appendpipe [
stats sum(host_event_count) as total_events
]

Example output:

| host     | host_event_count | total_events |
|----------|------------------|--------------|
| 10.0.1.5 | 1683 | |
| 10.0.1.6 | 1654 | |
| 10.0.1.7 | 1677 | |
| | | 5014 |

For more information, see the Splunk documentation on appendpipe.

concurrency

Retrieve 100 recent events, assume each event spans 5 minutes, and calculate how many of those events overlap at any point in time.

index="federated:lumi_index" 
| head 100
| eval start=_time, duration=300
| concurrency start=start duration=duration

For more information, see the Splunk documentation on concurrency.

datamodel

Assuming that the sample data is mapped to the Web data model, use the Web object to filter events where the URI is /track-order. Count the number of events by status and URI:

index="federated:lumi_index" 
| datamodel Web Web search
| search uri="/track-order"
| stats count by status, uri

For more information, see the Splunk documentation on datamodel.

eval

Check if the useragent exactly matches Google's bot identifier and count how many events are from bots versus non-bots:

index="federated:lumi_index" 
| eval is_bot=if(useragent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "yes", "no")
| stats count by is_bot

Example output:

| is_bot | count |
|--------|-------|
| no | 254 |
| yes | 54 |

For more information, see the Splunk documentation on eval.

eventstats

Add a field to every event showing how many events its user has in the entire result set:

index="federated:lumi_index" 
| eventstats count as user_event_count by user

For more information, see the Splunk documentation on eventstats.

fields

Find all HTTP 400 (Bad Request) events, displaying only the host, source, and method fields in the results:

index="federated:lumi_index" status=400 | fields host, source, method

For more information, see the Splunk documentation on fields.

fieldsummary

Summarize the status field:

index="federated:lumi_index" | fields status | fieldsummary

For more information, see the Splunk documentation on fieldsummary.

head

Search for events where method is either GET or POST, and show the five most recent results:

index="federated:lumi_index" method IN (GET, POST) | head 5

For more information, see the Splunk documentation on head.

map

Find the top two hosts with the most HTTP 403 (Forbidden) errors, then for each host, search all events to show how many times each uri was accessed.

index="federated:lumi_index" status=403
| stats count by host
| head 2
| map search="search index=federated:lumi_index host=$host$
| stats count by uri"

Example output:

| uri           | count |
|---------------|-------|
| /account | 876 |
| /best-sellers | 861 |
| /brands | 910 |

For more information, see the Splunk documentation on map.

outlier

Aggregate average bytes transferred per hour and flag statistical outliers in the average byte values in a timechart.

index="federated:lumi_index" 
| timechart span=1h avg(bytes) as avg_bytes
| outlier avg_bytes

Example output (fabricated values were added to the sample data so that outliers appear):

[Figure: Timechart outlier]

For more information, see the Splunk documentation on outlier.

rename

Note that Imply Lumi doesn't support renaming similarly named fields using wildcards.

Count events by status code and rename the status field to http_status for clearer labeling in the output:

index="federated:lumi_index" 
| stats count by status
| rename status AS http_status

For more information, see the Splunk documentation on rename.

reverse

Select the first five events and reverse their order, so the most recent event appears last in the output.

index="federated:lumi_index" 
| head 5 | reverse

For more information, see the Splunk documentation on reverse.

setfields

Set the host, status, and uri fields to specific values and display the results in a table:

index="federated:lumi_index" 
| setfields host="10.0.1.19", status="200", uri="/shipping-policy"
| table host, status, uri, _time

For more information, see the Splunk documentation on setfields.

sort

Note that you can't sort on calculated fields.

Retrieve all HTTP 400 (Bad Request) events, show the host, source, and method fields only, and sort the results alphabetically by host:

index="federated:lumi_index" status=400
| fields host, source, method
| sort host

For more information, see the Splunk documentation on sort.

tail

Search for all HTTP 400 (Bad Request) events, returning only the last three matching events:

index="federated:lumi_index" status=400 | tail 3

For more information, see the Splunk documentation on tail.

top

Show the most common URIs accessed in the index, with how often they appear and their percentage of total events:

index="federated:lumi_index" | top uri

Example output:

| uri              | count  | percent |
|------------------|--------|---------|
| /home | 524 | 23.4% |
| /shipping-policy | 312 | 13.9% |
| /contact | 290 | 12.9% |

For more information, see the Splunk documentation on top.

where

Retrieve events where the host is 10.0.1.19 and the status is 200:

index="federated:lumi_index" | where host = "10.0.1.19" and status = 200

For more information, see the Splunk documentation on where.
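As an added example that is not part of this page's original content, the query below chains commands documented above (eval, stats, where, fields) to surface hosts whose requests are disproportionately rejected with HTTP 403. It assumes the example index and the status and host fields used throughout this page; the threshold of 50 rejections and the one-in-four ratio are placeholders to tune for your own traffic volume. The result is intentionally left unsorted, in line with the note under sort that calculated fields cannot be sorted on:

```spl
index="federated:lumi_index"
| eval is_forbidden=if(status=403, 1, 0)
| stats sum(is_forbidden) as forbidden_count, count as total_count by host
| where forbidden_count > 50 AND forbidden_count > total_count / 4
| fields host, forbidden_count, total_count
```

Because the aggregation runs before where, the filter acts on per-host totals rather than on individual events, which is what makes a ratio such as forbidden_count > total_count / 4 meaningful. Lowering the absolute threshold makes the check more sensitive but will also surface low-traffic hosts that hit a single protected path a handful of times.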

Learn more

See the following topics for more information: