This page in the Splunk training wiki area, discusses an array of miscellaneous tips anything from saving time, to how to approach solving a data problem, to a small performance tweak, to external tools needed to massage the data or form a query.
| Table of Contents | ||
|---|---|---|
|
1. Working with JSON
The OM mediabar data is ingested into Splunk as ‘sourcetype’=_json which is a built in type of Splunk so it knows how to read JSON. The logging by OM components are, in part or in total, in JSON format so it is useful to have tool(s) to help read compacted JSON, expand it, query it, or change it.
...
Note: the Filter shown below only has a slight complexity for the ‘hisurl’ field but it is not required, therefore, you can copy and paste the Filter below and then change field names and their order (aka map({“field0”: .[0], “field1”: .[1], “field2”: .[2], etc.) and it will work for any CSV.
...
2. Working With Regular Expressions
3. Searching with ‘tstats’ vs ‘index’
4. When Building Search Commands
...