SPLUNK - Filters Documentation

Return to Wiki Index

Splunk log filtering works primarily through the following features:

• **Search Processing Language (SPL)**: This is the language used to filter, analyze, and transform data in Splunk.
• **Event Types**: Classifying logs into different event types helps in simplifying complex log data into easy-to-analyze categories.
• **Field Extraction**: Fields are used to create searchable and filterable data from the raw logs.
• **Transforms**: Data transformation techniques in Splunk help in extracting or modifying specific portions of log data.
• **Props**: These define how raw log data is handled and parsed in Splunk, including line-breaking, time-stamping, and field extraction.

The Search Processing Language (SPL) is the primary tool used for filtering logs in Splunk. SPL provides various commands and operators to filter and process the data.

The `search` command is the most basic way to filter logs in Splunk. For example, to filter logs based on specific keywords or phrases, you can use:

index="main" "error" OR "failure"

This will search for logs that contain either the term "error" or "failure" within the "main" index.

To filter logs by a specific time range, the `earliest` and `latest` time modifiers can be used in conjunction with the search. For example, to find logs between 2021-01-01 and 2021-01-31:

index="main" earliest="01/01/2021:00:00:00" latest="01/31/2021:23:59:59"

Boolean operators such as `AND`, `OR`, and `NOT` can be used to filter logs based on multiple conditions.

index="main" ("error" OR "failure") AND NOT "success"

This search will return logs that contain either "error" or "failure", but exclude logs containing "success".

Splunk allows for more advanced filtering techniques, such as using field extraction, field aliases, and event types.

Field extraction is used to pull out specific pieces of information from logs that match a regular expression or delimiter pattern. For example, if the logs contain an IP address and you want to extract it, you can use:

index="main" | rex field=_raw "(?P<ip_address>\d+\.\d+\.\d+\.\d+)"

This command uses the `rex` function to extract the IP address from the raw log data and creates a field called `ip_address`.

Event types allow you to categorize logs by assigning them predefined labels based on search criteria. For example, to create an event type for "error" logs:

eventtype="error_logs" index="main" "error"

This will label all logs containing the word "error" as part of the `error_logs` event type.

Field aliases let you use multiple names for the same field. This can help when logs have fields that are named differently in different sources but essentially represent the same data. For instance:

[alias_field]
SPLUNK_SERVER = host

This field alias maps `SPLUNK_SERVER` to the `host` field, so you can refer to the host field by either name.

The `eval` command can be used to create new fields or perform calculations on existing fields. For example:

index="main" | eval response_time_in_seconds = response_time / 1000

This command divides the `response_time` field by 1000 to convert it from milliseconds to seconds, creating a new field `response_time_in_seconds`.

Transforms and props are configuration files used to parse, extract, and transform raw log data in Splunk. They are critical for handling unstructured data and defining how logs should be processed.

The `props.conf` file defines how Splunk should handle incoming data, including line-breaking, time-stamping, and field extraction. For instance, to extract a field from a specific log format:

[my_log_format]
LINE_BREAKER = \n
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = ^
FIELDALIAS-user = user AS username

This configuration specifies how Splunk should parse log lines, timestamp them correctly, and create an alias for the `user` field.

The `transforms.conf` file defines rules for transforming log data. For example, if you want to extract specific values based on a regular expression pattern, you can define a transformation rule in `transforms.conf`:

[extract_ip]
REGEX = (?P<ip>\d+\.\d+\.\d+\.\d+)
FORMAT = ip::$1

This rule will extract IP addresses from the logs and assign them to a field called `ip`.

To ensure optimal performance and relevance when filtering logs, consider the following best practices:

It is important to define proper indexes and partition your data efficiently. Splitting log data into separate indexes (e.g., by application or log type) can help with more targeted searches.

Narrow down your searches by using time ranges effectively. Avoid broad searches across large time spans as they can increase processing time and reduce query performance.

Wildcard searches (e.g., `*error`) at the start of search terms can be resource-intensive. Try to avoid them or use them selectively in very specific cases.

To improve performance, limit the number of fields returned by your search. Use the `fields` command to restrict the data to only the necessary fields:

index="main" | fields host, source, _time, error_code

This will return only the `host`, `source`, `_time`, and `error_code` fields from the search results.

When dealing with log filtering in Splunk, it's common to encounter issues related to data formatting or configuration errors. Here are some common troubleshooting tips:

If fields are not being extracted properly, check the regular expression syntax in the `rex` command and ensure the correct delimiter or pattern is being used. Also, verify the field alias and transformation settings in `props.conf` and `transforms.conf`.

If logs are not showing the correct timestamps, ensure that the `TIME_PREFIX`, `TIME_FORMAT`, and `LINE_BREAKER` configurations in `props.conf` are set correctly for the log type.

If you are not seeing expected data from a specific index, ensure that the data is being ingested into the correct index and check for any indexing errors in Splunk’s internal logs.

• [Splunk Official Documentation](https://docs.splunk.com)
• [Splunk SPL Search Reference](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference)
• [Splunk Field Extraction Guide](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/FieldExtraction)
• [Splunk Props and Transforms Documentation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/PropsConf)
• [Splunk Blog](https://www.splunk.com/blog)