I’m super excited to announce that my new book Practical Splunk Search Processing Language has been published.
While there are many Splunk books in the market today, almost all of them try to combine several aspects of Splunk into one book. I’ve not found a single book that focuses solely on teaching SPL (Search Processing Language). For a user, learning SPL is the key to getting the most out of the Splunk platform. So, I decided to fill in the gap :-).
I know that SPL can be intimidating for a new user (heck, even for an experienced user, it can be intimidating). But it does not have to remain that way. The key to mastering SPL is to focus on a handful of commands and fully mastering them. For example, while SPL has more than 140 commands, you’ve probably only used the following commands more often than not:
Just by mastering eval and stats, you can pretty much solve 90% of the problems. This is why I’ve dedicated a chapter to the stats command alone.
Here are the chapters at a glance:
Chapter 1, Introducing the Splunk platform, introduces the Splunk platform and the problems it solves. It discusses the architecture of the platform at a high level. It then introduces Search Processing Language (SPL) along with its syntax and usage. This chapter also walks you through the Splunk search interface. At the end of this chapter, you will have written your first SPL query yourself.
Chapter 2, Calculating Statistics, dives right into calculating statistics, an important function of SPL. It explains the all-powerful stats command with plenty of examples. It also covers the chart command. This chapter then dives into another useful command, eval, and discusses its most useful functions. At the end of this chapter, you will have a thorough knowledge of using stats, chart and eval.
Chapter 3, Using Time Related Operations, reveals how you can generate insightful results from your machine-generated data using time. It discusses the timechart command in detail and provides various examples. It also provides a few advanced examples such as comparing two different time frames and using the timewrap command.
Chapter 4, Grouping and Correlating, discusses a very practical use of SPL: grouping conceptually related events to make sense of them. It explains the powerful transaction command with many examples. It shows the various constraints you can use to group events. It also introduces subsearches and moves on to cover the join and append commands.
Chapter 5, Working with Fields, shows how you can extract fields from your raw data. It shows how to identify automatically extracted fields and walks through the field extractor wizard for manually extracting fields. It then introduces regular expressions and dives into the rex command. Finally, it discusses practical uses of fields such as deduping, filtering and sorting.
Chapter 6, Using Lookups, takes a little detour and discusses lookups. It walks through using a CSV file as a lookup table to enhance the search results. It explains the use of the lookup and inputlookup commands. It also shows how to create and maintain a lookup table using the outputlookup command.
Chapter 7, Advanced SPL Commands, introduces some of the advanced commands such as predict, kmeans and cluster. It provides examples for commands such as convert and outlier. It also explains the various ways to handle multi-valued fields by using commands such as mvcombine and mvexpand. Finally, it teaches various eval functions such as mvcount and mvfind that help with multi-valued fields.
Chapter 8, Less Common Yet Impactful SPL Commands, discusses commands such as geostats, iplocation and tstats. It explains how machine-generated data can be plotted on a map. In addition, it shows how to use erex to automatically generate regular expressions.
Chapter 9, Optimizing SPL, deals with improving the performance of your SPL queries. It explains the factors affecting search performance and shows how to use the job inspector, an important tool for understanding the execution costs of the various components of your search. It also discusses best practices for scheduling searches.
I’ve also added a digital chapter on Dashboards and Alerts that you can access here.
If you are interested in learning SPL in a practical way with lots of examples, this book is for you.