
sourcetype=access_combined* | fields host,clientip,bytes

sourcetype=access_combined* action=* | table clientip,action,status <-- displays the results as a table

sourcetype=access_combined* action=* | table clientip,action,status | rename clientip as "Client IP", status as "HTTP Status" <-- renames the columns (makes them user friendly)

sourcetype=www* | erex userid examples="appserver,testuser,mongodb,desktop,root" | search punct="__::____" <-- erex adds a new field (userid) that was not in the initial results, building the extraction from the example values; punct then narrows the search to events whose punctuation pattern matches the one given

sourcetype=access_combined* action=* | top productId <-- ranks the product IDs by frequency (count and percent)

sourcetype=access_combined* action=* | top limit=3 productId <-- only the top 3

sourcetype=access_combined* action=* | top limit=3 productId by action <-- the top 3 within each value of the action field

sourcetype=access_combined* action=purchase | table clientip,bytes,action | sort +bytes <-- sorts ascending by bytes (sort -bytes would sort descending)

sourcetype=access_combined* action=* | stats sum(bytes) by productId <-- computes how much bandwidth was consumed for each product

sourcetype=access_combined* action=* | stats avg(bytes) as Bandwidth by productId | sort -Bandwidth <-- computes the average bandwidth consumed per product, highest first

sourcetype=access_combined* action=* productId=* | timechart count(productId) by action <-- displays the information as a chart over time (one series per action)

sourcetype=access_combined* action=* | stats sum(bytes) as Sum by productId | eval Bandwidth=Sum/(1024*1024) <-- creates a new Bandwidth field (the byte total converted to MB)
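To make concrete what the extraction, top, stats, sort and eval stages above actually compute, here is an added Python example; it is not code from the page and not Splunk's own implementation. It re-implements those pipeline steps as small functions over a handful of constructed access_combined lines. The log lines, product IDs and byte counts are made up, the regex is an assumed extraction for the Apache combined log format, and each function is only a toy equivalent of the SPL command named in its docstring.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in Apache combined-log format (Splunk's
# access_combined sourcetype). action and productId ride in the query string,
# as in the Splunk tutorial web-store data. All values are made up.
SAMPLE_LOGS = [
    '10.1.1.5 - - [17/Nov/2015:15:05:01 +0000] "GET /cart.do?action=addtocart&productId=WC-SH-G04 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.1.1.5 - - [17/Nov/2015:15:05:09 +0000] "POST /cart.do?action=purchase&productId=WC-SH-G04 HTTP/1.1" 200 1536 "-" "Mozilla/5.0"',
    '10.1.1.7 - - [17/Nov/2015:15:05:12 +0000] "GET /cart.do?action=view&productId=DB-SG-G01 HTTP/1.1" 200 4000 "-" "curl/7.47"',
    '10.1.1.9 - - [17/Nov/2015:15:05:20 +0000] "GET /cart.do?action=addtocart&productId=DB-SG-G01 HTTP/1.1" 503 512 "-" "Mozilla/5.0"',
    '10.1.1.5 - - [17/Nov/2015:15:05:33 +0000] "GET /cart.do?action=addtocart&productId=WC-SH-G04 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.1.1.8 - - [17/Nov/2015:15:05:40 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'this line is not in combined-log format and is skipped',
]

# Search-time field extraction: the job erex/rex and the sourcetype's
# built-in extractions do in Splunk. The regex is an assumption for this example.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
QUERY_KEYS = ("action", "productId")


def extract_fields(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    for key in QUERY_KEYS:  # key=value pairs carried in the query string
        kv = re.search(r"[?&]%s=([^&\s]+)" % key, ev["uri"])
        if kv:
            ev[key] = kv.group(1)
    return ev


def parse_events(lines):
    return [ev for ev in map(extract_fields, lines) if ev is not None]


def where_field_set(events, field):
    """`field=*` in the search: keep only events that have the field."""
    return [ev for ev in events if field in ev]


def top(events, field, limit=10, by=None):
    """`top limit=N <field> [by <by>]`: most frequent values with their counts
    (Splunk also adds a percent column). Without `by` returns a list of
    (value, count); with `by` returns {group: [(value, count), ...]}."""
    if by is None:
        return Counter(ev[field] for ev in events if field in ev).most_common(limit)
    per_group = defaultdict(Counter)
    for ev in events:
        if field in ev and by in ev:
            per_group[ev[by]][ev[field]] += 1
    return {g: c.most_common(limit) for g, c in per_group.items()}


def stats_by(events, by, func="sum", field="bytes"):
    """`stats sum(field) by <by>` / `stats avg(field) by <by>` / `stats count by <by>`."""
    groups = defaultdict(list)
    for ev in events:
        if by in ev and field in ev:
            groups[ev[by]].append(ev[field])
    agg = {"sum": sum, "avg": lambda v: sum(v) / len(v), "count": len}[func]
    return {k: agg(v) for k, v in groups.items()}


def sort_rows(rows, descending=False):
    """`sort -Bandwidth` / `sort +Bandwidth` applied to the output of stats_by."""
    return sorted(rows.items(), key=lambda kv: kv[1], reverse=descending)


def bandwidth_mb(events):
    """`stats sum(bytes) as Sum by productId | eval Bandwidth=Sum/(1024*1024)`"""
    return {pid: total / (1024 * 1024)
            for pid, total in stats_by(events, "productId", "sum").items()}


if __name__ == "__main__":
    events = where_field_set(parse_events(SAMPLE_LOGS), "action")
    print("top productId:", top(events, "productId"))
    print("top limit=3 productId by action:", top(events, "productId", 3, by="action"))
    print("sum(bytes) by productId:", sort_rows(stats_by(events, "productId"), descending=True))
    print("avg(bytes) by productId:", sort_rows(stats_by(events, "productId", "avg"), descending=True))
    print("Bandwidth (MB):", bandwidth_mb(events))
```

The `/index.html` line survives extraction but is dropped by `action=*`, and the malformed line never becomes an event at all; both are worth checking when a `stats` total looks lower than expected, because silently dropped events are the usual reason.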

docs.splunk.com <-- everything about the commands and their syntax; questions and answers are posted on the forum (answers.splunk.com)

===================================================================================

earliest=11/17/2015:15:05:00 latest=11/17/2015:15:06:00 index=proxy "youtube.com"

earliest=11/17/2015:15:05:00 latest=11/17/2015:15:06:00 index=proxy e7594327 (<== user ID) | table ............... [CHECK STATISTICS]

earliest=11/17/2015:15:05:00 latest=11/17/2015:15:06:00 index=proxy e7594327 (<== user ID) | table ............... | stats count by dest_host, category

earliest=11/17/2015:15:05:00 latest=11/17/2015:15:06:00 index=vpns 172.19.74.185

earliest=11/17/2015:15:05:00 latest=11/17/2015:15:06:00 index=vpns fhdjsk@dksd.com AND hostname

VPN Search (??)


===================================================================================

sourcetype=access* action=* | transaction JSESSIONID [<-- the field to group by] startswith=action=addtocart endswith=action=purchase mvlist=n | table JSESSIONID,clientip,eventcount,duration,action | search action=purchase <-- groups the events of one session into a transaction that begins with addtocart and ends with purchase; the final search keeps only the transactions that actually contain a purchase

sourcetype=access* action=* status>399 (to see only the errors) | lookup http_status_def code AS status OUTPUT code,description | table code,description,clientip <-- enriches each event with the description of its HTTP status code from the http_status_def lookup

| inputlookup http_status.csv <-- queries the lookup file behind the definition used earlier (a generating command, so it starts with a pipe), for example if you want to export it
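The transaction, lookup and inputlookup pipelines above are easier to reason about with a toy model in hand, so here is an added Python example; it is not code from the page and not Splunk's implementation. It walks a constructed set of already-extracted web-store events (session IDs, client IPs, actions and status codes are made up) and a constructed stand-in for http_status.csv. The transaction semantics are a deliberate simplification stated in the docstring and are an assumption of this example, not a description of Splunk's exact rules.

```python
import csv
import io

# Constructed web-store events, already field-extracted as Splunk would present
# them after search-time extraction. _time is epoch seconds; all values are
# made up for the example.
EVENTS = [
    {"_time": 100, "JSESSIONID": "SD1SL1", "clientip": "10.1.1.5", "action": "addtocart", "status": 200},
    {"_time": 105, "JSESSIONID": "SD2SL2", "clientip": "10.1.1.7", "action": "view", "status": 200},
    {"_time": 110, "JSESSIONID": "SD1SL1", "clientip": "10.1.1.5", "action": "view", "status": 200},
    {"_time": 120, "JSESSIONID": "SD2SL2", "clientip": "10.1.1.7", "action": "addtocart", "status": 200},
    {"_time": 130, "JSESSIONID": "SD1SL1", "clientip": "10.1.1.5", "action": "purchase", "status": 200},
    {"_time": 140, "JSESSIONID": "SD2SL2", "clientip": "10.1.1.7", "action": "purchase", "status": 503},
    {"_time": 150, "JSESSIONID": "SD3SL3", "clientip": "10.1.1.9", "action": "addtocart", "status": 200},
    {"_time": 160, "JSESSIONID": "SD3SL3", "clientip": "10.1.1.9", "action": "remove", "status": 404},
    {"_time": 170, "JSESSIONID": "SD4SL4", "clientip": "10.1.1.11", "action": "view", "status": 500},
]

# Constructed stand-in for http_status.csv, the file behind the http_status_def
# lookup definition. It deliberately has no row for 500.
HTTP_STATUS_CSV = """code,description
200,OK
404,Not Found
503,Service Unavailable
"""


def transaction(events, field, startswith, endswith):
    """Toy model of `transaction <field> startswith=k=v endswith=k=v mvlist=n`.
    Simplified semantics, an assumption for this example rather than Splunk's
    exact rules: events are walked in time order; for each value of <field> a
    transaction opens at an event matching startswith and closes at the next
    event matching endswith; events for a key with no open transaction are
    dropped; a transaction still open at the end is emitted with closed_txn=0.
    """
    skey, sval = startswith.split("=", 1)
    ekey, eval_ = endswith.split("=", 1)
    open_txns, done = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev.get(field)
        if key is None:
            continue
        if key not in open_txns:
            if str(ev.get(skey)) != sval:
                continue
            open_txns[key] = []
        open_txns[key].append(ev)
        if str(ev.get(ekey)) == eval_:
            done.append(_summarize(field, key, open_txns.pop(key), closed=True))
    done.extend(_summarize(field, k, evs, closed=False) for k, evs in open_txns.items())
    return done


def _summarize(field, key, evs, closed):
    """Build the transaction row: eventcount, duration and the multivalue field.
    mvlist=n means a multivalue field holds the unique values, sorted
    (mvlist=t would keep one entry per event in arrival order)."""
    return {
        field: key,
        "clientip": evs[0]["clientip"],
        "eventcount": len(evs),
        "duration": evs[-1]["_time"] - evs[0]["_time"],
        "action": sorted({e["action"] for e in evs}),
        "closed_txn": 1 if closed else 0,
    }


def search_action(txns, value):
    """`| search action=purchase` after transaction: a multivalue field matches
    when any of its values equals the term."""
    return [t for t in txns if value in t["action"]]


def load_lookup(csv_text):
    """`| inputlookup http_status.csv`: the lookup table as rows of strings."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, lookup_field, event_field, output_fields):
    """`lookup <table> <lookup_field> AS <event_field> OUTPUT <output_fields>`.
    OUTPUT overwrites the named fields; an event with no matching row gets
    them empty (None here), the caveat to remember when a status code is
    missing from the CSV."""
    index = {row[lookup_field]: row for row in table}
    enriched = []
    for ev in events:
        row = index.get(str(ev.get(event_field)))
        out = dict(ev)
        for f in output_fields:
            out[f] = row[f] if row else None
        enriched.append(out)
    return enriched


def error_rows(events, table):
    """`status>399 | lookup http_status_def code AS status OUTPUT code,description
    | table code,description,clientip`"""
    errors = [ev for ev in events if ev["status"] > 399]
    rows = lookup(errors, table, "code", "status", ["code", "description"])
    return [(r["code"], r["description"], r["clientip"]) for r in rows]


if __name__ == "__main__":
    txns = transaction(EVENTS, "JSESSIONID", "action=addtocart", "action=purchase")
    for t in txns:
        print(t)
    print("completed purchases:", [t["JSESSIONID"] for t in search_action(txns, "purchase")])
    print("errors:", error_rows(EVENTS, load_lookup(HTTP_STATUS_CSV)))
```

Two things the run makes visible: session SD3SL3 never reaches a purchase, so it only disappears because of the trailing `search action=purchase`, and the 500 from 10.1.1.11 comes back with an empty code and description because the CSV has no row for it, which is why a lookup table should be checked for completeness before its output is used to triage errors.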
