Splunk Cheat Sheet – Some Commonly Used Splunk Commands

Get N number of results
index=myIndex sourcetype=myFileType SearchTermOrExpression | head 2

Exclude a Phrase
index=myIndex sourcetype=myFileType PhraseToSearch NOT PhraseNotToSearch

Search Exceptions or Errors
index=myIndex sourcetype=myFileType *Exception* OR *Error*

Stats – Count by Host
index=myIndex sourcetype=myFileType SearchTerm | stats count by host

Stats – Count per day
index=myIndex sourcetype=myFileType SearchTerm | convert timeformat="%Y-%m-%d" ctime(_time) AS date | stats count by date

Table of Extracted Fields
index=myIndex sourcetype=myFileType SearchTerm | table myExtractedField1, myExtractedField2, myExtractedField3

Stats – Sort Descending
index=myIndex sourcetype=myFileType SearchTerm | stats count by someField | sort -someField

Stats – Sort Ascending
index=myIndex sourcetype=myFileType SearchTerm | stats count by someField | sort someField

Items per hour (date_hour)
index=myIndex sourcetype=myFileType SearchTerm | top date_hour

Remove Duplicates
index=myIndex sourcetype=myFileType SearchTerm | table myExtractedField1, myExtractedField2, myExtractedField3 | dedup myExtractedField1
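Chaining the pieces above into one triage search, as an added example that is not part of the original cheat sheet: it counts error-like events per host per day, ranks the noisiest host/day pairs first and keeps the top ten. The index, sourcetype and the excluded phrase are placeholders, not values from the page.

```spl
index=myIndex sourcetype=myFileType (*Exception* OR *Error*) NOT "ExpectedTimeoutException"
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats count AS error_count by date, host
| sort -error_count
| head 10
```

The parentheses matter: without them the NOT binds only to the `*Error*` term, and events matching `*Exception*` that also contain the excluded phrase still come back. Terms with a leading wildcard cannot use the index's term lookup, so on a large index this search scans every event in the time range; where an extracted field such as `log_level` exists, `log_level=ERROR` is both cheaper and less noisy. Because `sort` runs after `stats`, the minus sign orders by the aggregated `error_count`, which is the usual way to surface the hosts that deserve a look first.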