Splunk SPL Cheat Sheet

Essential Search Processing Language commands

search
Basic search command to find events matching criteria

search index=main error

Keywords: search, find, events, basic

index=
Specify which index to search

index=web_logs status=404

Keywords: index, source, data

| stats
Calculate statistics and aggregate data

| stats count by host

Keywords: stats, count, aggregate, statistics

| eval
Create or modify fields using expressions

| eval new_field=field1+field2

Keywords: eval, calculate, field, expression

| where
Filter results based on conditions

| where status_code>=400

Keywords: where, filter, condition, boolean

| table
Display specific fields in tabular format

| table _time, host, status

Keywords: table, display, fields, columns

| sort
Sort results by specified fields

| sort -_time

Keywords: sort, order, ascending, descending

| head
Return first N results

| head 10

Keywords: head, limit, first, top

| tail
Return last N results

| tail 5

Keywords: tail, limit, last, bottom

| dedup
Remove duplicate events based on field values

| dedup host

Keywords: dedup, unique, duplicate, distinct

| timechart
Create time-based statistical charts

| timechart span=1h count by status

Keywords: timechart, time, chart, visualization

| rex
Extract fields using regular expressions

| rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)"

Keywords: rex, regex, extract, parse

| join
Join results with another search

| join host [search index=users]

Keywords: join, merge, combine, lookup

| lookup
Enrich data using lookup tables

| lookup user_info.csv user_id

Keywords: lookup, enrich, table, reference

earliest= latest=
Specify time range for search

earliest=-24h latest=now

Keywords: time, range, earliest, latest

| fields
Include or exclude specific fields from results

| fields + _time, host, status | fields - _raw

Keywords: fields, include, exclude, select

| rename
Rename fields for better readability or standardization

| rename src_ip as "Source IP", dest_port as "Destination Port"

Keywords: rename, alias, readability, standardize

| fillnull
Replace null values with specified value or string

| fillnull value="Unknown" user_agent

Keywords: fillnull, null, replace, default

| transaction
Group events into transactions based on common fields

| transaction sessionid maxspan=30m

Keywords: transaction, group, session, correlation

| bucket
Group numeric or time values into discrete buckets

| bucket _time span=1h | stats count by _time

Keywords: bucket, group, discrete, histogram

| eventstats
Add aggregate statistics to every event as new fields, keeping the original events instead of collapsing them

| eventstats avg(response_time) as avg_response by host

Keywords: eventstats, statistics, augment, enrich

| streamstats
Calculate running (cumulative) statistics across events in the order they are processed

| streamstats count as event_number, avg(cpu_usage) as running_avg

Keywords: streamstats, running, cumulative, time

| multisearch
Run multiple searches simultaneously and combine results

| multisearch [search index=web] [search index=app]

Keywords: multisearch, multiple, parallel, combine

| append
Add results from another search to current results

| append [search index=backup earliest=-1d@d latest=@d]

Keywords: append, add, combine, union

| map
Apply search to each result and return combined results

| map search="search index=logs host=$host$ error"

Keywords: map, iterate, apply, dynamic

| convert
Convert field values to different formats or data types

| convert ctime(_time) as readable_time, dur2sec(duration) as seconds

Keywords: convert, format, datatype, transform