Splunk Practice Exercise 2: Finding Events on fields using Conditional statements

Introduction

This practice exercise focuses on searching for events in Splunk using the itemId field.

Step 1: Access Splunk Web

  1. Open your web browser and navigate to Splunk Web:

    http://<your server ip>:8000

  2. Log in using your credentials.

Step 2: Navigate to Search & Reporting App

  1. In the Splunk Web interface, go to the Search & Reporting app.

Step 3: Construct the Search Query

  1. In the search bar, enter the following search query:

    index=tutorial itemId="EST-*" | rex field=itemId "EST-(?<n>\d+)" | where n > 10

This query searches the tutorial index for events whose itemId matches the pattern 'EST-n', uses rex to extract the numeric part into a new field named 'n', and then keeps only the events where the value of 'n' is greater than 10.

Note: rex and where are discussed in more detail in subsequent topics of the course.

Step 4: Execute the Search

  1. Press Enter or click the Search button to execute the search.

Step 5: Review Results

  1. Review the search results in the main panel. The events displayed should meet the criteria specified in the search query.

  2. You can confirm the results by appending the following stats command to the original query. The output should list only itemId values of the form EST-n where n is greater than 10.

    | stats count by itemId
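
To make visible what each stage of the pipeline does to an event, here is an added Python model of the same three stages (the rex extraction, the where filter keeping n greater than 10 as the exercise describes, and stats count by itemId) run over a few constructed sample events. It is example code written for this page, not Splunk code and not part of the original exercise; it also shows why the extracted value must be compared as a number, since a string comparison would rank 'EST-9' above 'EST-10'.

```python
import re
from collections import Counter

# Constructed sample events (not real tutorial data); only itemId matters here.
SAMPLE_EVENTS = [
    {"itemId": "EST-7"},
    {"itemId": "EST-9"},
    {"itemId": "EST-10"},
    {"itemId": "EST-14"},
    {"itemId": "EST-14"},
    {"itemId": "EST-100"},
    {"itemId": "EST-abc"},   # does not match the rex pattern, so no n field is created
    {"itemId": "FI-SW-01"},  # removed by itemId="EST-*" before rex ever runs
]

# Python equivalent of the named capture group in: rex field=itemId "EST-(?<n>\d+)"
REX = re.compile(r"EST-(?P<n>\d+)")


def rex_extract(event):
    """Add field n to the event when the regex matches, like Splunk's rex."""
    m = REX.search(event["itemId"])
    if m:
        # Extracted field values are strings, just as they are in Splunk.
        event = {**event, "n": m.group("n")}
    return event


def where_n_greater_than(event, threshold):
    """Model of '| where n > threshold': events with no n field are dropped,
    and n is compared numerically ('9' > '10' would be True as strings)."""
    return "n" in event and int(event["n"]) > threshold


def run_pipeline(events, threshold=10):
    """Model of: itemId="EST-*" | rex ... | where n > threshold | stats count by itemId"""
    matched = [e for e in events if e["itemId"].startswith("EST-")]
    extracted = [rex_extract(e) for e in matched]
    kept = [e for e in extracted if where_n_greater_than(e, threshold)]
    return dict(Counter(e["itemId"] for e in kept))


if __name__ == "__main__":
    for item_id, count in sorted(run_pipeline(SAMPLE_EVENTS).items()):
        print(f"{item_id}\t{count}")
```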

Conclusion

Congratulations! You have successfully completed the practice exercise, finding events in Splunk where the itemId follows the pattern 'EST-n' and the value of 'n' is greater than 10. Continue to explore and experiment with different search queries to enhance your Splunk skills.