Cmdlets for Splunk

Build 24.0.9060

AlertsInInternalServer

A dataset object in the example InternalServer data model.

Select

This is an example of a dataset view. These views are generated from dataset objects inside a data model. The cmdlet will use the Splunk APIs to process the following query components; the cmdlet processes other parts of the query client-side in memory.

All columns support server-side processing for the following operators and functions:

  • Operators: =, <, >, >=, <=, IN, IS NULL, IS NOT NULL, NOT
  • Functions: AVG, SUM, MIN, MAX, COUNT, STDEV, STDEVP, VAR, VARP

LIMIT, ORDER BY, GROUP BY, and HAVING are also processed server-side. An exception is the case when in the selected columns, there are fields that are not in the GROUP BY, and GROUP BY, criteria, and limiting are handled client-side.

In the case when an unsupported criteria or function is used, all processing will be completed client-side (except selecting specified fields). This is also the case when a SELECT statement has a column that is not in the GroupBy clause.

For example, the cmdlet uses the Splunk APIs to process the following queries.

SELECT Component, Timeendpos as Timeend FROM [AlertsInInternalServer] WHERE Component = 'Saved' OR EventType != '' AND Priority IS NOT NULL AND Linecount NOT IN ('1', '2') ORDER BY Priority DESC LIMIT 5 

SELECT AVG(Suppressed), Priority FROM [AlertsInInternalServer] GROUP BY Priority HAVING AVG(Suppressed) > 0 

Columns

Name Type Description
_time Datetime
component String
date_hour Int
date_mday Int
date_minute Int
date_month String
date_second Int
date_wday String
date_year Int
date_zone Int
digest_mode Int
dispatch_time Int
host String
linecount Int
log_level String
priority String
punct String
savedsearch_id String
scheduled_time Int
search_type String
server_alert_actions String
server_app String
server_message String
server_result_count Int
server_run_time Double
server_savedsearch_name String
server_sid String
server_status String
server_user String
source String
sourcetype String
splunk_server String
suppressed Int
thread_id String
timeendpos Int
timestartpos Int
window_time Int

Copyright (c) 2024 CData Software, Inc. - All rights reserved.
Build 24.0.9060