Splunk Snippets

Beginner

makeresults

makeresults generates a placeholder result, so it can be used to run SPL without specifying an index or lookup. This is very helpful when testing search logic or supplying a few fixed values to a dashboard panel.

| makeresults
| eval hello = "world"
| table hello

Intermediate

Splunk Time Fun

Splunk offers a number of ways to work with timestamps in searches.

| makeresults
```Creates static time examples```
| eval time_1 = "2024-11-25T01:23:34"
| eval time_2 = "2024-11-20T04:23:45"

```Use strptime to convert a string timestamp to Unix time, specifying the format that the timestamp is in```
| eval unix_time_1 = strptime(time_1,"%Y-%m-%dT%H:%M:%S")
| eval unix_time_2 = strptime(time_2,"%Y-%m-%dT%H:%M:%S")

```Use strftime to convert from Unix time to a friendly display time```
| eval unix_time_1_friendly = strftime(unix_time_1,"%Y-%m-%d")
| eval unix_time_2_friendly = strftime(unix_time_2,"%Y-%m-%d")

```Uses the Unix time representation to calculate the difference between the two timestamps in days: divide the difference of the two epoch values by the number of seconds in a day```
| eval diff_in_days = round(((unix_time_1-unix_time_2)/86400))

Expert

Likeness Algorithms

More details can be found in my Splunk String Likeness post.

| makeresults
| eval domain1 = "mktbs.net"
| eval domain2 = "mkts.net"
| eval domain3 = "gmail.com"
| jellyfisher jaro_winkler(domain1,domain2)
| rename jaro_winkler AS jaro_winkler_1_and_2
| jellyfisher jaro_winkler(domain1,domain3)
| rename jaro_winkler AS jaro_winkler_1_and_3
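The two jellyfisher scores above, reproduced as an added Python example (this is not code from the original post or from the Jellyfisher app): a plain implementation of Jaro-Winkler, plus a small helper that flags a domain which closely resembles one of a constructed list of trusted domains, the kind of lookalike check this similarity is useful for. The trusted list and the 0.9 threshold are assumptions made for the example.

```python
def jaro(s1: str, s2: str) -> float:
    """Jaro similarity: characters that match within a sliding window,
    penalised by half the number of out-of-order matches (transpositions)."""
    if s1 == s2:
        return 1.0
    if not s1 or not s2:
        return 0.0
    window = max(len(s1), len(s2)) // 2 - 1
    matched1 = [False] * len(s1)
    matched2 = [False] * len(s2)
    matches = 0
    for i, c in enumerate(s1):
        lo, hi = max(0, i - window), min(len(s2), i + window + 1)
        for j in range(lo, hi):
            if not matched2[j] and s2[j] == c:
                matched1[i] = matched2[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    a = [c for c, f in zip(s1, matched1) if f]  # matched chars in s1 order
    b = [c for c, f in zip(s2, matched2) if f]  # matched chars in s2 order
    transpositions = sum(x != y for x, y in zip(a, b)) // 2
    return (matches / len(s1) + matches / len(s2)
            + (matches - transpositions) / matches) / 3


def jaro_winkler(s1: str, s2: str, scaling: float = 0.1) -> float:
    """Winkler boost: reward a common prefix of up to four characters."""
    j = jaro(s1, s2)
    prefix = 0
    for x, y in zip(s1[:4], s2[:4]):
        if x != y:
            break
        prefix += 1
    return j + prefix * scaling * (1 - j)


# Constructed list of legitimate domains for the lookalike check.
TRUSTED = ["mkts.net", "gmail.com"]


def lookalikes(candidate: str, trusted=TRUSTED, threshold: float = 0.9) -> list:
    """Return (domain, score) pairs for trusted domains that the candidate
    closely resembles without being identical to, i.e. possible typosquats."""
    scored = [(d, round(jaro_winkler(candidate, d), 4)) for d in trusted]
    return [(d, s) for d, s in scored if s >= threshold and d != candidate]


if __name__ == "__main__":
    print(jaro_winkler("mktbs.net", "mkts.net"))   # 0.9740...
    print(jaro_winkler("mktbs.net", "gmail.com"))  # 0.4814...
    print(lookalikes("mktbs.net"))                 # [('mkts.net', 0.9741)]
```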