Splunk Query Language

index=<index>
source=<source>
log=<log>

stats

| stats avg(<field>)
| stats count by <field>
  • Distinct count
| stats dc(<field>)

dedup

  • Get only one entry for each unique field
| dedup <field>

table

  • Generate a table and specify the fields to be the columns
| table <field1>,<field2>
| table "time","data.request{}.policy-number"

timechart

  • Count occurrences by a time interval
| timechart count span=60s

spath

  • Extract a field from a structured (JSON/XML) event by its path, then search on it
| spath "data.request{}.my-field"
| search "data.request{}.my-field"=foo
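The commands above chained into one search, as an added example that is not part of the original cheat sheet: it extracts the page's JSON fields with `spath`, collapses repeated events with `dedup`, and uses `stats` and `timechart` to spot a `my-field` value that touches an unusual number of distinct policy numbers. The `output=` option of `spath`, the `AS` aliases and the `where` threshold of 50 are assumed placeholders, as are `<index>` and `<source>`.

```spl
index=<index> source=<source>
| spath "data.request{}.policy-number" output=policy_number
| spath "data.request{}.my-field" output=my_field
| search my_field=foo
| dedup policy_number my_field
| stats count AS requests, dc(policy_number) AS distinct_policies by my_field
| where distinct_policies > 50
```

Replace the last two lines with `| timechart span=5m dc(policy_number) AS distinct_policies by my_field` to see the same count as a time series instead of a single table.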