What is an Overlay Chart?

An Overlay Chart in Splunk is used to display one chart on top of another so that multiple metrics can be compared in the same visualization.

Typically:

• One metric is shown as bars or columns
• Another metric is shown as a line overlay

This helps identify patterns, correlations, and trends between datasets.

Example comparison:

• File size vs Average file size
• Sales vs Average sales
• Network traffic vs Standard deviation

Example Scenario

Suppose we want to analyze file sizes from web application logs across different days of the week.

We calculate:

1️⃣ Total bytes
2️⃣ Average bytes
3️⃣ Standard deviation of bytes

These metrics help understand file size distribution.

Step 1: Create the Base Chart

First create a chart with two metrics.

Example SPL query:

Example statistical output:

This data can be visualized as a bar chart.

Step 2: Add a Third Variable

To create an overlay chart, add another statistical measure such as standard deviation.

Example updated query:

Now the statistics tab contains:

This extra field enables the overlay visualization.

Step 3: Create the Overlay Chart

Steps:

1. Go to Visualization Tab
2. Click Format
3. Select Chart Overlay

A configuration window appears.

Step 4: Configure Overlay Settings

Choose the field to overlay.

Example:

Other optional settings include:

Usually default settings work fine.

Step 5: Final Visualization

The final overlay chart typically shows:

• Bars → total or average file size
• Line overlay → standard deviation trend

This allows users to see:

• Which days have higher variation
• When file sizes deviate from the average

Example Practical Use Cases

Overlay charts are commonly used for:

Advantages of Overlay Charts

✔ Compare multiple metrics easily
✔ Identify trends quickly
✔ Detect anomalies
✔ Improve dashboard analytics
✔ Provide deeper data insights

Simple Summary

An Overlay Chart in Splunk displays two charts together in one visualization.

Steps:

1️⃣ Create a chart with statistical values
2️⃣ Add a third metric
3️⃣ Use Visualization → Format → Chart Overlay
4️⃣ Select the overlay field

Example SPL query:

This helps compare main metrics with trend indicators in the same chart.

Splunk - Sparklines

What are Sparklines?

A Sparkline is a small, compact chart that shows trends over time inside a table cell.
Unlike normal charts, sparklines do not display axes or labels. They appear as tiny line graphs that show how a value changes over time.

They are useful for quickly understanding trends or fluctuations in data.

Example idea:

The small graph indicates how the value changed over time.

Why Sparklines Are Used

Sparklines help:

• Show data trends inside tables
• Save dashboard space
• Quickly identify patterns
• Compare multiple trends simultaneously

They are commonly used in monitoring dashboards and reports.

Step 1: Select the Fields

First, run a search that produces statistical values.

Example SPL query:

Result example:

This statistical data will be used to create the sparkline.

Step 2: Create the Sparkline

To generate sparklines, use the sparkline() function with the stats command.

Example query:

Result:

Each row now shows a mini trend graph representing changes in average bytes.

Step 3: Time Range Effect

The sparkline graph depends on the selected time range.

Example:

Time Range: All Time

The sparkline displays the trend for the entire dataset.

Time Range: Last 30 Days

Only data from the last 30 days is used.

Effects:

• Some files may disappear if they were not present in that period.
• The sparkline shape changes based on recent trends.

Example Full Query

Example SPL query with sparkline:

Explanation:

Advantages of Sparklines

✔ Shows trends in a compact format
✔ Works inside tables and dashboards
✔ No extra chart space required
✔ Useful for monitoring and comparisons

Real-World Use Cases

Sparklines are commonly used for:

Simple Summary

A Sparkline in Splunk is a small trend chart displayed inside a table cell.

Key points:

• Shows data trends over time
• Does not include axes or labels
• Created using sparkline() function

Example SPL:

This displays mini trend charts for each file.

Splunk – Managing Indexes

 

 

What is an Index in Splunk?

An Index in Splunk is a storage location where processed machine data is stored and organized for fast searching.

Indexing works similar to database indexing, where data is given structured references so searches can be executed quickly.

When data enters Splunk:

1. The Indexer processes the data
2. Data is stored in an index
3. Searches retrieve data from those indexes

Default Indexes in Splunk

When Splunk is installed, it automatically creates three default indexes.

Example Search Using an Index

Example SPL:

This searches events stored in the main index.

Example:

This searches Splunk system logs.

Role of the Indexer

The Indexer component in Splunk is responsible for:

• Processing incoming data
• Creating indexes
• Storing events in indexed format
• Enabling fast search operations

So the flow is:

Checking Existing Indexes

You can view available indexes in Splunk.

Steps:

1. Login to Splunk Web Interface
2. Go to Settings
3. Click Indexes

This displays a list of:

• Default indexes
• Custom indexes
• Storage usage
• Data size

Creating a New Index

Sometimes you may want to separate different types of data into different indexes.

Example reasons:

• Security logs
• Web application logs
• Network logs

Steps to create an index:

1. Go to Settings
2. Click Indexes
3. Click New Index

You will see a configuration screen.

Required Information

Example:

Assigning Data to an Index

After creating an index, new data must be configured to use that index.

Steps:

1. Go to Settings
2. Select Data Inputs
3. Choose Files & Directories
4. Select the data source
5. Assign the new index

Example:

Now all events from that data source will be stored in the new index.

Example Search with Custom Index

Example SPL query:

This searches only the data stored in the custom index.

Advantages of Using Multiple Indexes

✔ Better data organization
✔ Faster searches
✔ Easier data management
✔ Separate storage for different log types
✔ Improved security control

Example:

Simple Summary

An Index in Splunk is a structured storage location for processed machine data.

Key points:

• Indexing improves search performance
• Default indexes include main, internal, and audit
• New indexes can be created for better data management
• Data sources can be assigned to specific indexes

Example SPL:

This searches events stored in the main index.

Splunk – Calculated Fields

 

What are Calculated Fields?

Calculated Fields in Splunk are new fields created by applying calculations or transformations to existing fields in events.

They are useful when you want to:

• Modify existing data
• Convert values to another unit
• Extract part of a field
• Create new derived information

These calculations are usually done using the eval command in SPL.

---

Why Calculated Fields Are Used

Calculated fields help:

• Perform mathematical calculations
• Transform data formats
• Extract specific parts of a field
• Create new analytical fields

Example uses:

Original Field	Calculated Field
bytes	bytes_in_GB
date_wday	short_day

---

Example Scenario

Suppose the web_application log contains the following fields:

bytes	date_wday
2048	Wednesday
4096	Thursday
1024	Monday

Goals:

1️⃣ Convert bytes → GB
2️⃣ Show only the first three characters of the weekday

---

Using the eval Function

Splunk uses the eval command to create calculated fields.

Syntax

 

eval new_field = calculation

 

---

Example 1 – Convert Bytes to GB

To convert bytes to GB:

 

eval byte_in_GB = bytes / 1024

 

Full search example:

 

index=web_application  
| eval byte_in_GB = bytes/1024

 

Result:

bytes	byte_in_GB
2048	2
4096	4
1024	1

---

Example 2 – Extract First 3 Letters of Weekday

To extract the first three characters from the date_wday field, use the substr() function.

 

eval short_day = substr(date_wday,1,3)

 

Example search:

 

index=web_application  
| eval short_day = substr(date_wday,1,3)

 

Result:

date_wday	short_day
Wednesday	Wed
Thursday	Thu
Monday	Mon

---

Combining Both Calculations

You can apply multiple calculated fields in the same search.

Example SPL:

 

index=web_application  
| eval byte_in_GB = bytes/1024  
| eval short_day = substr(date_wday,1,3)

 

Result:

bytes	byte_in_GB	date_wday	short_day
2048	2	Wednesday	Wed
4096	4	Thursday	Thu

---

Displaying Calculated Fields

After creating calculated fields:

1. Click All Fields
2. Select the new fields (e.g., byte_in_GB, short_day)
3. They will appear in the search results table

---

Common Functions Used in Calculated Fields

Function	Purpose
eval	Create calculated fields
substr()	Extract part of a string
round()	Round numeric values
len()	Get string length
tonumber()	Convert string to number

Example:

 

eval rounded_value = round(bytes/1024,2)

 

---

Advantages of Calculated Fields

✔ Transform raw data into meaningful values
✔ Perform calculations during search
✔ Create reusable analytical fields
✔ Improve data interpretation

---

Simple Summary

A Calculated Field is a new field created from existing fields using calculations.

It is usually created using the eval command.

Example:

 

index=web_application  
| eval byte_in_GB = bytes/1024  
| eval short_day = substr(date_wday,1,3)

 

This produces new fields:

• byte_in_GB → converted file size
• short_day → shortened weekday name

Splunk – Tags

 

 

What are Tags in Splunk?

Tags are labels used to group specific field–value combinations in Splunk events.

They allow you to categorize events so that they can be searched easily with a single keyword instead of writing complex queries.

Tags are part of Splunk Knowledge Objects.

---

Why Tags Are Used

Tags help to:

• Organize events
• Simplify searches
• Group similar field values
• Improve data classification

Example:

Instead of searching multiple status codes:

 

status=503 OR status=505

 

You can create a tag called:

 

server_error

 

Then simply search:

 

tag=server_error

 

---

Fields That Can Be Tagged

Tags can be assigned to different Splunk fields such as:

Field Type	Example
host	server01
source	web_log
sourcetype	apache_access
event type	status events
field-value pairs	status=503

---

Example Scenario

Suppose we want to group server error status codes.

Error status codes:

 

503  
505

 

We assign them the tag:

 

server_error

 

So:

Field	Value	Tag
status	503	server_error
status	505	server_error

---

Steps to Create Tags

Step 1 – Expand Event

1. Run a search
2. Expand an event
3. View the field list

Example field:

 

status=503

 

---

Step 2 – Edit Tag

1. Locate the field
2. Click Actions
3. Select Edit Tags

---

Step 3 – Add Tag Name

Enter the tag name.

Example:

 

server_error

 

Apply this tag to:

 

status=503  
status=505

 

You must repeat the step for each value.

---

Searching Using Tags

Once tags are created, searching becomes easier.

Example Search

 

tag=server_error

 

This will return events containing:

 

status=503  
status=505

 

Even though the search does not explicitly mention them.

---

Example Comparison

Without Tag

 

status=503 OR status=505

 

With Tag

 

tag=server_error

 

Tags make the query simpler and reusable.

---

Tags vs Fields

Feature	Tags	Fields
Purpose	Group field values	Store event data
Usage	Simplify searches	Extract event information
Example	server_error	status=503

---

Advantages of Tags

✔ Simplifies complex searches
✔ Groups multiple field values
✔ Improves data categorization
✔ Helps in knowledge management
✔ Useful for dashboards and reports

---

Simple Summary

A Tag in Splunk is a label assigned to field-value combinations to group similar events.

Example:

 

status=503  
status=505

 

Tagged as:

 

server_error

 

Search query:

 

tag=server_error

 

This returns all events that match those tagged values.

 

What are Apps in Splunk?

Splunk Apps are packages that extend the functionality of Splunk.
They contain configurations, dashboards, reports, searches, field extractions, and visualizations designed for specific use cases.

Apps help users analyze specific types of data quickly without building everything from scratch.

---

Components of a Splunk App

A Splunk App may contain several components:

Component	Description
Dashboards	Visual displays of data
Reports	Saved searches with results
Alerts	Notifications triggered by conditions
Field Extractions	Extract fields from raw data
Data Models	Structured data representation
Lookups	External reference data

These components work together to provide a complete monitoring or analysis solution.

---

Examples of Popular Splunk Apps

Some commonly used apps include:

App Name	Purpose
Splunk App for AWS	Monitor Amazon Web Services
Splunk App for Windows Infrastructure	Monitor Windows systems
Splunk App for Unix and Linux	Monitor Linux servers
Splunk Security Essentials	Security analytics
Splunk IT Service Intelligence (ITSI)	IT service monitoring

These apps are usually downloaded from Splunkbase, the official marketplace.

---

Installing Splunk Apps

There are two common ways to install apps.

Method 1 – From Splunkbase

Steps:

1. Go to Apps → Find More Apps
2. Search for the desired app
3. Click Install
4. Provide Splunkbase credentials

---

Method 2 – Manual Installation

Steps:

1. Download the app from Splunkbase
2. Go to Apps → Manage Apps
3. Click Install App from File
4. Upload the .spl or .tgz package

---

Managing Installed Apps

You can manage apps using:

 

Settings → Manage Apps

 

From here you can:

• Enable or disable apps
• Upgrade apps
• Configure permissions
• Remove apps

---

Example: Using an App

Suppose you install Splunk App for AWS.

The app automatically provides:

• AWS dashboards
• Cloud monitoring reports
• Prebuilt searches
• Alerts for cloud resources

This saves time compared to building everything manually.

---

Advantages of Splunk Apps

✔ Ready-to-use dashboards and reports
✔ Faster deployment for monitoring systems
✔ Easy integration with external platforms
✔ Customizable for specific business needs
✔ Extend Splunk capabilities

---

Types of Splunk Apps

Type	Description
Technology Add-ons (TA)	Data collection and field extraction
Visualization Apps	Custom dashboards
Security Apps	Security monitoring
Infrastructure Apps	Server and cloud monitoring

---

Simple Summary

A Splunk App is a packaged extension that adds dashboards, reports, alerts, and configurations to Splunk.

Example:

 

Apps → Install → Use dashboards & reports

 

They help users analyze specific data sources quickly and efficiently.

 

Splunk – Removing Data

What Does Removing Data Mean in Splunk?

In Splunk, removing data means deleting indexed events from the system so they are no longer searchable.

However, Splunk does not normally delete individual events easily because data is stored in indexed buckets for fast searching. Instead, data removal usually happens by:

• Deleting specific events using commands
• Deleting entire indexes
• Using data retention policies

---

Methods to Remove Data in Splunk

There are mainly three ways to remove data.

Method	Description
Using the delete command	Removes specific search results
Deleting an index	Removes all events stored in that index
Data retention policy	Automatically removes old data

---

1. Removing Events Using the delete Command

Splunk provides a delete command that marks events as deleted.

Example Search

 

index=main host=server1 | delete

 

This command:

• Finds events from host=server1
• Marks them as deleted

Important points:

• Events are not physically removed immediately
• They are hidden from search results

To use the delete command, the role must have can_delete permission.

---

2. Removing Data by Deleting an Index

If you want to remove all data, you can delete the entire index.

Steps:

1. Go to Settings
2. Click Indexes
3. Select the index
4. Delete or remove it

Example index:

 

index_web_logs

 

Deleting the index removes all events stored in that index.

---

3. Removing Data Using Data Retention Policies

This is the most common method in production environments.

Splunk automatically deletes old data based on:

• Maximum storage size
• Data retention period

Example configuration:

Setting	Example
Maximum index size	500 GB
Data retention	30 days

When the limit is reached:

• Splunk automatically removes older data buckets

---

Example Scenario

Suppose an index contains web logs.

Search:

 

index=web_logs status=404

 

If you want to remove these events:

 

index=web_logs status=404 | delete

 

These events will no longer appear in searches.

---

Important Notes

⚠ Splunk discourages frequent manual deletion because:

• It can affect index integrity
• It may cause performance issues

Instead, organizations usually rely on:

• Retention policies
• Index rotation

---

Advantages of Controlled Data Removal

✔ Saves storage space
✔ Maintains system performance
✔ Ensures compliance with data policies
✔ Prevents unnecessary data accumulation

---

Simple Summary

Removing data in Splunk means deleting events from indexes.

Main methods:

1️⃣ Using delete command

 

index=main host=server1 | delete

 

2️⃣ Deleting an index

3️⃣ Using automatic data retention policies

 

 

Splunk – Custom Chart

 

What is a Custom Chart in Splunk?

A Custom Chart in Splunk is a user-defined visualization created to display data in a specific way that is not available in the default chart options.

Splunk provides basic charts such as:

• Pie chart
• Bar chart
• Line chart
• Area chart
• Column chart

But sometimes organizations need specialized visualizations, which can be created using custom chart modules or visualization apps.

---

Why Custom Charts Are Used

Custom charts are used when:

• Default Splunk charts are not sufficient
• Special visualization is required
• Advanced dashboards are needed
• Interactive analytics is required

Examples include:

• Heat maps
• Radar charts
• Sankey diagrams
• Advanced timelines

---

Creating a Custom Chart

To create a custom chart in Splunk:

Step 1 – Run a Search Query

First run a search that produces statistical data.

Example:

 

index=web_application  
| stats avg(bytes) by file

 

This produces a table like:

file	avg(bytes)
file1	2048
file2	4096

---

Step 2 – Open Visualization Tab

After the results appear:

1. Click Visualization
2. Choose Chart Type

Splunk will display a default chart such as pie chart or bar chart.

---

Step 3 – Customize the Chart

Use the Format option to modify:

Setting	Purpose
Axis labels	Label X and Y axes
Legend	Display chart legends
Data labels	Show values on chart
Colors	Customize appearance
Chart title	Add meaningful title

---

Using Custom Visualization Apps

Splunk also supports custom visualization apps from Splunkbase.

Examples:

Visualization	Use Case
Sankey Diagram	Data flow analysis
Heat Map	Density analysis
Bubble Chart	Multivariable comparison
Gauge Chart	Performance monitoring

These visualizations can be installed via:

 

Apps → Find More Apps → Install Visualization

 

---

Example Custom Chart Query

Example SPL:

 

index=web_application  
| stats avg(bytes) by date_wday

 

Visualization result:

Day	Avg Bytes
Monday	3000
Tuesday	2500
Wednesday	3500

This can be displayed as:

• Bar chart
• Line chart
• Custom visualization

---

Advantages of Custom Charts

✔ Better data visualization
✔ More meaningful dashboards
✔ Supports advanced analytics
✔ Improves decision making
✔ Highly customizable

---

Simple Summary

A Custom Chart in Splunk is a specialized visualization created using search results and advanced chart configuration.

Steps:

1️⃣ Run search query
2️⃣ Open Visualization tab
3️⃣ Choose chart type
4️⃣ Customize using Format options

Example SPL:

 

index=web_application  
| stats avg(bytes) by file

 

 

Splunk - Monitor Files

 

 

What is File Monitoring in Splunk?

File Monitoring in Splunk means tracking files or directories for new data and automatically indexing that data.

When new data is written to a monitored file (such as log files), Splunk reads the new entries and adds them to its index so they can be searched and analyzed.

This is commonly used for application logs, server logs, and system logs.

---

How Splunk Monitors Files

Splunk uses a monitor input to watch files or directories.

Process:

1. User specifies file or directory path
2. Splunk reads the file
3. When new data appears, Splunk indexes it automatically

Example:

 

/var/log/apache/access.log

 

Whenever new logs appear in this file, Splunk captures and indexes them.

---

Monitoring Directories

Instead of monitoring a single file, you can monitor a complete directory.

Example:

 

/var/log/apache/

 

If the directory contains subdirectories, Splunk can also monitor them recursively.

Example structure:

 

/var/log/apache/  
      access.log  
      error.log  
      archive/  
           old_logs.log

 

Splunk can monitor all files inside this directory tree.

---

Monitoring Network or Shared Directories

Splunk can also monitor:

• Mounted directories
• Shared folders
• Network file systems

Condition:

✔ Splunk must have read permission for the directory.

---

Using Whitelist and Blacklist

Sometimes you only want to monitor specific files.

Splunk allows filtering using:

Option	Purpose
Whitelist	Include only specific files
Blacklist	Exclude specific files

Example:

Whitelist:

 

*.log

 

Blacklist:

 

debug.log

 

This means Splunk monitors all .log files except debug.log.

---

Important Behavior

If you disable or delete a monitor input:

• Splunk stops checking the file for new data
• But already indexed data remains searchable

So Splunk does not delete indexed data automatically.

---

Adding Files to Monitor (Using Splunk Web)

Steps:

Step 1 – Open Add Data

Go to:

 

Splunk Home → Add Data

 

---

Step 2 – Choose Monitor

Select:

 

Add Data → Monitor

 

This allows monitoring:

• Files
• Directories
• Network paths

---

Step 3 – Select File or Directory

Example:

 

/var/log/web_application.log

 

Splunk automatically detects:

• Source type
• Timestamp
• File structure

---

Step 4 – Confirm Settings

Splunk automatically configures:

• Source type
• Host
• Index

Then click Submit.

---

Viewing Monitored Data

After configuration, Splunk begins indexing events.

Example search:

 

index=main

 

Result:

Timestamp	Event
10:01	GET /index.html
10:02	POST /login

If new log entries appear, Splunk updates the results automatically.

---

Common Logs Monitored by Splunk

Splunk often monitors logs such as:

Log Type	Example
Web server logs	Apache, Nginx
Application logs	Java, .NET
System logs	Linux syslog
Security logs	Firewall logs

---

Advantages of File Monitoring

✔ Real-time log monitoring
✔ Automatic data indexing
✔ Easy integration with applications
✔ Supports large-scale log analysis

---

Simple Summary

File Monitoring in Splunk allows the system to watch files or directories and index new data automatically.

Steps:

1️⃣ Add data
2️⃣ Choose Monitor
3️⃣ Select file or directory
4️⃣ Splunk starts indexing new data

Example monitored file:

 

/var/log/web_access.log

 

Whenever new logs appear, Splunk captures and indexes them for analysis.

 

1. Splunk – Sort Command

What it Does

The sort command arranges search results in ascending or descending order based on one or more fields.

It works like ORDER BY in SQL.

Syntax

 

... | sort <field>

 

Examples

Sort results in ascending order

 

index=web_application | sort bytes

 

This sorts events by bytes from smallest to largest.

Sort results in descending order

 

index=web_application | sort - bytes

 

- means descending order.

Example Result

file	bytes
file1	200
file2	400
file3	800

---

2. Splunk – Top Command

What it Does

The top command finds the most frequent values in a field.

It shows:

• Top values
• Count
• Percentage

Syntax

 

... | top <field>

 

Example

 

index=web_application | top file

 

This shows which files appear most frequently in the logs.

Example Result

file	count	percent
index.html	120	40%
login.html	80	27%
about.html	50	17%

You can also limit the results.

 

index=web_application | top limit=5 file

 

This shows top 5 most frequent values.

---

3. Splunk – Stats Command

What it Does

The stats command performs statistical calculations on fields.

It is one of the most powerful commands in Splunk.

Syntax

 

... | stats <function>(field)

 

Common Statistical Functions

Function	Purpose
count	Count events
sum	Add values
avg	Average
max	Maximum value
min	Minimum value

---

Examples

Count events

 

index=web_application | stats count

 

Average file size

 

index=web_application | stats avg(bytes)

 

Average bytes by file

 

index=web_application | stats avg(bytes) by file

 

Example Result

file	avg(bytes)
file1	400
file2	650
file3	900

---

Key Differences

Command	Purpose	Example Use
sort	Order search results	Sort logs by size
top	Find most frequent values	Top visited pages
stats	Perform calculations	Average response time

---

Example Using All Three Together

 

index=web_application  
| stats avg(bytes) by file  
| sort - avg(bytes)

 

What happens here:

1. stats → calculates average bytes per file
2. sort → sorts results in descending order

---

Simple Summary

Command	What it Does
sort	Arranges results in ascending/descending order
top	Finds most frequent values
stats	Performs statistical calculations