Splunk

The document discusses the search processing language (SPL) used in Splunk. It describes SPL syntax and commands for searching, filtering, modifying, and visualizing data. It also provides details on working with time values and formats in SPL queries.

SPL ----- Search Processing Language

SPL encompasses all the search commands and their functions, arguments, and clauses.
Its syntax was originally based on the Unix pipeline and SQL. The scope of SPL
includes data searching, filtering, modification, manipulation, insertion and deletion.

SPL in Splunk ---->
It is the primary way users interact with data in Splunk, used to:
---> query
---> calculate
---> transform
---> organize
---> visualize and manipulate

pipe: take the output of the previous command, do something to it, then pass the result to the next command (search | command | command ...)

TIME:

Timestamps are parsed at index time, converted to UNIX time (seconds since the epoch) and stored in the _time field.

Specify absolute time ranges using SPL:

earliest=<%m/%d/%Y:%H:%M:%S> latest=<%m/%d/%Y:%H:%M:%S>

earliest=01/14/2021:16:32:00 latest=01/14/2021:17:32:00

(latest must be after earliest; with both equal the window is empty and the search returns nothing.)

Relative time modifiers (counted from now; @<unit> snaps back to the start of that unit):

-30m   ---> 30 minutes ago
-7d    ---> 7 days ago
+1d    ---> 1 day from now
-7d@d  ---> 7 days ago, then back to midnight
now    ---> the current time (the default for latest)
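The time-range values above, worked through in Python as an added example (this is a re-implementation of the documented behaviour for illustration, not Splunk's own code). It resolves the absolute %m/%d/%Y:%H:%M:%S form, a bare epoch value, "now", and relative modifiers with optional snap-to (-7d@d, @w0 for the start of the week on Sunday, -1mon@mon for the start of last month). The unit names come from the Splunk docs; EXAMPLE_NOW is a constructed "now", and every time is assumed to be UTC, where Splunk would use the user's configured timezone. time_range() also rejects the empty-window mistake (earliest equal to latest) that is easy to make when copying absolute times.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE_FORMAT = "%m/%d/%Y:%H:%M:%S"          # the earliest=/latest= form shown above

# unit names accepted in modifiers, mapped to one canonical name (from the Splunk docs)
UNIT_ALIASES = {}
for _canonical, _aliases in {
    "seconds": ("s", "sec", "secs", "second", "seconds"),
    "minutes": ("m", "min", "minute", "minutes"),
    "hours": ("h", "hr", "hrs", "hour", "hours"),
    "days": ("d", "day", "days"),
    "weeks": ("w", "week", "weeks"),
    "months": ("mon", "month", "months"),
    "years": ("y", "yr", "yrs", "year", "years"),
}.items():
    for _alias in _aliases:
        UNIT_ALIASES[_alias] = _canonical

# a modifier is a run of tokens: an offset (+N<unit> / -N<unit>) or a snap (@<unit>, @w<N> = weekday)
_TOKEN = re.compile(r"([+-])(\d+)([a-z]+)|@([a-z]+)(\d*)")
_GRAMMAR = re.compile(r"(?:[+-]\d+[a-z]+|@[a-z]+\d*)+")

EXAMPLE_NOW = datetime(2021, 1, 14, 16, 32, 0, tzinfo=timezone.utc)   # constructed "now" (a Thursday)

_FLOOR = {
    "seconds": dict(microsecond=0),
    "minutes": dict(second=0, microsecond=0),
    "hours": dict(minute=0, second=0, microsecond=0),
    "days": dict(hour=0, minute=0, second=0, microsecond=0),
    "months": dict(day=1, hour=0, minute=0, second=0, microsecond=0),
    "years": dict(month=1, day=1, hour=0, minute=0, second=0, microsecond=0),
}


def _add_months(dt, n):
    """Shift dt by n calendar months, clamping the day (Mar 31 - 1mon -> Feb 28/29)."""
    index = dt.month - 1 + n
    year, month = dt.year + index // 12, index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _offset(dt, sign, amount, unit):
    n = amount if sign == "+" else -amount
    if unit == "months":
        return _add_months(dt, n)
    if unit == "years":
        return _add_months(dt, 12 * n)
    return dt + timedelta(**{unit: n})


def _snap(dt, unit, arg):
    """Truncate dt to the start of the unit; for weeks, arg picks the weekday (0 = Sunday, the default)."""
    if unit in _FLOOR:
        return dt.replace(**_FLOOR[unit])
    if unit == "weeks":
        day = dt.replace(**_FLOOR["days"])
        target = int(arg) if arg else 0
        splunk_weekday = (day.weekday() + 1) % 7        # Python Monday=0 -> Splunk Sunday=0
        return day - timedelta(days=(splunk_weekday - target) % 7)
    raise ValueError(f"cannot snap to {unit}")


def resolve(spec, now=None):
    """Turn one earliest=/latest= value into an aware datetime."""
    now = now or datetime.now(timezone.utc)
    if spec == "now":
        return now
    if re.fullmatch(r"\d+", spec):                      # bare epoch seconds
        return datetime.fromtimestamp(int(spec), tz=now.tzinfo)
    try:
        return datetime.strptime(spec, ABSOLUTE_FORMAT).replace(tzinfo=now.tzinfo)
    except ValueError:
        pass
    if not _GRAMMAR.fullmatch(spec):
        raise ValueError(f"unrecognised time modifier: {spec!r}")
    dt = now
    for sign, amount, unit, snap_unit, snap_arg in _TOKEN.findall(spec):
        if snap_unit:
            dt = _snap(dt, UNIT_ALIASES[snap_unit], snap_arg)
        else:
            dt = _offset(dt, sign, int(amount), UNIT_ALIASES[unit])
    return dt


def time_range(earliest, latest="now", now=None):
    """Resolve both bounds and refuse an empty window (earliest not before latest)."""
    now = now or datetime.now(timezone.utc)
    start, end = resolve(earliest, now), resolve(latest, now)
    if start >= end:
        raise ValueError(f"empty window: earliest {start} is not before latest {end}")
    return start, end


if __name__ == "__main__":
    for spec in ("-30m", "-7d", "+1d", "-7d@d", "@w0", "-1mon@mon", "01/14/2021:16:32:00"):
        print(f"{spec:>20} -> {resolve(spec, EXAMPLE_NOW).isoformat()}")
```

The snap is applied after the offset in the order the tokens are written, which is why -7d@d lands on midnight seven days back rather than seven days before this morning's midnight; the two differ only in the hour, but for a saved search that runs on a schedule the difference decides whether events at the edge are counted twice or missed.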

Date and time format variables (used by strftime/strptime and in the time-range formats above)

Date and time variables (produce both a date and a time):

  %c   The date and time in the current locale's format as defined by the server's
       operating system. For example, Thu Jul 18 09:30:00 2019 for US English on Linux.
  %+   The date and time with time zone in the current locale's format as defined by
       the server's operating system. For example, Thu Jul 18 09:30:00 PDT 2019 for US
       English on Linux.

Time variables (produce a time):

  %Ez  Splunk-specific, timezone in minutes.
  %H   Hour (24-hour clock) as a decimal number, 00 to 23. Leading zeros are accepted
       but not required.
  %I   Hour (12-hour clock), 01 to 12. Leading zeros are accepted but not required.
  %k   Like %H, the hour (24-hour clock) as a decimal number, but a leading zero is
       replaced by a space ( 0 to 23).
  %M   Minute as a decimal number, 00 to 59. Leading zeros are accepted but not required.
  %N   The number of subsecond digits. The default is %9N. You can specify %3N =
       milliseconds, %6N = microseconds, %9N = nanoseconds.
  %p   AM or PM.
  %Q   The subsecond component of a UTC timestamp. The default is milliseconds, %3Q.
       Valid values are:
         %3Q = milliseconds, 000-999
         %6Q = microseconds, 000000-999999
         %9Q = nanoseconds, 000000000-999999999
  %S   Second as a decimal number, 00 to 59.
  %s   The Unix epoch timestamp, the number of seconds since 1970-01-01 00:00:00 +0000
       (UTC). For example, 1484993700 is Sat Jan 21 10:15:00 2017 UTC.
  %T   The time in 24-hour notation (%H:%M:%S). For example 23:59:59.
  %X   The time in the format for the current locale. For US English the format for
       9:30 AM is 9:30:00.
  %Z   The timezone abbreviation. For example EST for US Eastern Standard Time.
  %z   The timezone offset from UTC, in hours and minutes: +hhmm or -hhmm. For example,
       5 hours before UTC is -0500, which is US Eastern Standard Time.
       Variants:
         %z     hour and minute, for example -0500
         %:z    hour and minute separated by a colon, for example -05:00
         %::z   hour, minute and second separated by colons, for example -05:00:00
         %:::z  hour only, for example -05
  %%   A literal "%" character.

Date variables (produce a date):

  %F   Equivalent to %Y-%m-%d (the ISO 8601 date format).
  %x   The date in the format of the current locale. For example, 7/13/2022 for US English.

Days and weeks:

  %A   Full weekday name (Sunday, ..., Saturday).
  %a   Abbreviated weekday name (Sun, ..., Sat).
  %d   Day of the month as a decimal number, with a leading zero (01 to 31).
  %e   Like %d, but a leading zero is replaced by a space ( 1 to 31).
  %j   Day of year as a decimal number, with leading zeros (001 to 366).
  %V   ISO 8601 week of the year (01 to 53).
  %w   Weekday as a decimal number (0 = Sunday, ..., 6 = Saturday).

Months:

  %b   Abbreviated month name (Jan, Feb, etc.).
  %B   Full month name (January, February, etc.).
  %m   Month as a decimal number (01 to 12). Leading zeros are accepted but not required.

Year:

  %y   Year without the century (00 to 99). Leading zeros are accepted but not required.
  %Y   Year with century. For example, 2022.

-==========-====-=-===-=====================================
Converting time using strftime

We can convert _time into the format we want at search time using an eval expression,
strftime, and the time variables listed above. strftime takes an epoch value and returns
a string; strptime does the reverse (string to epoch) using the same variables.

| eval <new field> = strftime(<time field>, "<format>")

| eval new_time = strftime(_time, "%I:%M %p")
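An added example, serving both the variable table and the strftime conversion above: a Python rendering of strftime() that layers the Splunk-specific variables (%N/%3N/%6N/%9N, %Q/%3Q/%6Q/%9Q, %Ez, %:z, %::z, %:::z) and %s on top of Python's own strftime, which already handles the standard ones (%Y %m %d %H %M %S %I %p %a %b %z ...). It is this page's illustration, not Splunk's implementation. Assumptions: the timezone is passed in explicitly (Splunk uses the user's configured timezone), %Ez is rendered as the UTC offset in whole minutes, and EXAMPLE_EPOCH and EASTERN are constructed values for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Splunk-specific variables handled here; everything else is left to datetime.strftime
_SPLUNK_TOKEN = re.compile(r"%%|%(?:[369]?[NQ]|Ez|:{1,3}z|s)")

EXAMPLE_EPOCH = 1484993700.5                         # constructed: 2017-01-21 10:15:00.5 UTC
EASTERN = timezone(timedelta(hours=-5))              # constructed fixed-offset zone (UTC-5)


def _expand_splunk_tokens(dt, fmt):
    nanos = f"{dt.microsecond:06d}000"               # microseconds, zero-padded out to 9 digits
    offset_min = int((dt.utcoffset() or timedelta(0)).total_seconds()) // 60
    sign = "-" if offset_min < 0 else "+"
    hh, mm = divmod(abs(offset_min), 60)

    def expand(match):
        tok = match.group(0)
        if tok == "%%":                              # escaped percent: strftime turns it into "%"
            return tok
        if tok[-1] in "NQ":                          # %N = 9 digits, %Q = 3, %3N/%6Q/... = that many
            width = int(tok[1]) if tok[1].isdigit() else (9 if tok[-1] == "N" else 3)
            return nanos[:width]
        if tok == "%s":
            return str(int(dt.timestamp()))
        if tok == "%Ez":
            return str(offset_min)
        if tok == "%:z":
            return f"{sign}{hh:02d}:{mm:02d}"
        if tok == "%::z":
            return f"{sign}{hh:02d}:{mm:02d}:00"
        return f"{sign}{hh:02d}"                     # %:::z

    return _SPLUNK_TOKEN.sub(expand, fmt)


def splunk_strftime(epoch, fmt, tz=timezone.utc):
    """Render epoch the way | eval x=strftime(_time, fmt) would for a user in timezone tz."""
    dt = datetime.fromtimestamp(epoch, tz=tz)
    return dt.strftime(_expand_splunk_tokens(dt, fmt))


if __name__ == "__main__":
    for fmt, tz in (
        ("%a %b %d %H:%M:%S %Y", timezone.utc),      # the %s example from the table
        ("%I:%M %p", timezone.utc),                  # the eval example above
        ("%Y-%m-%dT%H:%M:%S.%3N%:z", EASTERN),       # ISO 8601 with milliseconds and offset
        ("%s %Ez %z %::z %:::z", EASTERN),
    ):
        print(f"{fmt:28} -> {splunk_strftime(EXAMPLE_EPOCH, fmt, tz)}")
```

The subsecond digits are truncated, not rounded, and %3N on a timestamp indexed with only second precision prints 000, so a format like "%Y-%m-%dT%H:%M:%S.%3N%:z" is the one to use when the output has to be correlated with another system's logs: it carries the offset, so two events from different timezones can be ordered without guessing.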

Basic searching:

host=<host> source=<source> user=* (message=fail* OR message=lock*) | table _time user message | sort -_time

(a single = compares a field value; == is not search syntax. Terms are ANDed by default, so the
parentheses are needed to keep the OR between the two message patterns only. sort -_time puts
the newest events first.)

# After running the search we can create a table view and add any field we want to the table;
# click Done and save the table.

# After that we can visualize it with Pivot (a View option under Explore):
# split rows as required, then view the visualization.

# We can save it as a dashboard as well.

# distinct IP addresses per domain, first 50 rows (avg() only works on numeric values, so avg(ipaddr) returns nothing useful):
... | stats dc(ipaddr) AS unique_ips by domain | head 50

# Dashboards can be backed up by exporting their source.

# new time format ---> | eval new_time=strftime(_time, "%Y %m-%d %I:%M%p") | table _time new_time
# (%m is the month; %M is minutes, so "%Y %M-%d" would print the minute in place of the month)
