Felipe Borges Bumbleblo
ChrisYounger
/ splunk_datatypesbnf
Created
January 26, 2019 09:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [bool] | |
| syntax = t|true|f|false | |
| [field] | |
| syntax = <fvalue> | |
| [field-and-value] | |
| syntax = <field>/s*=/s*<fvalue> | |
| [field-and-value-list] | |
| syntax = (?:<field-and-value>)+ | |
| [field-list] | |
| syntax = <field>(?:[ ,]+<field>)* |
ChrisYounger
/ splunk_searchbnf
Created
January 26, 2019 09:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # the output from running "/opt/splunk/bin/splunk btool searchbnf list" on a fairly default Splunk 7.2 instance | |
| [abstract-command] | |
| alias = excerpt | |
| appears-in = 3.0 | |
| category = formatting | |
| commentcheat = Show a summary of up to 5 lines for each search result. | |
| description = Produce an abstract -- a summary or brief representation -- of the text of search results. The original text is replaced by the summary, which is produced by a scoring mechanism. If the event is larger than the selected maxlines, those with more terms and more terms on adjacent lines are preferred over those with fewer terms. If a line has a search term, its neighboring lines also partially match, and may be returned to provide context. When there are gaps between the selected lines, lines are prefixed with "...". \p\ | |
| If the text of a result has fewer lines or an equal number of lines to maxlines, no change will occur.\i\ | |
| * <maxlines> accepts values from 1 - 500. \i\ |