For unix users, the following scripts should be familiar -- you grep out all the lines you are interested in, then pipe them into other commands.
grep "hello" Hello.txt | cut -d ' ' -f1,2,3 | sort | uniq
splunk scripts work the same way: you find all the events you are interested in, then pipe them to a "fields" command to remove un-interested fields, then pipe to "sort" command to sort by firstname, then pipe to "dedup" command to remove duplicates on these interested fields, then pipe to "table" command to generate a table with 3 columns, then pipe the table to a "rename" command to replace the header strings. The end result: a table is draw on the webpage with the events you found.
index=nyStore firstname=swim earlist=-3h | fields firstname, lastname, instructor | sort firstname | dedup firstname, lastname, instructor | table firstname, lastname, instructor | rename firstname as "First Name", lastname as "Last Name"
You can do statistics with the events: In the following example, what the command "stats" do is: for each people (firstname lastname), it counts the total events involve her, her number of instructors, her total scores and GPA. The final result: a 6 column table is draw on the webpage. The table headers are firstname, lastname, total, instructor, total scores, GPA.
index=nyStore firstname=swim earlist=-3h | fields firstname, lastname, instructor, score | stats count as total, distinct_count(instructor) as instructor, sum(score) as "total scores", avg(score) as GPA by firstname, lastname | sort GPA
If you think table is boring, you can draw graph instead. Table or graph are just different representations of the same data. Splunk put various tables and graphs into one webpage -- the so called dashboard. The code for a dashboard is the form xml file. In that sparse xml file, the SPL query is where you spent 90% of the time, you switch between table or graph by replacing <table></table> with <chart></chart> in the xml file in 5 seconds. You probably get a stylish dashboard for free by copying your colleague's code as a template.
