Dissecting a Splunk query

A Splunk query consists of different clauses separated by the pipe symbol (|), as seen in Unix commands. For example, we can list the files in a folder and search for the inputs.conf filename all at once using the following command on a Unix command line:

$ ls -l | grep inputs.conf
-rw------- 1 botsuser botsuser 123 Jul 9 13:15 inputs.conf

The ls -l command lists all the files in the folder. The result of this command is passed to the grep command, which tells us whether the inputs.conf file is included in the list.

Let's look at another example. The following command determines whether the Splunk process is running on a Splunk server by running the ps command (left-hand side of the pipe) and performing a grep search (right-hand side):

$ ps -ef | grep splunkd
501 4010 1 ...
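The two commands above each have a single pipe. The analogy to a Splunk query is clearer with a longer chain, where each stage does one job: filter, extract a field, aggregate, sort. The following script is an added example, not from the book; it runs over a constructed set of sshd log lines (not a real capture) and counts failed password attempts per source address, which is the kind of work a Splunk search does with its search, stats and sort clauses.

```shell
#!/bin/sh
# Added example (not from the book): a multi-stage Unix pipeline in the same
# spirit as `ps -ef | grep splunkd`, but doing what a Splunk search does:
# filter events, pull out a field, aggregate, sort.
# The input below is a constructed set of sshd log lines, not a real capture.

SAMPLE_LOG='Jul  9 13:15:01 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 52110 ssh2
Jul  9 13:15:03 web01 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 52114 ssh2
Jul  9 13:15:05 web01 sshd[2205]: Accepted publickey for botsuser from 203.0.113.5 port 40022 ssh2
Jul  9 13:15:09 web01 sshd[2207]: Failed password for root from 192.0.2.44 port 61002 ssh2
Jul  9 13:15:12 web01 sshd[2209]: Failed password for root from 198.51.100.7 port 52120 ssh2'

# Stage 1: keep only the failed-password events (the "search" part).
failed_logins() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Failed password'
}

# Stages 2-4: extract the source IP (the token after "from"), count
# occurrences per IP, and sort descending by count.
# Output lines look like "<count> <ip>", highest count first.
failed_by_src() {
    failed_logins \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort \
        | uniq -c \
        | sort -rn \
        | awk '{print $1, $2}'
}

# How many failed attempts came from the busiest source address.
top_failed_count() {
    failed_by_src | head -n 1 | awk '{print $1}'
}

# Run stand-alone: print the per-source table.
failed_by_src
```

Read left to right, each pipe hands the previous stage's lines to the next, exactly as the page describes for ls and grep. A Splunk query chains its clauses the same way (a search clause followed by an aggregation such as a per-field count and then a sort), so a reader who can follow this shell pipeline can follow a Splunk query by reading it one pipe at a time.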