Let's break down the search piece by piece:
| Search fragment | Description |
| --- | --- |
| `index=main` | All data in Splunk is held in one or more indexes. While not strictly required, it is good practice to name the index(es) you want to search: Splunk then scans only those indexes, which makes the search faster and keeps results from unrelated data out of the output. |
| `sourcetype=access_combined` | This restricts the search to events tagged with the `access_combined` source type, which in our case is the web access logs (Apache/NGINX combined log format). |
| `\| table _time, referer_domain, method, uri_path, action, JSESSIONID, useragent` | Using the `table` command, we take the result of the search to the left of the pipe and tell Splunk to return it in tabular format. Splunk will only display the fields specified after the `table` command in the ... |