Converting Splunk Searches into Logscape


Logscape and Splunk share a lot of overlap, and there is one question we get asked quite often by people looking to migrate from Splunk to Logscape.

How do we convert Splunk searches and Workspaces into Logscape?

Unfortunately, there is no magic cure or "just click here" style solution. Fortunately, it is significantly easier than you might think.

We’re going to cover converting Splunk searches into their Logscape equivalent.


Controlling Scope

We’ll start simple, with a search that displays how many hosts are transmitting data.

Splunk: index=testsource source=*.log | stats dc(host)

Pretty simple. Logscape is equally easy:

Logscape: * | _type.equals(testsource) _host.count()

Both searches limit themselves to a certain set of files:

  • Splunk has the “testsource” index
  • Logscape has the “testsource” Datatype.

We then proceed to count the number of contributing hosts.

To tell Splunk that we don’t want logs from any host with "ship" in its name, we use the following syntax:

Splunk: NOT host=*ship*

Logscape: _host.exclude(ship)

This can be applied to any field in order to exclude values you are not interested in.

Gathering Metrics

Now is a good time to highlight one of the main differences between Logscape and Splunk when applying analytical functions.

  • Logscape chains the function onto the field of interest.
  • Splunk uses the field as an argument to the function.

Whilst very similar, this difference means the two read very differently.

Splunk: stats max(cpu)

Logscape: cpu.max()

Logscape also makes use of a pipe ( | ). Values placed before the pipe act as a keyword filter on your search, and using a keyword significantly improves search performance. Multiple keywords can be combined with the Boolean operators AND and OR. Logscape also supports capture groups using (): a capture group passes the matched value to your search, and you access it by its numeric index, e.g.

Logscape: (.*)Exception | 1.count() chart(stacked)


Logscape analytics are incredibly powerful and varied; you can find a full function reference on the Logscape Support Site.

Renaming a Value

Both Logscape and Splunk let you rename a field when it appears in the search results. Replacing the default name makes it more obvious what the value is showing.

Splunk: rename max(cpu) as "Max CPU"

Logscape: cpu.max(,Max_CPU)

In Logscape the rename is actually part of the analytic: when calling max we simply provide an additional argument.
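To make the mapping in the sections above concrete, here is a small rule-based translator, added as an example and not code from Logscape or Splunk. It handles only the constructs this page documents (index=, NOT host=*x*, bare keywords, stats dc()/max() and rename ... as "..."), treats a Splunk source= term as subsumed by the Logscape Datatype (an assumption), and refuses anything else rather than guessing syntax; the function name convert_search is hypothetical.

```python
import re

# Field and function mappings taken only from the examples on this page.
FIELD_MAP = {"host": "_host"}               # Splunk host  -> Logscape _host
FUNC_MAP = {"dc": "count", "max": "max"}    # stats dc(x) -> x.count(), max(x) -> x.max()

TERM_RE = re.compile(r"(?P<neg>NOT\s+)?(?P<key>\w+)=(?P<val>\S+)")
STATS_RE = re.compile(r"(?P<func>\w+)\((?P<field>\w+)\)")
RENAME_RE = re.compile(r'(?P<expr>\w+\(\w+\))\s+as\s+["“]?(?P<alias>[^"”]+)["”]?')


def convert_search(splunk: str) -> str:
    """Rewrite one Splunk search into the Logscape form shown on this page.

    Covers index=, NOT field=*x*, bare keywords, stats dc()/max() and
    rename ... as "...". Anything else raises rather than inventing syntax.
    """
    stages = [s.strip() for s in splunk.split("|")]
    filters, analytics, aliases = [], [], {}

    # Stage 1: the base search. key=value terms become Logscape filter clauses.
    base = stages[0]
    for m in TERM_RE.finditer(base):
        key, val = m["key"], m["val"].strip("*")
        if key == "index":                      # index -> Logscape Datatype
            filters.append(f"_type.equals({val})")
        elif key == "source":                   # assumption: file scoping is
            continue                            # already carried by the Datatype
        elif m["neg"]:                          # NOT host=*ship* -> _host.exclude(ship)
            filters.append(f"{FIELD_MAP.get(key, key)}.exclude({val})")
        else:
            raise ValueError(f"no mapping on this page for {m.group(0)!r}")
    # Whatever is left are bare terms; they go before the pipe as the keyword.
    keyword = " ".join(TERM_RE.sub("", base).split()) or "*"

    # Later stages: stats becomes chained analytics, rename becomes an alias argument.
    for stage in stages[1:]:
        cmd, _, rest = stage.partition(" ")
        if cmd == "stats":
            for s in STATS_RE.finditer(rest):
                if s["func"] not in FUNC_MAP:
                    raise ValueError(f"no mapping on this page for {s.group(0)!r}")
                analytics.append((s["func"], s["field"]))
        elif cmd == "rename" and (r := RENAME_RE.fullmatch(rest.strip())):
            aliases[r["expr"]] = r["alias"].replace(" ", "_")   # "Max CPU" -> Max_CPU
        else:
            raise ValueError(f"no mapping on this page for {stage!r}")

    rendered = []
    for func, field in analytics:
        alias = aliases.get(f"{func}({field})")
        rendered.append(f"{FIELD_MAP.get(field, field)}.{FUNC_MAP[func]}({',' + alias if alias else ''})")
    return f"{keyword} | " + " ".join(filters + rendered)
```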

Why we designed it this way

We believe that the Logscape syntax is intuitive and easy to read without being overly verbose, allowing our users to build powerful yet easy to understand searches.

We’ve also broken overlaid searches into multiple individual searches, which means even the most complicated search can easily be broken into its component parts, further improving the readability of a Logscape search.

In Conclusion

Converting from Splunk to Logscape is a relatively easy experience that we believe all users will be able to pick up quickly. If in doubt, check out the Logscape Support Website or contact the Logscape support team at support@logscape.com. We hope you enjoy using Logscape, and have a great day.

Regards,

The Logscape Team