s3spladhoc
The command s3spladhoc queries files in S3 using S3 Select, with the select statement provided in the search command itself. It is intended for exploring data in S3 and for quick checks.
More information regarding the query syntax is available in the S3Select WHERE Clause documentation.
Arguments
| argument | required | format | description |
|---|---|---|---|
| bucket | yes | string | bucket used by the query |
| query | yes | string | WHERE statement of S3 Select SQL |
| replacements | no | string | kv-pairs used to replace tokens in query |
| timestamp_field | yes | string | field in S3 results containing the event's timestamp |
| timestamp_used | no | boolean | defines whether the time range given in the Splunk search is applied to the query |
| timestamp_format | no | string | string or None |
| index_field | no | string | field in S3 results containing the event's index |
| source_field | no | string | field in S3 results containing the event's source |
| sourcetype_field | no | string | field in S3 results containing the event's sourcetype |
| host_field | no | string | field in S3 results containing the event's host |
| raw_field | no | string | field in S3 results containing the event's raw text |
| fields | no | string | fields to be returned by S3Select |
| field_delimiter | no | string | delimiter used to separate fields in S3 results (for CSV files) |
| record_delimiter | no | string | delimiter used to separate records in S3 results (for CSV files) |
| threads | no | int | number of threads used to query S3 |
| max_results | no | int | the maximum number of events fetched from S3, defaults to unlimited |
Examples
Query S3 bucket firewall-archive with time constraints set using the search's time range picker and the prefix. The query checks the field timestamp against the time constraints in addition to the time constraints set in the prefix.
| s3spladhoc
bucket="firewall-archive"
timestamp_used="true"
timestamp_field="timestamp"
replacements=""
query="*"
Query S3 bucket firewall-archive with time constraints set using the search's time range picker and the prefix. The query only checks the time constraints set in the prefix. The field timestamp is still required for telling Splunk the time of the events.
| s3spladhoc
bucket="firewall-archive"
timestamp_used="false"
timestamp_field="timestamp"
replacements=""
query="*"
Query S3 bucket firewall-archive where the host and _raw fields are named dvc and event respectively.
| s3spladhoc
bucket="firewall-archive"
timestamp_used="false"
timestamp_field="timestamp"
replacements=""
query="*"
host_field="dvc"
raw_field="event"
Query S3 bucket firewall-archive where the host and _raw fields are named dvc and event respectively. The query only returns the fields dvc and event.
| s3spladhoc
bucket="firewall-archive"
timestamp_used="false"
timestamp_field="timestamp"
replacements=""
query="*"
host_field="dvc"
raw_field="event"
fields="dvc,event"
Query S3 bucket firewall-archive, setting dvc using a token replacement.
| s3spladhoc
bucket="firewall-archive"
timestamp_used="false"
timestamp_field="timestamp"
replacements="dvc=firewall-1"
query="dvc=$dvc$"
host_field="dvc"
raw_field="event"
fields="dvc,event"
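The token replacement in the last example is the point where a search-time value enters the S3 Select WHERE clause. The following Python, added here as an illustration and not part of S3SPL, shows one way to assemble such a statement with replacement values quoted as string literals and field names restricted to plain identifiers; the $token$ syntax, the key=value replacement format and the lexicographic timestamp comparison are assumptions made for this example.

```python
import re
# Assumed syntax for this illustration: tokens look like $name$ (as in the
# page's query="dvc=$dvc$") and replacements is a comma-separated key=value list.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def parse_replacements(spec):
    """'dvc=firewall-1,proto=tcp' -> {'dvc': 'firewall-1', 'proto': 'tcp'}."""
    pairs = {}
    for item in filter(None, (p.strip() for p in spec.split(","))):
        key, sep, value = item.partition("=")
        if not sep or not IDENT_RE.match(key):
            raise ValueError(f"bad replacement pair: {item!r}")
        pairs[key] = value
    return pairs

def sql_literal(value):
    """Quote a value as an S3 Select string literal; embedded quotes are
    doubled so the value cannot terminate the literal and extend the query."""
    return "'" + value.replace("'", "''") + "'"

def substitute_tokens(query, replacements):
    """Replace each $token$ with its quoted value; an unknown token is an
    error instead of being passed through to S3 Select."""
    def repl(match):
        name = match.group(1)
        if name not in replacements:
            raise KeyError(f"no replacement for token ${name}$")
        return sql_literal(replacements[name])
    return TOKEN_RE.sub(repl, query)

def build_select(query, replacements="", fields="", timestamp_field=None,
                 earliest=None, latest=None):
    """Assemble the statement: query='*' means no user condition; earliest and
    latest (ISO-8601 strings) bound timestamp_field, assuming the stored
    timestamps sort lexicographically. Field names must be plain identifiers."""
    names = [f.strip() for f in fields.split(",") if f.strip()]
    for name in names + ([timestamp_field] if timestamp_field else []):
        if not IDENT_RE.match(name):
            raise ValueError(f"invalid field name: {name!r}")
    conditions = []
    if query.strip() != "*":
        cond = substitute_tokens(query, parse_replacements(replacements))
        conditions.append(f"({cond})")
    if timestamp_field and earliest and latest:
        conditions.append(f"{timestamp_field} >= {sql_literal(earliest)} AND "
                          f"{timestamp_field} <= {sql_literal(latest)}")
    sql = "SELECT " + (", ".join(names) if names else "*") + " FROM S3Object"
    return sql + (" WHERE " + " AND ".join(conditions) if conditions else "")
```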
Permissions
With s3spladhoc the user can run arbitrary queries. The only restrictions applied while running s3spladhoc are the access restrictions at the bucket level.
By default, the command s3spladhoc is only visible to users with the role s3spl_adhoc. When the command is run, S3SPL validates that the user has read permission for the specified bucket. The command fails if the user does not have the required permission.