s3splquery
The command s3splquery queries files in S3 using S3Select with a query saved in S3SPL. The usage of saved queries allows sharing of queries with other users and allows for access restrictions on a per-query basis.
Arguments
| argument | required | format | description |
|---|---|---|---|
| bucket | yes | string | bucket used by the query |
| query_name | yes | string | name of the query to run |
| replacements | no | string | kv-pairs used to replace tokens in query |
| threads | no | int | number of threads used to query S3 |
| max_results | no | int | the maximal count of events fetched from S3, defaults to unlimited |
All other fields are taken from the stored query. If replacements are given, the user-supplied KV-pairs are merged with the ones saved in the query; where the same key is defined in both the user's input and the saved arguments, the user-provided value takes precedence.
Examples
Query S3 bucket firewall-archive with time constraints set using the search's time range picker and prefix. The query will check the field timestamp for the time constraints in addition to the time constraints set in the prefix.

| Default Field | Default Value |
|---|---|
| query | * |
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements | |

```
| s3splquery
bucket="firewall-archive"
query_name="firewall-logs"
replacements=""
```
Query S3 bucket firewall-archive with time constraints set using the search's time range picker and prefix. The query only checks the time constraints set in the prefix. The field timestamp is still required for telling Splunk the time of the events.

| Default Field | Default Value |
|---|---|
| query | * |
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements | |

```
| s3splquery
bucket="firewall-archive"
query_name="firewall-logs"
replacements=""
```
Query S3 bucket firewall-archive with the host and _raw fields named dvc and event respectively.

| Default Field | Default Value |
|---|---|
| query | * |
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements | |
| host_field | dvc |
| raw_field | event |

```
| s3splquery
bucket="firewall-archive"
query_name="firewall-logs"
replacements=""
```
Query S3 bucket firewall-archive with the host and _raw fields named dvc and event respectively. The query will only return the fields dvc and event.

| Default Field | Default Value |
|---|---|
| query | * |
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements | |
| host_field | dvc |
| raw_field | event |
| fields | dvc,event |

```
| s3splquery
bucket="firewall-archive"
query_name="firewall-logs"
replacements=""
```
Query S3 bucket firewall-archive, setting dvc through a token replacement: the saved query contains the token $dvc$, which is replaced by the value passed in replacements.

| Default Field | Default Value |
|---|---|
| query | dvc=$dvc$ |
| timestamp_field | timestamp |
| timestamp_used | false |
| replacements | |
| host_field | dvc |
| raw_field | event |
| fields | dvc,event |

```
| s3splquery
bucket="firewall-archive"
query_name="firewall-logs"
replacements="dvc=firewall-1"
```
Permissions
Each query has roles with read and/or write permissions assigned. The user executing a query needs read permission for the query and execution permission for the command. Execution permission is granted by the role s3spl_user.
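The following Python model ties together the two rules this page states: the permission check (read permission on the saved query plus the s3spl_user execution role) and the replacement handling (user-supplied KV-pairs merged over the saved ones with user precedence, then $token$ substitution in the saved query). It is an added example, not code from the S3SPL app. The saved-query store, its role lists, the comma separator between KV-pairs and the character whitelist applied to replacement values are assumptions made for the example; the page does not define them.

```python
"""Model of how an s3splquery run is resolved, as described on the page.

Added example with assumed data structures; not the S3SPL app's own code.
"""
import re

EXEC_ROLE = "s3spl_user"  # execution role named on the page
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")  # $dvc$ style tokens
# Assumed defensive whitelist: a replacement value is plain data, so it may not
# carry quotes or operators into the query text built from the saved query.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9_.:@/ -]*$")

# Constructed saved query mirroring the last example on the page; the saved
# replacement default and the role lists are invented for this example.
SAVED_QUERIES = {
    "firewall-logs": {
        "query": "dvc=$dvc$",
        "timestamp_field": "timestamp",
        "timestamp_used": False,
        "replacements": {"dvc": "firewall-0"},
        "host_field": "dvc",
        "raw_field": "event",
        "fields": ["dvc", "event"],
        "read_roles": {"soc_analyst", "admin"},
        "write_roles": {"admin"},
    }
}


def parse_replacements(text):
    """Parse the replacements argument into a dict (comma separator assumed)."""
    out = {}
    for pair in filter(None, (p.strip() for p in text.split(","))):
        if "=" not in pair:
            raise ValueError(f"replacement without '=': {pair!r}")
        key, value = pair.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def merge_replacements(saved, user):
    """Merge saved and user KV-pairs; the user's value wins on a shared key."""
    merged = dict(saved)
    merged.update(user)
    return merged


def render_query(query, replacements):
    """Replace every $token$; refuse unknown tokens and unsafe values."""
    def substitute(match):
        name = match.group(1)
        if name not in replacements:
            raise KeyError(f"no replacement for token ${name}$")
        value = replacements[name]
        if not SAFE_VALUE_RE.match(value):
            raise ValueError(f"unsafe replacement value for {name}: {value!r}")
        return value
    return TOKEN_RE.sub(substitute, query)


def authorize(user_roles, saved):
    """Read permission on the query and the execution role are both required."""
    return EXEC_ROLE in user_roles and bool(user_roles & saved["read_roles"])


def resolve_run(user_roles, bucket, query_name, replacements="", max_results=None):
    """Return the effective parameters of a run, or raise if it is not allowed."""
    saved = SAVED_QUERIES.get(query_name)
    if saved is None:
        raise KeyError(f"unknown saved query {query_name!r}")
    if not authorize(set(user_roles), saved):
        raise PermissionError(
            f"missing read permission on {query_name!r} or the {EXEC_ROLE} role")
    merged = merge_replacements(saved["replacements"], parse_replacements(replacements))
    return {
        "bucket": bucket,  # bucket is a required command argument on the page
        "query": render_query(saved["query"], merged),
        "timestamp_field": saved["timestamp_field"],
        "timestamp_used": saved["timestamp_used"],
        "host_field": saved["host_field"],
        "raw_field": saved["raw_field"],
        "fields": list(saved["fields"]),
        "max_results": max_results,  # None models the page's "unlimited" default
    }


if __name__ == "__main__":
    run = resolve_run({"soc_analyst", "s3spl_user"}, "firewall-archive",
                      "firewall-logs", replacements="dvc=firewall-1")
    print(run["query"])  # dvc=firewall-1
```

Calling resolve_run with a role set lacking s3spl_user, or lacking every read role of the saved query, raises PermissionError before any replacement is applied, which matches the order of checks the page implies: authorization first, then the per-query arguments.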