Splunk Walklex Command
By Jay Young | Senior Splunk Consultant
Walklex Command:
You can use walklex to view the contents of the .tsidx files in the WebUI and the Command Line Interface. It is a generating command that shows the contents listed in warm and cold buckets. The walklex command only works on buckets that have merged a .tsidx file; this is why it is not supported for hot buckets.
Uses:
The walklex command returns the terms and location references stored in a tsidx file. Its uses include discovering frequently used terms, which can be leveraged to speed up searching with the | tstats command.
Example: Location References and Terms
Roles:
- The user's role must have the run_walklex or admin_all_objects capability.
- It can be executed from the command line interface on a single warm or cold bucket.
- Users with search filters applied to their roles cannot use walklex.
What is the .tsidx File:
- A time-series index file, occasionally referred to simply as an index file.
- It associates specific keywords in event data with location references (numbers).
- The .tsidx file is linked to a companion rawdata file.
- Every Splunk search scans the tsidx file for the search keywords.
- The search then uses the location references for those keywords to retrieve events from the rawdata file.
- Individual .tsidx files are also created for data models.
WalkLex Command-line Interface (CLI) Example:
How to use the walklex command in the CLI; this allows you to inspect a specific warm or cold bucket.
- cd /opt/splunk/var/lib/splunk/_internaldb/db/
- /opt/splunk/bin/splunk cmd walklex "/opt/splunk/var/lib/splunk/_internaldb/db/bucket name/add_name_of.tsidx" ""
Example of the walklex command: /opt/splunk/bin/splunk cmd walklex "/opt/splunk/var/lib/splunk/_internaldb/db/DIR/FILENAME.tsidx" "*"
CLI Output Example:
- Add > filename.txt to the end of the command to write the output to a text file you can open in a text editor.
- The quoted argument at the end of the CLI command is the pattern or term you want to search for:
Example:
Search everything: "*"
Search for a specific term: "src_ip"
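The CLI procedure above, wrapped in a small POSIX shell helper as an added example (not from the original post or from Splunk). It enforces the page's constraints before calling the CLI: it refuses hot buckets (no merged .tsidx yet), requires a warm or cold bucket directory, and writes one text file per .tsidx so the output can be opened in an editor. It assumes SPLUNK_HOME defaults to /opt/splunk and that warm/cold bucket directories are named db_* (or rb_* for replicated copies) while hot buckets are named hot_*.

```shell
#!/bin/sh
# Added example: run "splunk cmd walklex" over every merged .tsidx in one
# warm or cold bucket, writing each result to OUT_DIR/<bucket>.<tsidx>.txt.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # assumption: default install path

# walklex_bucket BUCKET_DIR PATTERN OUT_DIR
# Exit status: 2 for a hot or non-bucket directory, 3 when the bucket has
# no .tsidx file, otherwise the status of the last walklex invocation.
walklex_bucket() {
    bucket="$1"; pattern="$2"; outdir="$3"
    name=$(basename "$bucket")
    case "$name" in
        hot_*)  echo "refusing hot bucket $name: no merged .tsidx yet" >&2; return 2 ;;
        db_*|rb_*) ;;                        # warm/cold (or replicated) bucket
        *)      echo "not a bucket directory: $name" >&2; return 2 ;;
    esac
    mkdir -p "$outdir"
    found=0
    for tsidx in "$bucket"/*.tsidx; do
        [ -f "$tsidx" ] || continue          # glob did not match anything
        found=1
        out="$outdir/$name.$(basename "$tsidx" .tsidx).txt"
        # Same invocation as the CLI example: path to the .tsidx, then the
        # pattern ("*" for everything, or a single term such as "src_ip").
        "$SPLUNK_HOME/bin/splunk" cmd walklex "$tsidx" "$pattern" > "$out" || return $?
    done
    [ "$found" -eq 1 ] || { echo "no merged .tsidx in $name" >&2; return 3; }
    return 0
}
```

Usage: `walklex_bucket /opt/splunk/var/lib/splunk/_internaldb/db/db_1700000200_1700000100_7 "*" /tmp/walklex-out` (bucket name constructed for illustration).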
Using walklex in the Web UI:
You can find more about using walklex in the Splunk Web GUI in the Splunk documentation.
Splunk Documentation Ref: https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Walklex
Example WebUI Command:
| walklex prefix=foo type=fieldvalue index=foo | stats sum(count) by term
The walklex command attributes:
prefix/pattern=[term or pattern]
type=[fieldvalue, field, term]
index=[name]
Example WebUI Command and Output:
| walklex pattern=* type=fieldvalue index=_internal | stats sum(count) by term
The above example uses the pattern=* attribute to show every field value in the _internal index, together with the number of occurrences in the buckets for the selected time range.