Search Processing Language (SPL) Commands
References
Here are some good references
Identify Available Data
We can use metadata
to retrieve metadata about the data in our indexes. The type=sourcetypes
argument tells Splunk to return metadata about sourcetypes.
View all indices
| eventcount summarize=false index=* | dedup index | fields index
This command returns all available indices.

View sourcetypes
index="*" | stats count by sourcetype
| metadata type=sourcetypes index=* | table sourcetype
These commands return a list of all sourcetypes in the Spunk environment

View sources (data files)
index="*" | stats count by source
| metadata type=sources index=* | table source
These commands return a list of all data sources in the Splunk environment.

View Raw Data in sourcetypes
Once we have the sourcetypes, we can use sourcetype
to view the data they contain.
sourcetype="WinEventLog:Security" | table _raw
This command will return the raw data (actual file) for the specified source type.

View all data in sourcetype
sourcetype="WinEventLog:Security" | table *
This command will return the data in a table for the specified source type. NOTE: be cautious, as the use of table *
can result in a very wide table if our events have a large number of fields.\

View data in sourcetype
sourcetype="WinEventLog:Security" | fields Account_Name, EventCode
| table Account_Name, EventCode
This is a better approach, listing specific fields and creating a table is better for visualizing data.
View Field Summary
sourcetype="WinEventLog:Security" | fieldsummary
The above command is a great way to return just the fields using fieldsummary

This search will return a table that includes every field found in the events returned by the search (across the sourcetype we've specified). The table includes several columns of information about each field:
field
: The name of the field.count
: The number of events that contain the field.distinct_count
: The number of distinct values in the field.is_exact
: Whether the count is exact or estimated.max
: The maximum value of the field.mean
: The mean value of the field.min
: The minimum value of the field.numeric_count
: The number of numeric values in the field.stdev
: The standard deviation of the field.values
: Sample values of the field.
We may also see:
modes
: The most common values of the field.numBuckets
: The number of buckets used to estimate the distinct count.
NOTE: The values shown in this command are based on the provided time in our search. We need to specify it in the search!
index=* sourcetype=* | bucket _time span=1d | stats count by _time, index, sourcetype
| sort - _time
bucket
command is used to group the events based on the _time
field into 1-day buckets\

View uncommon events with rare
index=* sourcetype=* | rare limit=10 index, sourcetype
This query retrieves all data and finds the 10 rarest combinations of indexes and sourcetypes.

Basic Commands
By default a search query returns all results, but can be narrowed down with keywords, boolean operators, wildcards, and more.
fields
The fields
command specifies which fields should be included or excluded in the search results.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | fields - User
table
The table
command presents search results in a tabular format.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | table _time, host, Image
rename
The rename
command renames a field in the search results.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | rename Image as Process
dedup
The dedup
command removes duplicates.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | dedup Image
Sort
The sort
command sorts the search results. (example sorts results in decending order)
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | sort - _time
stats
The stats
command performs statistical operations. (example returns a table of timestamp (_time
) and a process (Image
)"
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | stats count by _time, Image
chart
The chart
command creates a data visualization based on statistical operations.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | chart count by _time, Image
eval
The eval
command creates or redefines fields. (example creates a new field Process_Path
which contains the lowercase version of the Image
field)
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | eval Process_Path=lower(Image)
rex
The rex
command extracts new fields from existing ones using regular expressions.
index="main" EventCode=4662 | rex max_match=0 "[^%](?<guid>{.*})" | table guid
index="main" EventCode=4662
filters the events to those in themain
index with theEventCode
equal to4662
. This narrows down the search to specific events with the specified EventCode.rex max_match=0 "[^%](?<guid>{.*})"
uses the rex command to extract values matching the pattern from the events' fields. The regex pattern{.*}
looks for substrings that begin with{
and end with}
. The[^%]
part ensures that the match does not begin with a%
character. The captured value within the curly braces is assigned to the named capture groupguid
.table guid
displays the extracted GUIDs in the output. This command is used to format the results and display only theguid
field.The
max_match=0
option ensures that all occurrences of the pattern are extracted from each event. By default, the rex command only extracts the first occurrence.
lookup
The lookup
command enriches the data with external sources
Suppose the following CSV file called malware_lookup.csv
.
filename, is_malware
notepad.exe, false
cmd.exe, false
powershell.exe, false
sharphound.exe, true
randomfile.exe, true
inputlookup
The inputlookup
command retrieves data from a lookup file without joining it to the search results.
| inputlookup malware_lookup.csv
Time Range
Every event in Splunk has a timestamp. We can limit the searches to specific time periods using the earliest
and latest
commands.
index="main" earliest=-7d EventCode!=1
transaction
The transaction command is used in Splunk to group events that share common characteristics into transcation.
index="main" sourcetype="WinEventLog:Sysmon" (EventCode=1 OR EventCode=3) | transaction Image startswith=eval(EventCode=1) endswith=eval(EventCode=3) maxspan=1m | table Image | dedup Image
subsearches
A subsearch in Splunk is a search that is nested inside another search.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 NOT [ search index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | top limit=100 Image | fields Image ] | table _time, Image, CommandLine, User, ComputerName
Identify Available Data
Splunk can ingest a wide variety of data sources. To identify available source types we can run the followning SPL commands:
Using fields command:
We can get Account_Name, EventCode and create a table of the summarized data.
sourcetype="WinEventLog:Security" | fields Account_Name, EventCode | table Account_Name, EventCode
View list of fields
If we can to get a list of fields we can use the command:
sourcetype="WinEventLog:Security" | fieldsummary
This command displays the 20 least common values of the ParentImage
field.
index="main" | rare limit=20 useother=f ParentImage
A more complex query can provide a detailed summary of fields. This search shows a summary of all fields (fieldsummary
), filters out fields that appear in less than 100 events (where count < 100
)
index=* sourcetype=* | fieldsummary | where count < 100 | table field, count, distinct_count
Good command:
index=* sourcetype=* | bucket _time span=1d | stats count by _time, index, sourcetype | sort - _time
A more complex query can provide a detailed summary of fields.
index=* | sistats count by index, sourcetype, source, host
Additional Commands
| eventcount summarize=false index=* | table index
This query uses eventcount
to count events in all indexes, then summarize=false
is used to display counts for each index separately, and finally, the table
command is used to present the data in tabular form.
| metadata type=sourcetypes
The result is a list of all sourcetypes
in our Splunk environment, along with additional metadata such as the first time a source type was seen (firstTime
), the last time it was seen (lastTime
), and the number of hosts (totalCount
).
Simpler view:
| metadata type=sourcetypes index=* | table sourcetype
Here, the metadata
command retrieves metadata about the data in our indexes.
In table form:
| metadata type=sources index=* | table source
Once we know our source types, we can investigate the kind of data they contain.
Say we're interesting in: WinEventLog:Security
sourcetype="WinEventLog:Security" | table _raw
The table
command generates a table with the specified fields as columns. Here, _raw
represents the raw event data. This command will return the raw data for the specified source type.
Last updated