Search Processing Language (SPL) Commands
Last updated
Here are some good references
We can use metadata to retrieve metadata about the data in our indexes. The type=sourcetypes argument tells Splunk to return metadata about sourcetypes.
This command returns all available indices.
These commands return a list of all sourcetypes in the Splunk environment.
These commands return a list of all data sources in the Splunk environment.
Once we have the sourcetypes, we can use sourcetype to view the data they contain.
This command will return the raw data (actual file) for the specified source type.
This command will return the data in a table for the specified source type. NOTE: be cautious, as the use of table * can result in a very wide table if our events have a large number of fields.
A better approach is to list specific fields; a table built from selected fields is much easier to read and visualize.
The command above is a great way to return just the fields, using fieldsummary.
This search will return a table that includes every field found in the events returned by the search (across the sourcetype we've specified). The table includes several columns of information about each field:
field
: The name of the field.
count
: The number of events that contain the field.
distinct_count
: The number of distinct values in the field.
is_exact
: Whether the distinct count is exact or estimated.
max
: The maximum value of the field.
mean
: The mean value of the field.
min
: The minimum value of the field.
numeric_count
: The number of numeric values in the field.
stdev
: The standard deviation of the field.
values
: Sample values of the field.
We may also see:
modes
: The most common values of the field.
numBuckets
: The number of buckets used to estimate the distinct count.
NOTE: The values returned by this command depend on the time range of the search, so we need to set the time range explicitly in the search!
The bucket command is used to group events based on the _time field into 1-day buckets.
This query retrieves all data and finds the 10 rarest combinations of indexes and sourcetypes.
By default a search query returns all results, but can be narrowed down with keywords, boolean operators, wildcards, and more.
The fields command specifies which fields should be included in or excluded from the search results.
The table command presents search results in a tabular format.
The rename command renames a field in the search results.
The dedup command removes duplicate events.
The sort command sorts the search results (the example sorts results in descending order).
The stats command performs statistical operations (the example returns a table of timestamp (_time) and process (Image)).
The chart command creates a data visualization based on statistical operations.
The eval command creates or redefines fields (the example creates a new field Process_Path which contains the lowercase version of the Image field).
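The three searches below are an added example, not searches from the original page, pulling the commands above into working pipelines. They assume Sysmon process-creation events are indexed in main under the sourcetype WinEventLog:Sysmon with the fields Image, ParentImage and User (the sourcetype and field names are assumptions for illustration). The first search filters, derives and tabulates individual events; the second summarizes with stats; the third builds a chart.

```spl
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
| fields _time, host, User, Image, ParentImage
| eval Process_Path=lower(Image)
| rename User AS Account_Name
| dedup host, Account_Name, Process_Path
| sort 0 -_time
| table _time, host, Account_Name, Process_Path, ParentImage

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
| eval Process_Path=lower(Image)
| stats count AS launches, dc(host) AS hosts, min(_time) AS first_seen, max(_time) AS last_seen BY Process_Path
| convert ctime(first_seen) ctime(last_seen)
| sort -launches

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
| eval Process_Path=lower(Image)
| chart limit=10 useother=f count OVER host BY Process_Path
```

Two points worth noting. Putting fields early in the pipeline drops columns before later commands see them, which keeps searches cheap. sort keeps only the first 10,000 results by default; the leading 0 in sort 0 -_time removes that limit. Lower-casing Image before dedup and stats matters because Windows paths are not case-consistent in logs, so without it the same binary can appear as several distinct values.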
The rex command extracts new fields from existing ones using regular expressions.
index="main" EventCode=4662 filters the events to those in the main index with the EventCode equal to 4662. This narrows down the search to the specific events with that EventCode.
rex max_match=0 "[^%](?<guid>{.*})" uses the rex command to extract values matching the pattern from the events. The regex pattern {.*} looks for substrings that begin with { and end with }. The [^%] part consumes the character immediately before the opening brace and requires it to be something other than %, so a brace preceded by % is skipped. The captured substring, braces included, is assigned to the named capture group guid.
table guid displays the extracted GUIDs in the output. This command is used to format the results and display only the guid field.
The max_match=0 option ensures that all occurrences of the pattern are extracted from each event. By default, the rex command only extracts the first occurrence.
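As an added example (not a search from the original page), the first search below runs the page's rex pattern and adds the Account_Name field of the 4662 event so each GUID is tied to the account that accessed it; the second swaps in a stricter GUID pattern and counts accesses per GUID. The sourcetype WinEventLog:Security and the Account_Name field are assumed names for the Windows Security log.

```spl
index="main" sourcetype="WinEventLog:Security" EventCode=4662
| rex max_match=0 "[^%](?<guid>{.*})"
| table _time, Account_Name, guid

index="main" sourcetype="WinEventLog:Security" EventCode=4662
| rex max_match=0 "[^%](?<guid>\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})"
| stats count AS accesses, dc(Account_Name) AS accounts BY guid
| sort -accesses
```

The reason for the second pattern: .* is greedy, so when several braced values sit on one line of the event, {.*} captures from the first { to the last } and merges them into a single value. Spelling out the 8-4-4-4-12 hexadecimal shape of a GUID makes each capture stop at its own closing brace. With max_match=0 the guid field is multivalue, and stats BY guid counts every value separately, which gives a per-object baseline of which directory objects are read and by how many accounts.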
The lookup command enriches the data with external sources.
Suppose the following CSV file called malware_lookup.csv.
The inputlookup command retrieves data from a lookup file without joining it to the search results.
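An added example, not the page's own search, showing both commands against malware_lookup.csv. The contents of that CSV are not shown on the page, so the example assumes it has two columns, filename and is_malware, with lower-case file names; the Sysmon sourcetype and the Image and User field names are also assumed.

```spl
| inputlookup malware_lookup.csv

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
| eval filename=lower(mvindex(split(Image, "\\"), -1))
| lookup malware_lookup.csv filename OUTPUT is_malware
| where is_malware="TRUE"
| table _time, host, User, Image, filename, is_malware
```

The first search simply lists the lookup rows, which is a quick way to confirm the file was uploaded and the column names match what the second search uses. In the second search, split on the backslash and mvindex(..., -1) take the last path component, and lower() matters because lookup matching is case-sensitive by default: a lookup row for mimikatz.exe will not match an event that logged Mimikatz.exe unless both sides are normalized. Events with no matching row get no is_malware value, so the where clause keeps only the hits.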
Every event in Splunk has a timestamp. We can limit searches to specific time periods using the earliest and latest time modifiers.
The transaction command is used in Splunk to group events that share common characteristics into transactions.
A subsearch in Splunk is a search that is nested inside another search.
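The two searches below are an added example (not from the original page) that combine the time modifiers, transaction and a subsearch. Both assume Windows Security events in the WinEventLog:Security sourcetype with the fields Account_Name, Logon_Type and Source_Network_Address; the thresholds are illustrative.

```spl
index="main" sourcetype="WinEventLog:Security" EventCode IN (4625, 4624) earliest=-24h latest=now
| transaction Account_Name maxspan=10m startswith="EventCode=4625" endswith="EventCode=4624"
| where eventcount > 5
| table _time, Account_Name, duration, eventcount

index="main" sourcetype="WinEventLog:Security" EventCode=4624
    [ search index="main" sourcetype="WinEventLog:Security" EventCode=4625 earliest=-1h
      | stats count BY Account_Name
      | where count > 5
      | fields Account_Name ]
| table _time, Account_Name, Logon_Type, Source_Network_Address
```

The first search groups, per account, a run of failed logons (4625) that ends in a success (4624) within ten minutes; transaction adds the duration and eventcount fields, which the where clause uses to keep only groups with more than five events. The second search lets the inner search decide which accounts matter: it returns the Account_Name values with more than five failures in the last hour, and Splunk rewrites that result into an OR of Account_Name="..." terms for the outer search. Two caveats: transaction holds events in memory and is slow on large data sets, so stats with BY Account_Name is usually the better tool for counting; and a subsearch is capped by default at 10,000 results and 60 seconds, after which it is silently truncated.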
Splunk can ingest a wide variety of data sources. To identify available source types we can run the following SPL commands:
We can get Account_Name, EventCode and create a table of the summarized data.
If we want to get a list of fields we can use the command:
This command displays the 20 least common values of the ParentImage field.
A more complex query can provide a detailed summary of fields. This search shows a summary of all fields (fieldsummary) and then filters on how many events each field appears in (where count < 100).
Good command:
This query uses eventcount to count events in all indexes, then summarize=false is used to display counts for each index separately, and finally, the table command is used to present the data in tabular form.
The result is a list of all sourcetypes in our Splunk environment, along with additional metadata such as the first time a source type was seen (firstTime), the last time it was seen (lastTime), and the number of hosts (totalCount).
Simpler view:
Here, the metadata command retrieves metadata about the data in our indexes.
In table form:
Once we know our source types, we can investigate the kind of data they contain.
Say we're interested in WinEventLog:Security.
The table command generates a table with the specified fields as columns. Here, _raw represents the raw event data. This command will return the raw data for the specified source type.
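The searches below are an added example, not the page's own commands, covering the data-discovery steps described at the top of the page (metadata, fieldsummary, bucket and the rarest index/sourcetype pairs) and again in this last section (eventcount, rare, metadata and table _raw). Each search stands alone. The index main and the sourcetype WinEventLog:Security are assumed names; firstTime and lastTime are epoch values, so convert ctime turns them into readable timestamps.

```spl
| metadata type=sourcetypes index=*
| convert ctime(firstTime) ctime(lastTime)
| table sourcetype, firstTime, lastTime, totalCount

| metadata type=sources index=*
| table source, totalCount

| eventcount summarize=false index=*
| table index, count

index=* earliest=-7d
| rare limit=10 index, sourcetype

index="main" sourcetype="WinEventLog:Security"
| fieldsummary
| where count >= 100
| table field, count, distinct_count, is_exact, numeric_count, values
| sort -count

index="main" sourcetype="WinEventLog:Security" earliest=-7d
| bucket _time span=1d
| stats count BY _time, EventCode
| sort _time

index="main" sourcetype="WinEventLog:Security"
| head 5
| table _raw
```

The metadata and eventcount searches start with a pipe because they generate their own results rather than filtering events, which is also why they return quickly even on large indexes. fieldsummary tracks at most maxvals distinct values per field (100 by default); beyond that, distinct_count becomes an estimate and is_exact is 0, so raise maxvals when an exact count of, say, source hosts matters. The bucket search produces one row per day and EventCode, which is the shape needed to spot a day where a given event type is unusually frequent or absent. The final search uses head 5 so that table _raw shows a handful of complete events for inspection rather than the whole sourcetype.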