Replace the placeholder data in this section with your actual data:
1. index: The index in which your data resides in Splunk. The specific indexes you have will depend on how you've set up your data inputs.
2. sourcetype: The data format for events from a data input, such as logs from a specific type of server or service (e.g., "access_combined", "WinEventLog:Security", "cisco:asa"). The sourcetypes available will depend on the types of data inputs you have.
3. host, src_ip, dest_ip: These fields typically represent the host, source IP, and destination IP associated with an event. The names of these fields may vary depending on your data.
4. action, status, severity: These fields often represent the action taken (e.g., success, failure, download, accessed), the status of a request or response, or the severity of an event or alert. These could also vary depending on your data.
5. file_path, process_name, uri, query, user_agent, service, port: These fields represent specifics of an event such as file paths accessed, process names, URLs or URIs accessed, DNS queries made, User-Agent strings in web requests, names of services, and port numbers. The names and availability of these fields will depend on your data sources.
6. user, clientip, src_user, session_duration, process_start: These fields could represent the user or client IP associated with an event, the user on the source system, the duration of user sessions, or the start time of processes. These field names could vary based on your data.
7. bytes_out, bytes, amount: These fields typically represent the volume of data associated with an event, such as bytes sent out or received, or amounts in transaction events. The exact field names may vary.
8. EventCode, level, threat_detected, device_id, printer_name, Country, description: These are more specific fields associated with certain types of logs, such as Windows event logs, system logs, threat detection logs, device logs, printer logs, location data, or threat descriptions.
- Determines the geographic location of IP addresses.
index=firewall | iplocation src_ip
- Checks if an IP falls within a specified CIDR range.
index=firewall | where cidrmatch("10.0.0.0/8", src_ip)
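The two commands above are most useful together. The following search is an added example, not part of the original cheat sheet: it uses cidrmatch to keep only traffic leaving the private (RFC 1918) ranges, enriches the external destination with iplocation, and totals outbound volume per internal host and destination country so that unusually large transfers stand out. The index name, the field names (src_ip, dest_ip, bytes_out, Country), the action value "allowed" and the 100 MiB threshold are placeholders to adjust to your data.

```spl
index=firewall action=allowed
| where NOT cidrmatch("10.0.0.0/8", dest_ip)
    AND NOT cidrmatch("172.16.0.0/12", dest_ip)
    AND NOT cidrmatch("192.168.0.0/16", dest_ip)
| iplocation dest_ip
| stats sum(bytes_out) as total_bytes_out dc(dest_ip) as distinct_destinations by src_ip Country
| where total_bytes_out > 104857600
| sort - total_bytes_out
```

The where clause runs before iplocation so the lookup is only performed on the external addresses; the final where keeps hosts that sent more than 100 MiB (104857600 bytes) in the search window, which is a starting point for tuning rather than a universal threshold.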
- Runs operation on the search head.
index=firewall | localop | stats count
- Searches only the metadata.
| metasearch index=firewall | stats count
- Provides statistical information about indexed data.
| tstats count where index=firewall by sourcetype
- Retrieves events from a data model.
| datamodel Network_Traffic All_Traffic search | stats count by All_Traffic.action
- Retrieves metadata about the hosts, sources, and source types in an index.
| metadata type=hosts index=firewall
- Predicts future values based on historical data.
index=firewall | timechart span=1h sum(bytes) as traffic | predict traffic as predicted_traffic future_timespan=24
- Graphs the results in an X11 window for further examination.
index=firewall | timechart span=1d count | x11 count
- Extracts field and value pairs from XML-formatted events.
index=firewall | xmlkv
- Runs a search for each result.
index=firewall | map search="search index=firewall src_ip=$src_ip$"
- Collects metrics data points.
index=firewall | mcollect index=metrics
- Monitors the specified file until the command is interrupted.
| file /var/log/firewall.log
- Groups similar events together.
index=firewall | cluster showcount=true
- Detects anomalous numerical values in data using machine learning.
index=firewall | anomalies field=bytes
- Infers new event types from existing data.
index=firewall | findtypes
- Detects numerical outliers in your data.
index=firewall | outlier action=transform bytes
- Extracts field and value pairs from events.
index=firewall | kvform
- Tags fields in events.
index=firewall | tag user
- Highlights specific terms in the search results.
index=firewall | highlight "denied"
- Learns and suggests new event types.
index=firewall | typelearner
- Infers and assigns event types.
index=firewall | typer
- Converts a formatted time string into epoch time (applied to a string field such as the placeholder timestamp_str here; _time is already epoch, so it does not need strptime).
index=firewall | eval epoch_time=strptime(timestamp_str, "%Y-%m-%dT%H:%M:%S.%3N%:z")
- Converts epoch time to a formatted string.
index=firewall | eval date=strftime(_time, "%Y-%m-%d")
- Does not change the events or results (often used with metadata).
| metadata type=hosts index=firewall | noop
- Generates a result for testing purposes.
| makeresults | eval test="Test"
- Loads a CSV file for use in a subsearch.
index=firewall [| inputcsv blocklist.csv | fields src_ip]
- Formats the results for use in a subsearch.
index=firewall | format
- Converts table formatted data into separate events.
index=firewall | untable date user action
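As an added example (not from the original cheat sheet) that combines tstats from earlier in this list with untable, the following search checks whether any firewall sourcetype has gone quiet, which is the failure mode a detection engineer most wants to catch before an alert silently stops firing. It counts events per hour and sourcetype from the index metadata, fills missing hourly buckets with zero, turns the timechart back into rows, and flags any sourcetype whose last full hour is below 20% of its 24-hour hourly average. The index name and the 20% threshold are placeholders.

```spl
| tstats count where index=firewall earliest=-24h@h latest=@h by _time span=1h, sourcetype
| timechart span=1h sum(count) as count by sourcetype
| fillnull value=0
| untable _time sourcetype count
| stats avg(count) as avg_per_hour latest(count) as last_hour by sourcetype
| where last_hour < avg_per_hour * 0.2
```

The fillnull step matters: an hour with no events produces no tstats row at all, so without it a sourcetype that stopped sending entirely would be missed because latest(count) would silently pick up the last hour that did have data.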