Splunk

Replace the placeholder data from this section with your actual data

index: This is the index in which your data resides in Splunk. The specific indexes you have will depend on how you've set up your data inputs.
sourcetype: This specifies the data format for events from a data input, such as logs from a specific type of server or service (e.g., "access_combined", "WinEventLog:Security", "cisco:asa", etc.). The sourcetypes available will depend on the types of data inputs you have.
host, src_ip, dest_ip: These fields typically represent the host, source IP, and destination IP associated with an event. The names of these fields may vary depending on your data.
action, status, severity: These fields often represent the action taken (e.g., success, failure, download, accessed), the status of a request or response, or the severity of an event or alert. These could also vary depending on your data.
file_path, process_name, uri, query, user_agent, service, port: These fields represent various specifics of an event such as file paths accessed, process names, URLs or URIs accessed, DNS queries made, User-Agent strings in web requests, names of services, and port numbers. The names and availability of these fields will depend on your data sources.
user, clientip, src_user, session_duration, process_start: These fields could represent the user or client IP associated with an event, the user on the source system, the duration of user sessions, or the start time of processes. These field names could vary based on your data.
bytes_out, bytes, amount: These fields typically represent the volume of data associated with an event, such as bytes sent out or received, or amounts in transaction events. The exact field names may vary.
EventCode, level, threat_detected, device_id, printer_name, Country, description: These are more specific fields that would be associated with certain types of logs, such as Windows event logs, system logs, threat detection logs, device logs, printer logs, location data, or threat descriptions.
iplocation
- Determines the geographic location of IP addresses.
- Example: index=firewall | iplocation src_ip
cidrmatch
- Checks if an IP falls within a specified CIDR range.
- Example: index=firewall | where cidrmatch("10.0.0.0/8", src_ip)
localop
- Runs operation on the search head.
- Example: index=firewall | localop | stats count
metasearch
- Searches only the metadata.
- Example: index=firewall | metasearch | stats count
tstats
- Provides statistical information about indexed data.
- Example: | tstats count where index=firewall by sourcetype
datamodel
- Retrieves events from a data model.
- Example: | datamodel Network_Traffic All_Traffic search | stats count by All_Traffic.action
metadata
- Retrieves metadata about the hosts, sources, and source types in an index.
- Example: | metadata type=hosts index=firewall
predict
- Predicts future values based on historical data.
- Example: index=firewall | predict future_traffic as 'predicted_traffic'
x11
- Graphs the results in an X11 window for further examination.
- Example: index=firewall | x11
xmlkv
- Extracts field and value pairs from XML-formatted events.
- Example: index=firewall | xmlkv
map
- Runs a search for each result.
- Example: index=firewall | map search="search index=firewall src_ip=$src_ip$"
mcollect
- Collects metrics data points.
- Example: index=firewall | mcollect index=metrics
file
- Monitors the specified file until the command is interrupted.
- Example: | file /var/log/firewall.log
cluster
- Groups similar events together.
- Example: index=firewall | cluster showcount=true
anomalies
- Detects anomalous numerical values in data using machine learning.
- Example: index=firewall | anomalies p_value_field=bytes
findtypes
- Infers new event types from existing data.
- Example: index=firewall | findtypes
outlier
- Detects numerical outliers in your data.
- Example: index=firewall | outlier action_field=bytes
kvform
- Extracts field and value pairs from events.
- Example: index=firewall | kvform
tag
- Tags fields in events.
- Example: index=firewall | tag user
highlight
- Highlights specific terms in the search results.
- Example: index=firewall | highlight "denied"
typelearner
- Learns and suggests new event types.
- Example: index=firewall | typelearner
typer
- Infers and assigns event types.
- Example: index=firewall | typer
sendemail
- Sends search results via email.
- Example: index=firewall | sendemail to="admin@company.com"
strptime
- Converts a formatted time string into epoch time.
- Example: index=firewall | eval epoch_time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%:z")
strftime
- Converts epoch time to a formatted string.
- Example: index=firewall | eval date=strftime(_time, "%Y-%m-%d")
noop
- Does not change the events or results (often used with metadata).
- Example: index=firewall | noop | metadata type=hosts
makeresults
- Generates a result for testing purposes.
- Example: | makeresults | eval test="Test"
inputcsv
- Loads a CSV file for use in a subsearch.
- Example: index=firewall | inputcsv blocklist.csv
format
- Formats the results for use in a subsearch.
- Example: index=firewall | format
untable
- Converts table formatted data into separate events.
- Example: index=firewall | untable date user action

PreviousDefensive Security NextBasic Queries

Last updated 5 months ago

Splunk

Replace the placeholder data from this section with your actual data

index: This is the index in which your data resides in Splunk. The specific indexes you have will depend on how you've set up your data inputs.
sourcetype: This specifies the data format for events from a data input, such as logs from a specific type of server or service (e.g., "access_combined", "WinEventLog:Security", "cisco:asa", etc.). The sourcetypes available will depend on the types of data inputs you have.
host, src_ip, dest_ip: These fields typically represent the host, source IP, and destination IP associated with an event. The names of these fields may vary depending on your data.
action, status, severity: These fields often represent the action taken (e.g., success, failure, download, accessed), the status of a request or response, or the severity of an event or alert. These could also vary depending on your data.
file_path, process_name, uri, query, user_agent, service, port: These fields represent various specifics of an event such as file paths accessed, process names, URLs or URIs accessed, DNS queries made, User-Agent strings in web requests, names of services, and port numbers. The names and availability of these fields will depend on your data sources.
user, clientip, src_user, session_duration, process_start: These fields could represent the user or client IP associated with an event, the user on the source system, the duration of user sessions, or the start time of processes. These field names could vary based on your data.
bytes_out, bytes, amount: These fields typically represent the volume of data associated with an event, such as bytes sent out or received, or amounts in transaction events. The exact field names may vary.
EventCode, level, threat_detected, device_id, printer_name, Country, description: These are more specific fields that would be associated with certain types of logs, such as Windows event logs, system logs, threat detection logs, device logs, printer logs, location data, or threat descriptions.
iplocation
- Determines the geographic location of IP addresses.
- Example: index=firewall | iplocation src_ip
cidrmatch
- Checks if an IP falls within a specified CIDR range.
- Example: index=firewall | where cidrmatch("10.0.0.0/8", src_ip)
localop
- Runs operation on the search head.
- Example: index=firewall | localop | stats count
metasearch
- Searches only the metadata.
- Example: index=firewall | metasearch | stats count
tstats
- Provides statistical information about indexed data.
- Example: | tstats count where index=firewall by sourcetype
datamodel
- Retrieves events from a data model.
- Example: | datamodel Network_Traffic All_Traffic search | stats count by All_Traffic.action
metadata
- Retrieves metadata about the hosts, sources, and source types in an index.
- Example: | metadata type=hosts index=firewall
predict
- Predicts future values based on historical data.
- Example: index=firewall | predict future_traffic as 'predicted_traffic'
x11
- Graphs the results in an X11 window for further examination.
- Example: index=firewall | x11
xmlkv
- Extracts field and value pairs from XML-formatted events.
- Example: index=firewall | xmlkv
map
- Runs a search for each result.
- Example: index=firewall | map search="search index=firewall src_ip=$src_ip$"
mcollect
- Collects metrics data points.
- Example: index=firewall | mcollect index=metrics
file
- Monitors the specified file until the command is interrupted.
- Example: | file /var/log/firewall.log
cluster
- Groups similar events together.
- Example: index=firewall | cluster showcount=true
anomalies
- Detects anomalous numerical values in data using machine learning.
- Example: index=firewall | anomalies p_value_field=bytes
findtypes
- Infers new event types from existing data.
- Example: index=firewall | findtypes
outlier
- Detects numerical outliers in your data.
- Example: index=firewall | outlier action_field=bytes
kvform
- Extracts field and value pairs from events.
- Example: index=firewall | kvform
tag
- Tags fields in events.
- Example: index=firewall | tag user
highlight
- Highlights specific terms in the search results.
- Example: index=firewall | highlight "denied"
typelearner
- Learns and suggests new event types.
- Example: index=firewall | typelearner
typer
- Infers and assigns event types.
- Example: index=firewall | typer
sendemail
- Sends search results via email.
- Example: index=firewall | sendemail to="admin@company.com"
strptime
- Converts a formatted time string into epoch time.
- Example: index=firewall | eval epoch_time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%:z")
strftime
- Converts epoch time to a formatted string.
- Example: index=firewall | eval date=strftime(_time, "%Y-%m-%d")
noop
- Does not change the events or results (often used with metadata).
- Example: index=firewall | noop | metadata type=hosts
makeresults
- Generates a result for testing purposes.
- Example: | makeresults | eval test="Test"
inputcsv
- Loads a CSV file for use in a subsearch.
- Example: index=firewall | inputcsv blocklist.csv
format
- Formats the results for use in a subsearch.
- Example: index=firewall | format
untable
- Converts table formatted data into separate events.
- Example: index=firewall | untable date user action

PreviousDefensive Security NextBasic Queries

Last updated 5 months ago