Main SiteSponsorMedium BlogYoutubeDiscordLinkedIN

Splunk

Replace the placeholder data from this section with your actual data

  1. index: This is the index in which your data resides in Splunk. The specific indexes you have will depend on how you've set up your data inputs.

  2. sourcetype: This specifies the data format for events from a data input, such as logs from a specific type of server or service (e.g., "access_combined", "WinEventLog:Security", "cisco:asa", etc.). The sourcetypes available will depend on the types of data inputs you have.

  3. host, src_ip, dest_ip: These fields typically represent the host, source IP, and destination IP associated with an event. The names of these fields may vary depending on your data.

  4. action, status, severity: These fields often represent the action taken (e.g., success, failure, download, accessed), the status of a request or response, or the severity of an event or alert. These could also vary depending on your data.

  5. file_path, process_name, uri, query, user_agent, service, port: These fields represent various specifics of an event such as file paths accessed, process names, URLs or URIs accessed, DNS queries made, User-Agent strings in web requests, names of services, and port numbers. The names and availability of these fields will depend on your data sources.

  6. user, clientip, src_user, session_duration, process_start: These fields could represent the user or client IP associated with an event, the user on the source system, the duration of user sessions, or the start time of processes. These field names could vary based on your data.

  7. bytes_out, bytes, amount: These fields typically represent the volume of data associated with an event, such as bytes sent out or received, or amounts in transaction events. The exact field names may vary.

  8. EventCode, level, threat_detected, device_id, printer_name, Country, description: These are more specific fields that would be associated with certain types of logs, such as Windows event logs, system logs, threat detection logs, device logs, printer logs, location data, or threat descriptions.

  1. iplocation

    • Determines the geographic location of IP addresses.

    • Example: index=firewall | iplocation src_ip

  2. cidrmatch

    • Checks if an IP falls within a specified CIDR range.

    • Example: index=firewall | where cidrmatch("10.0.0.0/8", src_ip)

  3. localop

    • Runs operation on the search head.

    • Example: index=firewall | localop | stats count

  4. metasearch

    • Searches only the metadata.

    • Example: index=firewall | metasearch | stats count

  5. tstats

    • Provides statistical information about indexed data.

    • Example: | tstats count where index=firewall by sourcetype

  6. datamodel

    • Retrieves events from a data model.

    • Example: | datamodel Network_Traffic All_Traffic search | stats count by All_Traffic.action

  7. metadata

    • Retrieves metadata about the hosts, sources, and source types in an index.

    • Example: | metadata type=hosts index=firewall

  8. predict

    • Predicts future values based on historical data.

    • Example: index=firewall | predict future_traffic as 'predicted_traffic'

  9. x11

    • Graphs the results in an X11 window for further examination.

    • Example: index=firewall | x11

  10. xmlkv

    • Extracts field and value pairs from XML-formatted events.

    • Example: index=firewall | xmlkv

  11. map

    • Runs a search for each result.

    • Example: index=firewall | map search="search index=firewall src_ip=$src_ip$"

  12. mcollect

    • Collects metrics data points.

    • Example: index=firewall | mcollect index=metrics

  13. file

    • Monitors the specified file until the command is interrupted.

    • Example: | file /var/log/firewall.log

  14. cluster

    • Groups similar events together.

    • Example: index=firewall | cluster showcount=true

  15. anomalies

    • Detects anomalous numerical values in data using machine learning.

    • Example: index=firewall | anomalies p_value_field=bytes

  16. findtypes

    • Infers new event types from existing data.

    • Example: index=firewall | findtypes

  17. outlier

    • Detects numerical outliers in your data.

    • Example: index=firewall | outlier action_field=bytes

  18. kvform

    • Extracts field and value pairs from events.

    • Example: index=firewall | kvform

  19. tag

    • Tags fields in events.

    • Example: index=firewall | tag user

  20. highlight

    • Highlights specific terms in the search results.

    • Example: index=firewall | highlight "denied"

  21. typelearner

    • Learns and suggests new event types.

    • Example: index=firewall | typelearner

  22. typer

    • Infers and assigns event types.

    • Example: index=firewall | typer

  23. sendemail

    • Sends search results via email.

    • Example: index=firewall | sendemail to="admin@company.com"

  24. strptime

    • Converts a formatted time string into epoch time.

    • Example: index=firewall | eval epoch_time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%:z")

  25. strftime

    • Converts epoch time to a formatted string.

    • Example: index=firewall | eval date=strftime(_time, "%Y-%m-%d")

  26. noop

    • Does not change the events or results (often used with metadata).

    • Example: index=firewall | noop | metadata type=hosts

  27. makeresults

    • Generates a result for testing purposes.

    • Example: | makeresults | eval test="Test"

  28. inputcsv

    • Loads a CSV file for use in a subsearch.

    • Example: index=firewall | inputcsv blocklist.csv

  29. format

    • Formats the results for use in a subsearch.

    • Example: index=firewall | format

  30. untable

    • Converts table formatted data into separate events.

    • Example: index=firewall | untable date user action

PreviousDefensive SecurityNextBasic Queries

Last updated