Splunk#

Splunk is a platform to search, analyze, and visualize machine-generated data from websites, applications, sensors, and devices. The operator uses SPL to extract fields, group events, and build detections.

Fields#

Extract data from events into fields so reports can run on it meaningfully.

SPL

Effect

* | extract reload=true

Extract field / value pairs and reload extraction settings from disk.

* | extract pairdelim="|;", kvdelim="=:", auto=f

Extract field / value pairs delimited by |; with values by =:.

* | multikv fields COMMAND filter splunkd

Extract the COMMAND field in rows containing splunkd.

* | xmlkv

Automatically extract fields from XML-formatted data.

* | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

Extract from and to via regex.

* | strcat sourceIP "/" destIP comboIP

Add comboIP field, value sourceIP + "/" + destIP.

* | eval velocity=distance/time

Add velocity field as distance / time (SQLite eval).

404 host=webserver1 | head 20 | iplocation

Add location info for the first 20 events with 404 from webserver1.

Convert#

Change names, units, types, or attributes of fields.

SPL

Effect

* | convert auto(*) none(foo)

Convert every field to a number except foo.

* | convert memk(virt)

Convert memory values in virt to KB.

* | convert dur2sec(delay)

Convert D+HH:MM:SS to seconds.

* | convert rmunit(duration)

Strip unit text from duration.

* | rename _ip as IPAddress

Rename _ip as IPAddress.

* | replace *localhost with localhost in host

Normalize *localhost to localhost in host.

Filter#

Filter and re-arrange how Splunk displays fields.

SPL

Effect

* | fields host, ip

Keep only the host and ip fields.

* | fields + host, ip

Keep only host and ip, remove internal fields.

* | fields - host, ip

Remove host and ip.

* | search src="10.9.165.*" OR dst="10.9.165.8"

Keep results with matching src or dst values.

* | regex _raw=(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d

Keep results whose _raw contains class-A non-routable IPs (10.0.0.0/8).

* | dedup host

Remove duplicates with the same host.

* Fatal | rex "(?i) msg=(?P[^,]+)"

Extract a pattern and store as a new field.

* | regex _raw=".*Fatal.*"

Use a regex against raw results.

Order#

SPL

Effect

* | sort ip, -url

Sort by ip ascending then url descending.

* | reverse

Reverse the order of a result set.

* | head 20

Return the first 20 results.

* | tail 20

Return the last 20 results in reverse order.

* | head 1000 | top 50 method

First 1000 lines of log file, order top 50.

Group#

SPL

Effect

* | transaction fields="host,cookie" maxspan=30s maxpause=5s

Group results with same host and cookie, within 30s, no pause greater than 5s.

* | transaction fields=from maxspan=30s maxpause=5s

Group results sharing same value of from with span 30s, pause 5s.

* | kmeans k=4 date_hour date_minute

Group results into 4 clusters by date_hour and date_minute.

* | cluster t=0.9 showcount=true | sort -cluster_count | head 20

Cluster events, sort by cluster_count, return the 20 largest.

Classify#

SPL

Effect

* | typer

Force Splunk to apply event types you have configured.

error | typelearner

Auto-discover and apply event types to events containing error.

Display#

Generate results from data using commands other than search. You must use a pipe (|) before any data-generating command that is not the search command.

SPL

Effect

| inputcsv all.csv | search error | outputcsv errors.csv

Read CSV results, keep error-containing rows, write to CSV.

| file /var/log/messages.1

Display events from a file as if indexed.

| savedsearch mysecurityquery AND _count > 0 or | sendemail to=user@domain.com

Run saved search and email results.

Report#

Summarize results, perform stats, graph.

SPL

Effect

* | rare url

Return least common values of url.

* | top limit=20 url

Return 20 most common url values.

* | stats dc(host)

Total count of unique host values.

* | stats avg(*lay) BY date_hour

Average for each hour of any field ending in lay.

sourcetype=access_combined | top limit=100 referer_domain | stats sum(count)

Search access logs, sum hits from top 100 referer_domain.

sourcetype=access_combined | associate supcnt=3

Associate results with each other (at least 3 references).

* | chart avg(size) by host

Average size per distinct host.

* | chart max(delay) by size bins=10

Maximum delay by size, max 10 buckets.

* | timechart span=5m avg(thruput) by host

Graph average thruput of hosts over time.

* | timechart avg(cpu_seconds) by host | outlier action=TR

Timechart of avg cpu_seconds by host with outliers removed.

sourcetype=ps | multikv | timechart span=1m avg(CPU) by host

Average CPU per minute per host.

sourcetype=web | timechart count by host | fillnull value=NULL

Timechart of count by host, null filled.

* | contingency datafield1 datafield2 maxrows=5 maxcols=5 usetotal=F

Contingency table.

* | correlate type=cocur

Co-occurrence correlation between all fields.

* | addtotals fieldname=sum

Sum numeric fields per result into sum.

* | anomalousvalue action=filter pthresh=0.02

Return events with uncommon values.

* | bucket size bins=10 | stats count(_raw) by size

Bucket results into 10 bins, count raw events.

* | bucket _time span=5m | stats avg(thruput) by=_time host

Average thruput per host per 5-minute span.

* | stats sum(<field>) as result | eval result=(result/1000)

Sum and divide by 1000.

* | eval raw_len=len(_raw) | stats avg(raw_len), p10(raw_len), p90(raw_len) by sourcetype

p10 and p90 of raw log length per sourcetype.

Admin#

SPL

Effect

| crawl root="/;/Users/" | input add

Crawl roots and add discovered inputs to inputs.conf.

| admin props

View processing properties in props.conf.

index=audit | audit

View audit trail; check for tampering.

| eventcount summarize=false index=* | dedup index | fields index

List all indices.

| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2)

List indices with sizes in MB.

Subsearch#

SPL

Effect

* | set diff [search 404 | fields url] [search 303 | fields url]

URLs that contain 404 or 303 but not both.

login root | localize maxspan=5m maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"

Find events around root login, search each time range for failure.

[* | fields + source, sourcetype, host | format]

Build a search string from host, source, sourcetype.

Email#

Append sendemail to mail any query results.

... | sendemail to="john@example.com"

References#