Splunk

Replace the placeholder data from this section with your actual data

  1. index: This is the index in which your data resides in Splunk. The specific indexes you have will depend on how you've set up your data inputs.

  2. sourcetype: This specifies the data format for events from a data input, such as logs from a specific type of server or service (e.g., "access_combined", "WinEventLog:Security", "cisco:asa", etc.). The sourcetypes available will depend on the types of data inputs you have.

  3. host, src_ip, dest_ip: These fields typically represent the host, source IP, and destination IP associated with an event. The names of these fields may vary depending on your data.

  4. action, status, severity: These fields often represent the action taken (e.g., success, failure, download, accessed), the status of a request or response, or the severity of an event or alert. These could also vary depending on your data.

  5. file_path, process_name, uri, query, user_agent, service, port: These fields represent various specifics of an event such as file paths accessed, process names, URLs or URIs accessed, DNS queries made, User-Agent strings in web requests, names of services, and port numbers. The names and availability of these fields will depend on your data sources.

  6. user, clientip, src_user, session_duration, process_start: These fields could represent the user or client IP associated with an event, the user on the source system, the duration of user sessions, or the start time of processes. These field names could vary based on your data.

  7. bytes_out, bytes, amount: These fields typically represent the volume of data associated with an event, such as bytes sent out or received, or amounts in transaction events. The exact field names may vary.

  8. EventCode, level, threat_detected, device_id, printer_name, Country, description: These are more specific fields that would be associated with certain types of logs, such as Windows event logs, system logs, threat detection logs, device logs, printer logs, location data, or threat descriptions.

  9. iplocation

    • Determines the geographic location of IP addresses.

    • Example: index=firewall | iplocation src_ip

  10. cidrmatch

    • Checks if an IP falls within a specified CIDR range.

    • Example: index=firewall | where cidrmatch("10.0.0.0/8", src_ip)

  11. localop

    • Runs operation on the search head.

    • Example: index=firewall | localop | stats count

  12. metasearch

    • Searches only the metadata.

    • Example: index=firewall | metasearch | stats count

  13. tstats

    • Provides statistical information about indexed data.

    • Example: | tstats count where index=firewall by sourcetype

  14. datamodel

    • Retrieves events from a data model.

    • Example: | datamodel Network_Traffic All_Traffic search | stats count by All_Traffic.action

  15. metadata

    • Retrieves metadata about the hosts, sources, and source types in an index.

    • Example: | metadata type=hosts index=firewall

  16. predict

    • Predicts future values based on historical data.

    • Example: index=firewall | predict future_traffic as 'predicted_traffic'

  17. x11

    • Graphs the results in an X11 window for further examination.

    • Example: index=firewall | x11

  18. xmlkv

    • Extracts field and value pairs from XML-formatted events.

    • Example: index=firewall | xmlkv

  19. map

    • Runs a search for each result.

    • Example: index=firewall | map search="search index=firewall src_ip=$src_ip$"

  20. mcollect

    • Collects metrics data points.

    • Example: index=firewall | mcollect index=metrics

  21. file

    • Monitors the specified file until the command is interrupted.

    • Example: | file /var/log/firewall.log

  22. cluster

    • Groups similar events together.

    • Example: index=firewall | cluster showcount=true

  23. anomalies

    • Detects anomalous numerical values in data using machine learning.

    • Example: index=firewall | anomalies p_value_field=bytes

  24. findtypes

    • Infers new event types from existing data.

    • Example: index=firewall | findtypes

  25. outlier

    • Detects numerical outliers in your data.

    • Example: index=firewall | outlier action_field=bytes

  26. kvform

    • Extracts field and value pairs from events.

    • Example: index=firewall | kvform

  27. tag

    • Tags fields in events.

    • Example: index=firewall | tag user

  28. highlight

    • Highlights specific terms in the search results.

    • Example: index=firewall | highlight "denied"

  29. typelearner

    • Learns and suggests new event types.

    • Example: index=firewall | typelearner

  30. typer

    • Infers and assigns event types.

    • Example: index=firewall | typer

  31. sendemail

    • Sends search results via email.

    • Example: index=firewall | sendemail to="[email protected]"

  32. strptime

    • Converts a formatted time string into epoch time.

    • Example: index=firewall | eval epoch_time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%:z")

  33. strftime

    • Converts epoch time to a formatted string.

    • Example: index=firewall | eval date=strftime(_time, "%Y-%m-%d")

  34. noop

    • Does not change the events or results (often used with metadata).

    • Example: index=firewall | noop | metadata type=hosts

  35. makeresults

    • Generates a result for testing purposes.

    • Example: | makeresults | eval test="Test"

  36. inputcsv

    • Loads a CSV file for use in a subsearch.

    • Example: index=firewall | inputcsv blocklist.csv

  37. format

    • Formats the results for use in a subsearch.

    • Example: index=firewall | format

  38. untable

    • Converts table formatted data into separate events.

    • Example: index=firewall | untable date user action

PreviousDefensive SecurityNextBasic Queries

Last updated