SPL Syntax & Searching

Begin by specifying the data to search using:

  • the index parameter, i.e. index
  • the equal sign =
  • and the name of the index of your choice, i.e. index=index_of_choice

Complex queries use the pipe character |, which feeds the output of the previous command into the next one.

The table further below explains how the Splunk search function interprets your query depending on how you enter the SPL search terms.

To see all entries, enter * in the search bar and press Enter. You can then filter using the returned data, as you may not yet know what data has been indexed or in what syntax.

To filter by host/machine, right-click the host value in the returned data and select “Add to search”. The search will then look something like this:
* host="DESKTOPUSERONE"

We can then narrow down which logs we look at by filtering on the Security log using the same method as above, giving us:
* host="DESKTOPUSERONE" source="WinEventLog:Security"

Let’s specify the event code. Highlight the “EventCode=1102” field, right-click and select “Add to search”. The search is now:
* host="DESKTOPUSERONE" source="WinEventLog:Security" EventCode="1102"

If this action/event was performed, the “Message” field will state what happened. In this particular case, event code 1102 indicates that the audit log was cleared.

Table view: We can select “Create Table View” from the top right-hand corner to view the data differently. By default, the search output is transferred into the table view.

On the left-hand side, you can easily select or deselect different log types.

Dashboards: Select “Dashboards” from the top menu and click “Create New Dashboard”. Give your dashboard a Title, set the dashboard type to “Dashboard Studio” and the layout mode to “Grid”, then select “Create”.

Select “Add chart”, then “Table”, and paste our SPL into the respective section on the right-hand side; click “Apply & close” and enter the “Title”. You can add or remove items using “Column formatting”.

Here is how we would remove a field/column that is currently visible, e.g. “_cd”. Under “Data configurations”, edit the search by clicking the pencil icon and append the following to the SPL: “| fields - _cd”. Click “Apply and close” and the column should now be removed. Click “Save” to save this dashboard. You can find it again by selecting “Dashboards” from the top menu, where your newly created dashboard should be listed.

When you go back into the dashboard, you’ll see a menu called “Actions”. Here you have the option to download in different formats/file types, clone, set as home dashboard, and delete. These are useful when you need to present data to executives etc.

SPL SEARCH TERMS / DESCRIPTION

Full Text Search
  Greyhat
      Find the word “Greyhat” irrespective of capitalization
  One two three
      Find these three words in any order irrespective of capitalization
  "One two three"
      Find the exact phrase with the given special characters, irrespective of capitalization

Filter by fields
  source="/var/log/myapp/access.log" status=401
      All lines where the field status has value 401 from the file /var/log/myapp/access.log
  source="gdprdata.rar:*" index="data_tutorial" Code=GREEN
      All entries where the field Code has value GREEN in the archive gdprdata.rar indexed as data_tutorial
  index="customer_feedback" _raw="*excellent*"
      All entries whose text contains the keyword “excellent” in the indexed data set customer_feedback

Filter by host
  host="myblog" source="/var/log/syslog" Fatal
      Show all Fatal entries from /var/log/syslog belonging to the blog host myblog

Selecting an index
  index="myIndex" password
      Access the index called myIndex and text matching password
  source="test_data.zip:*"
      Access the data archive called test_data.zip and parse all its entries (*)
  sourcetype="datasource01"
      (Optional) Search data sources whose type is datasource01

This syntax also applies to the arguments following the search keyword. Here is an example of a longer SPL search string:

index=* OR index=_* sourcetype=generic_logs | search Cybersecurity | head 10000

In this example, index=* OR index=_* sourcetype=generic_logs is the data set on which Splunk runs search Cybersecurity, and head 10000 then limits the output to the first (up to) 10,000 entries.
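As an added illustration (not Splunk’s engine and not code from the original page), the following Python models the search-term rules from the table above and the pipeline of the last example (an initial search, then search, head and the fields - _cd step from the dashboard section) over a few constructed events. It is a simplified model: the concatenated field values stand in for _raw, and pipes inside quoted strings are not handled.

```python
import fnmatch
import re

# Constructed sample events shaped like the page's examples (not real log data).
EVENTS = [
    {"host": "DESKTOPUSERONE", "source": "WinEventLog:Security", "EventCode": "1102",
     "Message": "The audit log was cleared.", "_cd": "2:41"},
    {"host": "DESKTOPUSERONE", "source": "WinEventLog:Security", "EventCode": "4624",
     "Message": "An account was successfully logged on.", "_cd": "2:42"},
    {"host": "myblog", "source": "/var/log/syslog", "Message": "FATAL: disk full", "_cd": "3:7"},
    {"host": "web01", "source": "/var/log/myapp/access.log", "status": "401",
     "Message": "GET /admin 401", "_cd": "3:8"},
]

def term_matches(event, term):
    """Evaluate one search term the way the table above describes it."""
    text = " ".join(str(v) for v in event.values())  # stands in for _raw
    if term.startswith('"'):  # quoted phrase: exact sequence, case-insensitive
        return term.strip('"').lower() in text.lower()
    if "=" in term:  # field=value; * is a wildcard, quotes round the value are optional
        field, value = term.split("=", 1)
        haystack = text if field == "_raw" else event.get(field)
        return haystack is not None and fnmatch.fnmatchcase(
            str(haystack).lower(), value.strip('"').lower())
    # Bare word: whole-word match anywhere in the event, case-insensitive
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None

def search(events, terms):
    """Implicit AND of all terms; a lone * matches everything."""
    tokens = [t for t in re.findall(r'"[^"]*"|\S+', terms) if t != "*"]
    return [e for e in events if all(term_matches(e, t) for t in tokens)]

def run_spl(events, spl):
    """Run a pipeline of the commands used on this page: search, head, fields -."""
    stages = [s.strip() for s in spl.split("|")]
    result = search(events, stages[0])
    for stage in stages[1:]:
        cmd, _, args = stage.partition(" ")
        if cmd == "search":
            result = search(result, args)
        elif cmd == "head":
            result = result[: int(args)]
        elif cmd == "fields" and args.startswith("-"):
            drop = set(args[1:].split())
            result = [{k: v for k, v in e.items() if k not in drop} for e in result]
        else:
            raise ValueError(f"unsupported command in this model: {cmd}")
    return result
```

Running run_spl(EVENTS, '* host="DESKTOPUSERONE" source="WinEventLog:Security" EventCode="1102" | fields - _cd') returns only the audit-log-cleared event, with the _cd column dropped.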

Event IDs

To explore a particular event ID, head over to Ultimate IT Security’s website here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx