This is a simple Splunk search cheatsheet that covers common SPL commands. It is succinct on purpose. It includes basic Boolean expressions and behaviors, field expressions, statistical commands, search macros, and useful searches. The cheatsheet helps to understand and manipulate data outputs in Splunk, making it a useful tool for beginners or experienced users looking to refresh their knowledge.
Basic Boolean expressions and behaviors within SPL
AND operator is always implied between terms, that is: web error is the same as web AND error
NOT operator only applies to the term immediately following NOT. To apply it to multiple terms, you must enclose the terms in parentheses.
error NOT 403 OR 404
Without parentheses, this search is processed as two alternatives joined by OR:
Search for any event that contains the string “error” and does not contain the keyword 403, OR
Search for any event that contains the string “error” and 404
You can use parentheses to group Boolean expressions. For example: error NOT (403 OR 404)
Basic field expressions within SPL
Multivalued field values that exactly match “foo”: [fieldname]=foo
Multivalued field values that don’t exactly match “foo”: [fieldname]!=foo (note that this only matches events that have the field; NOT [fieldname]=foo also matches events where the field is missing)
Numerical field values that are less than x: [fieldname]<x
Numerical field values that are greater than x: [fieldname]>x
Numerical field values that are less than or equal to x: [fieldname]<=x
Numerical field values that are greater than or equal to x: [fieldname]>=x
Commands that can be used to find statistical data
Calculate results based on average
| stats avg([fieldname])
Count only the events where a condition on a fieldname holds and rename the result to a new field
| stats count(eval([fieldname]="[value]")) as newname
Returns maximum value from a specific field
| stats max([fieldname])
Returns minimum value from a specific field
| stats min([fieldname])
Returns sum of values in a specific field
| stats sum([fieldname])
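Putting several of these statistical functions together, as an added example that is not part of the original cheatsheet: a per-account summary of failed versus successful logons from Windows Security events. The index name wineventlog, the sourcetype, and the field names user and src_ip are assumptions about how the data is indexed, and the threshold of 20 failures is an arbitrary starting point.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)
| stats count(eval(EventCode=4625)) AS failures,
        count(eval(EventCode=4624)) AS successes,
        dc(src_ip) AS distinct_sources,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY user
| where failures > 20 AND successes > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

The where clause keeps accounts that accumulated many failures and then logged on successfully, a simple check for password guessing that ended in a hit; dc(src_ip) separates one noisy host from an attempt spread across many sources. Tune the threshold to the environment before alerting on it.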
A search macro in Splunk is a predefined search string that is called with just some short text. They can help make SPL strings way less verbose and make us more efficient in the long run. Common search macros can be reused in many different scenarios depending on applicability. They have to be put into backticks.
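As an added example that is not from the original cheatsheet: assume a macro named failed_logons has been created under Settings > Advanced search > Search macros (or in macros.conf) with the definition `index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625`, and a one-argument macro failed_logons_by(1) with argument `field` and the definition `index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 | stats count BY $field$`. The index, sourcetype and field names are assumptions. The two searches below show how they are then called.

```spl
`failed_logons` | stats count BY user | sort - count

`failed_logons_by(src_ip)` | where count > 50
```

Keeping the index, sourcetype and event code inside the macro means that when logging changes (a new index, a CIM-normalised sourcetype), only the macro definition has to be updated, not every saved search and alert that uses it.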
Random useful searches that can help manipulate data outputs
Table with top values based on selected criteria
| top [fieldname]
Table with top “x number” of values based on selected criteria
| top [#] [fieldname]
Returns the least frequent values of a field (10 by default; change with limit, e.g. limit=3)
| rare [fieldname]
Shows results in raw events mode with the given terms highlighted
| highlight [term1] [term2]
Builds a contingency table showing how often the values of two fields occur together
| contingency [fieldname1] [fieldname2]
Removes duplicate values from the result
| dedup [fieldname]
Sort by a field in descending order
| sort [fieldname] desc
Show a stats table with multiple fields, sort descending
| stats count by [fieldname1],[fieldname2]
| sort - count
Head and Tail
Returns the first 10 results (the most recent events in the default reverse-chronological order)
| head limit=10
Returns the last 10 results (the oldest events in the default order)
| tail limit=10
The where command filters results using an eval expression
| where [fieldname]=40 OR [fieldname]=30
The fields command removes (-) the listed fields or keeps only (+) the listed fields
| fields - [fieldname]
| fields + [fieldname]
Puts search results in reverse order
| reverse
Splunk search allows for searching raw text keywords while using chaining command
| search [keyword]
Rename a field as something else to make it easier to read
| rename [fieldname1] as [new_fieldname]
The eval command is used for calculations and field creation
| eval [new_fieldname]=[expression]
A typical use takes Windows Event Codes and turns them into named events so the Windows Event Codes are easier to understand. The same approach works in many other circumstances (e.g., converting from KB to MB to GB, etc.)
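An added example of the event-code mapping just described (this is not the original page's own example). The index, sourcetype and the EventCode field name are assumptions about how the Windows data is indexed; the event IDs 4624, 4625, 4720, 4740 and 1102 are standard Windows Security event IDs.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
| eval event_name=case(EventCode=4624, "Logon success",
                       EventCode=4625, "Logon failure",
                       EventCode=4720, "User account created",
                       EventCode=4740, "Account locked out",
                       EventCode=1102, "Audit log cleared",
                       true(), "Other (" . EventCode . ")")
| stats count BY EventCode, event_name
| sort - count
```

The `true()` branch at the end of case() is the catch-all, so codes not listed still get a label instead of a null event_name; the stats at the end shows which unmapped codes are most common so the mapping can be extended. The same pattern handles unit conversion, for example `| eval size_mb=round(bytes/1024/1024, 2)` assuming a bytes field.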
Fills null values with actual data. Can be any specified value.
| fillnull value=[examplevalue]
Groups related events that share a value of a field (here, process) into single transactions
| transaction process
Search commands related to visualizing data in charts, tables, etc.
Creates a table using a field
| table [fieldname]
Creates a chart using a field
| chart [somefunction]([fieldname])
| timechart count by [fieldname]
Table mapping in Splunk for associating key-value pairs in the search output.
Example of a lookup table. Associating values in an existing table so that they make more sense to the consumers of the data. As a basic example, a “0” might become a “no”, and a “1” might become a “yes”.
To create a lookup table, we need a CSV file that gets uploaded to Splunk in Settings > Lookups. In some cases you have to change the permissions to ensure the right users can use the lookup table.
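An added example (not from the page) of the 0/no, 1/yes case above: assume a CSV named status_labels.csv with the columns status,label and the rows 0,no and 1,yes has been uploaded, and a lookup definition named status_labels has been created for it. The index, sourcetype and the status field name are assumptions.

```spl
index=app sourcetype=app_logs
| lookup status_labels status OUTPUT label AS status_label
| fillnull value="unmapped" status_label
| stats count BY status, status_label
```

The fillnull step makes codes missing from the CSV show up as "unmapped" rather than leaving a null that is easy to overlook in a table; `| inputlookup status_labels` on its own shows the table contents for checking.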
Resolve IP Addresses to FQDN
As long as the name server holds the records, we can resolve IP addresses in a search
| lookup dnslookup clientip OUTPUT clienthost AS fqdn
| stats count by fqdn
Information about uncommon Splunk behaviors that might be useful
The search command can perform a CIDR match on a field that contains IPv4 and IPv6 addresses.
Suppose the ip field contains these values:
If you specify ip="10.10.10.0/24", the search returns the events with the first and last values: 10.10.10.12 and 10.10.10.23.
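An added example (not from the page) that carries the CIDR match over to the eval side with cidrmatch(), which is handy for tagging traffic zones in firewall data. The index, sourcetype, field names and address ranges are assumptions.

```spl
index=firewall sourcetype=fw_logs NOT src_ip="10.0.0.0/8"
| eval dest_zone=case(cidrmatch("10.0.0.0/8", dest_ip), "corp",
                      cidrmatch("192.168.0.0/16", dest_ip), "lab",
                      true(), "external")
| stats count BY src_ip, dest_zone, dest_port
| sort - count
```

The search-time CIDR match (NOT src_ip="10.0.0.0/8") does the cheap filtering before the pipe; cidrmatch(X, Y) takes the CIDR range first and the IP field second and is evaluated per event, so it is best applied after the result set has been narrowed.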
Add geographic fields (City, Country, lat, lon) to events from an IP field and plot the counts on a map
index = foo
| iplocation [ip_field]
| geostats count by [field ex: Country]
Count by country and attach the country geometry so the result can be rendered as a choropleth map
index = foo
| stats count by Country
| geom geo_countries allFeatures=True featureIdField=Country