Splunk Search Cheatsheet


This is a simple Splunk search cheatsheet that covers common SPL commands. It is succinct on purpose. It includes basic Boolean expressions and behaviors, field expressions, statistical commands, search macros, and useful searches. The cheatsheet helps to understand and manipulate data outputs in Splunk, making it a useful tool for beginners or experienced users looking to refresh their knowledge.

Boolean Expressions

Basic Boolean expressions and behaviors within SPL

The AND operator is always implied between terms, that is: web error is the same as web AND error

The NOT operator only applies to the term immediately following NOT. To apply it to multiple terms, you must enclose the terms in parentheses.

Parentheses

error NOT 403 OR 404

Without parentheses, this search is processed as:

  • Search for any event that contains the string “error” and does not contain the keyword 403
  • Search for any event that contains the string “error” and 404

You can use parentheses to group Boolean expressions. For example: error NOT (403 OR 404)

Field Expressions

Basic field expressions within SPL

Operator   Example       Result
=          field=foo     Multivalued field values that exactly match "foo".
!=         field!=foo    Multivalued field values that don't exactly match "foo".
<          field<x       Numerical field values that are less than x.
>          field>x       Numerical field values that are greater than x.
<=         field<=x      Numerical field values that are less than or equal to x.
>=         field>=x      Numerical field values that are greater than or equal to x.

Stats Commands

Commands that can be used to find statistical data

Stats Average

Calculates the average of a numeric field

index=foo
| stats avg([fieldname])

Stats Count

Counts events, optionally only those matching an eval condition, and renames the result to a new field

index=foo
| stats count(eval([fieldname]="[value]")) as newname

Stats Max/Min

Returns the maximum value of a field

index=foo
| stats max([fieldname])

Returns the minimum value of a field

index=foo
| stats min([fieldname])

Stats Sum

Returns the sum of the values of a field

index=foo
| stats sum([fieldname])

Search Macros

A search macro in Splunk is a predefined search string that is called with just a short name. Macros make SPL strings far less verbose and save effort in the long run, and common macros can be reused in many different searches. The macro name has to be enclosed in backticks.

Example:

| `mygeneratingmacro`

Useful Searches

Random useful searches that can help manipulate data outputs

Top

Table of the most frequent values of a field

index=foo
| top [fieldname]

Top “x”

Table of the top "x" most frequent values of a field

index=foo
| top [#] [fieldname]

Rare

Returns the least frequent values of a field (10 by default; change the number with limit=N, e.g. limit=3)

index=foo
| rare [fieldname]

Highlight

Shows results in raw event view with the given terms highlighted

index=foo
| highlight [term1] [term2]

Contingency

Builds a contingency table showing how often each value of the first field occurs together with each value of the second

index=foo
| contingency [fieldname1] [fieldname2]

Dedup

Keeps only the first result for each distinct value of the field, removing the duplicates

index=foo
| dedup [fieldname]

Sort

Sorts results by a field in descending order

index=foo
| sort [fieldname] desc

Stats

Shows a stats table counting by multiple fields, sorted descending by count

index=foo
| stats count by [fieldname1],[fieldname2]
| sort - count

Head and Tail

Displays the first 10 results, which are the 10 most recent events in the default time-descending order

index=foo
| head limit=10

Displays the last 10 results, which are the 10 oldest events in the default order

index=foo
| tail 10

Where

The where command filters results using an eval expression

index=foo
| where [fieldname]=40 OR [fieldname]=30

Field Command

The fields command keeps or removes the listed fields from the results

Remove the listed fields:

index=foo
| fields - [fieldname]

Keep only the listed fields:

index=foo
| fields + [fieldname]

Reverse

Puts search results in reverse order

index=foo
| reverse

Search

The search command lets you filter on raw-text keywords further down a chain of commands

index=foo
| search [keyword]

Rename

Rename a field as something else to make it easier to read

index=foo
| rename [fieldname1] as [new_fieldname]

Eval

Used for calculations and field creation. The example below takes some Windows Event Codes and turns them into named events so that the codes are easier to understand. eval can be used in many other circumstances (e.g., converting from KB to MB to GB).

index=foo
| eval NamedEvents = case(EventCode == 4624, "Successful Logon", EventCode == 4634, "Logoff", EventCode == 1234, "More Examples")
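As an added example that is not part of the original cheatsheet, the search below combines the eval case() pattern above with the conditional count(eval(...)) form from the Stats Count entry, where and sort, to list accounts that had many failed logons followed by at least one success. The index foo, the sourcetype WinEventLog:Security and the field names user and src_ip are assumptions about how the Windows security events are indexed.

```spl
index=foo sourcetype=WinEventLog:Security EventCode IN (4624, 4625)
| eval outcome=case(EventCode==4624, "success", EventCode==4625, "failure", true(), "other")
| stats count(eval(outcome="failure")) AS failures,
        count(eval(outcome="success")) AS successes,
        dc(src_ip) AS distinct_sources,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY user
| where failures >= 20 AND successes > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

The threshold of 20 failures is a constructed starting point; tune it against the normal failure rate in your own environment.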

Fill Null

Replaces null (missing) field values with the specified value; the default value is 0.

index=foo
| fillnull value=[examplevalue]

Transaction

Groups related events into transactions based on a shared field (here, process)

index=foo
| transaction process

Visualizations

Search commands related to visualizing data in charts, tables, etc.

Table

Displays the listed fields as a table

index=foo
| table [fieldname]

Chart

Charts the result of a statistical function applied to a field

index=web
| chart [somefunction]([fieldname])

Timechart

Charts a count over time, split by the values of a field

index=foo
| timechart count by [fieldname]

Lookups

A lookup is a table mapping in Splunk that associates key-value pairs with fields in the search output.

A lookup table associates values in the results with more meaningful ones so that they make more sense to the consumers of the data. As a basic example, a "0" might become a "no", and a "1" might become a "yes".

To create a lookup table, we need a CSV file that gets uploaded to Splunk in Settings > Lookups. In some cases the permissions have to be changed so that the right users can use the lookup table.

Resolve IP Addresses to FQDN

As long as the name server holds the records, we can resolve IP addresses to host names within a search using the built-in dnslookup

index=foo
| lookup dnslookup clientip OUTPUT clienthost AS fqdn
| stats count by fqdn
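As an added example that is not part of the original cheatsheet, this search uses a CSV lookup of approved administrative hosts, uploaded under Settings > Lookups as described above, together with the CIDR matching covered under Useful Info, to surface remote-interactive logons from sources that are not on the approved list. The lookup file admin_hosts.csv (with columns src_ip and owner), the Logon_Type field, the sourcetype and the index foo are assumptions.

```spl
index=foo sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=10
    NOT src_ip="127.0.0.0/8"
| lookup admin_hosts.csv src_ip OUTPUT owner AS approved_owner
| where isnull(approved_owner)
| stats count AS logons, dc(user) AS distinct_users, values(user) AS users BY src_ip
| sort - logons
```

Rows with an empty approved_owner are the sources missing from the lookup, which is why the where clause keeps only those.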

Useful Info

Information about uncommon Splunk behaviors that might be useful

CIDR matching

The search command can perform a CIDR match on a field that contains IPv4 and IPv6 addresses.

Suppose the ip field contains these values:

10.10.10.12
50.10.10.17
10.10.10.23

If you specify ip="10.10.10.0/24", the search returns the events with the first and last values: 10.10.10.12 and 10.10.10.23.

Maps

Cluster Maps

index=foo
| iplocation [ip_field]
| geostats count by [fieldname, e.g. Country]

Choropleth Maps

index=foo
| stats count by Country
| geom geo_countries allFeatures=true featureIdField=Country