-
-
Save Zohorul/eea2730542c3d5f26d2c2ba4248a83fd to your computer and use it in GitHub Desktop.
Splunk SPL cheatsheet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# SPL cheatsheet: | |
# Additional resource: http://www.bbosearch.com/searches | |
######################################################## | |
- List users and corresponding roles: | |
===================================== | |
| rest /services/authentication/users splunk_server=? | |
| fields title roles realname | |
- List indexes: | |
=============== | |
| eventcount summarize=false index=* index=_* | dedup index | fields index | |
| rest /services/data/indexes | dedup title | table title | |
- Simple tabling of results: | |
============================ | |
... | |
| table _time src_ip src_port dest_ip dest_port proto url method proxy | |
| sort _time | |
- Simple count statistics: | |
========================== | |
index=os sourcetype="wineventlog:security" EventCode=4688 | |
| stats count, values(Creator_Process_Name) as Creator_Process_Name by New_Process_Name | |
| table New_Process_Name, count, Creator_Process_Name | |
| sort count | |
- Send e-mail function: | |
======================= | |
| sendemail to="[email protected]" | |
- Create timechart: | |
=================== | |
... | |
| table _time, <field>, name | |
| timechart span=1d sum(<field>) by name | |
- Show rare events: | |
=================== | |
index=os sourcetype=registry | |
| rare process_image | |
- Keep only the results that match a valid email address: | |
========================================================= | |
... | |
| regex email="/^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$/" | |
- Use sed syntax to match the regex to a series of numbers and replace them with an anonymized string: | |
====================================================================================================== | |
... | |
| rex field=ccnumber mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g" | |
- Expand an event with more than one multivalue field into individual events for each field value: | |
================================================================================================== | |
source="mvexpandData.csv" | |
| rex field=_raw "a=(?<a>\d+)" max_match=5 | |
| rex field=_raw "b=(?<b>\d+)" max_match=5 | |
| eval fields = mvzip(a,b) | |
| table _time fields | |
- Match valid IPv4 addresses: | |
============================= | |
... | |
| eval ipv4_valid = if(match(ipv4, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"), "valid", "invalid") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment