The Splunk search processing language

Searches are made up of these basic components:

Search terms – what are you looking for?

-keywords, phrases, Booleans, etc.

Commands – what do you want to do with the results?

-Create a chart, compute statistics, evaluate and format, etc.

Functions – how do you want to chart, compute, or evaluate the results?

-Get a sum, get an average, transform the values, etc.

Arguments – are there variables you want to apply to these functions?

-Calculate the average value for a specific field, convert milliseconds to seconds, etc.

Clauses – how do you want to group the results?

-Get the average of values for the price field grouped by product, etc.

Here is a sample event: – – [24/Mar/2018:12:05:27 -0700] “GET  /trade/app?action=logout HTTP/1.1” 200 295

Look at the following search: host=webserver

You can use the standard <field>=<value> syntax.

Search for events on all “hosts” servers for accesses by the user “root”. It then reports the 20 most recent events.

host=* eventtype=access user=root


Search across all public indexes.

index=*

Search across all indexes, public and internal.

index=* OR index=_*

If you often search for failed logins:

"failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user"


Web access errors from the beginning of the week to the current time of your search (now).

 eventtype=webaccess error earliest=@w0

Web access errors from the current business week (Monday to Friday).

eventtype=webaccess error earliest=@w1 latest=+7d@w6


Subsearches must be enclosed in square brackets in the primary search.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId), values(productId) by clientip


index=_internal earliest=-15m latest=now

The following search example is attempting to return the bytes for the individual indexes.

index=_internal source=*license* type=usage | stats sum(b) BY index

In this search the stats portion of the search is commented out.

index=_internal source=*license* type=usage `comment("| stats sum(b) BY index")`

Web access errors from the last full business week

eventtype=webaccess error earliest=-7d@w1 latest=@w6

Display customer interactions and retrieve only clientip

sourcetype=access_combined* | fields clientip

Display the action, productId, and status of customer

sourcetype=access_combined* action=* productId=* | table action, productId, status


sourcetype=access_combined* action=* productId=* | table action, productId, status | rename productId as "Product ID", action as "Customer Purchase", status as "HTTP Status Code"


Display and ports

sourcetype=linux_secure port "failed password" | rex "\s+(?<ports>port\s\d+)" | top src ports


sourcetype=linux_secure port "failed password" | rex "(?i) port (?P<port>[^ ]+)" | top port


sourcetype=linux_secure port "failed password" | erex port examples="4940,4608,4920" | top port
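
To check what a rex pattern extracts before running it against an index, the second pattern above (with its character class written as [^ ]+) can be exercised offline. The Python below is an added example, not part of the original page: the events are constructed, the src pattern is an assumed stand-in for Splunk's own extraction of that field, and top here returns counts only.

```python
import re
from collections import Counter

# Constructed events in the style of sourcetype=linux_secure (not real logs).
SAMPLE_EVENTS = [
    "Mar 24 12:05:27 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 4940 ssh2",
    "Mar 24 12:05:29 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 4608 ssh2",
    "Mar 24 12:05:31 web01 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 4920 ssh2",
    "Mar 24 12:05:40 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 4940 ssh2",
    "Mar 24 12:06:02 web01 sshd[2230]: Accepted password for deploy from 192.0.2.10 port 5122 ssh2",
    "Mar 24 12:06:10 web01 sshd[2231]: FAILED PASSWORD for root from 198.51.100.23 port 4920 ssh2",
    "Mar 24 12:06:15 web01 sshd[2240]: Failed password for root from 203.0.113.7 port",  # truncated event
]

# Pattern from the second rex search above, character class closed as [^ ]+.
PORT_REX = re.compile(r"(?i) port (?P<port>[^ ]+)")
# Assumption: hypothetical pattern standing in for Splunk's own `src` extraction.
SRC_REX = re.compile(r"(?i) from (?P<src>[^ ]+)")

def matches_search_terms(event):
    """Emulate the search terms `port "failed password"` (case-insensitive)."""
    text = event.lower()
    return "failed password" in text and re.search(r"\bport\b", text) is not None

def extract_fields(event):
    """Emulate rex: return only the fields whose pattern matched this event."""
    fields = {}
    for rex in (PORT_REX, SRC_REX):
        match = rex.search(event)
        if match:
            fields.update(match.groupdict())
    return fields

def top(events, *field_names, limit=10):
    """Emulate `top`: count value combinations, skipping events missing a field."""
    counts = Counter()
    for event in events:
        if not matches_search_terms(event):
            continue
        fields = extract_fields(event)
        if all(name in fields for name in field_names):
            counts[tuple(fields[name] for name in field_names)] += 1
    return counts.most_common(limit)

if __name__ == "__main__":
    print(top(SAMPLE_EVENTS, "port"))
    print(top(SAMPLE_EVENTS, "src", "port"))
```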


Display the top mail domains from sourcetype=cisco_esa

sourcetype=cisco_esa | rex field=mailfrom "@(?<maildomain>.*)" | top limit=10 maildomain

Most frequent source IP, or top-selling product, in 24 hours.

sourcetype=linux_secure password fail* | top src

sourcetype=access_combined* action=purchase status=200 | top product_name

Display the count of retail sales made yesterday

sourcetype=vendor_sales | stats count as "Retail Sales"

Count the number of events

sourcetype=access_combined* | stats count(action)

How many unique websites were visited

sourcetype=cisco_wsa_squid | stats dc(s_hostname)

Display the quantity of sales by product name and price

sourcetype=vendor_sales | stats count as quantity by product_name, price

Which websites have employees accessed

sourcetype=cisco_wsa_squid | stats list(s_hostname) by cs_username

sourcetype=access_combined* action=purchase | timechart count(product_name) by categoryId


sourcetype=access_combined* action=purchase | chart count(product_name) by categoryId


sourcetype=vendor_sales | geostats latfield=VendorLatitude longfield=VendorLongitude count by product_name

sourcetype=access_combined* action=purchase | stats sum(price) as count | gauge count 0 10000 20000

Display the errors that our hosts produce

sourcetype=access_combined* status>299 | chart count over status by host

Display the transactions that failed for each product from the online shopping cart

sourcetype=access_combined* status>299 | chart count over host by itemId


sourcetype=access_combined* product_name=* | timechart span=30m count by product_name


sourcetype=access_combined* status=4* clientip=”″


The best way to learn Splunk Search is to use the Splunk tutorial data(

The below links guide you how to upload the data