The Splunk search processing language
Searches are made up of these basic components:
Search terms – what are you looking for?
-Keywords, phrases, Booleans, etc.
Commands – what do you want to do with the results?
-Create a chart, compute statistics, evaluate and format, etc.
Functions – how do you want to chart, compute or evaluate the results?
-Get a sum, get an average, transform the values, etc.
Arguments – are there variables you want to apply to these functions?
-Calculate the average value for a specific field, convert milliseconds to seconds, etc.
Clauses – how do you want to group the results?
-Get the average of values for the price field grouped by product, etc.
Here is a sample event: 172.26.34.223 - - [24/Mar/2018:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 295
Look at the following search: host=webserver
You can use the standard <field>=<value> syntax; here host is the field and webserver is the value.
Search for events on all hosts for accesses (eventtype=access) by the user "root", then report only the 20 most recent events with head:
host=* eventtype=access user=root | head 20
Search across all public (non-internal) indexes: index=*
Search across all indexes, public and internal: index=* OR index=_*
If you often search for failed logins, a search like the following is worth saving for reuse (note that search terms are case-insensitive, so "failed login" and "FAILED LOGIN" match the same events): "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user"
Web access errors from the beginning of the week (@w0 snaps to Sunday 00:00) to the current time of your search (now):
eventtype=webaccess error earliest=@w0
Web access errors from the current business week (Monday to Friday). The offset is applied before the snap, so +7d@w6 resolves to 00:00 on the Saturday that closes the current week:
eventtype=webaccess error earliest=@w1 latest=+7d@w6
Subsearches must be enclosed in square brackets in the primary search. The subsearch runs first and its result is substituted into the outer search as a field=value term (here clientip=<the most active client>):
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId), values(productId) by clientip
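As an added illustration of the subsearch above (example code written for this page, not Splunk's own implementation), the following Python runs the inner search first, turns its single row into a clientip=<value> term, and then computes the outer stats. The events are constructed sample data with hypothetical IPs and product IDs, shaped the way Splunk presents field-extracted sourcetype=access_* events.

```python
from collections import Counter

# Constructed sample events, already field-extracted the way Splunk would present
# sourcetype=access_* events (hypothetical IPs and product IDs, not data from the page).
EVENTS = [
    {"clientip": "87.194.216.51",  "status": 200, "action": "purchase",  "productId": "WC-SH-G04"},
    {"clientip": "87.194.216.51",  "status": 200, "action": "purchase",  "productId": "DB-SG-G01"},
    {"clientip": "87.194.216.51",  "status": 200, "action": "purchase",  "productId": "WC-SH-G04"},
    {"clientip": "128.241.220.82", "status": 200, "action": "purchase",  "productId": "FS-SG-G03"},
    {"clientip": "128.241.220.82", "status": 503, "action": "purchase",  "productId": "FS-SG-G03"},
    {"clientip": "10.2.1.44",      "status": 200, "action": "addtocart", "productId": "WC-SH-G04"},
]

# Splunk's default cap on rows a subsearch may hand to the outer search
# (limits.conf [subsearch] maxout). Anything beyond it is silently dropped.
SUBSEARCH_MAXOUT = 10000


def base_terms(events):
    """sourcetype=access_* status=200 action=purchase (the terms shared by both searches)."""
    return [e for e in events if e["status"] == 200 and e["action"] == "purchase"]


def subsearch(events):
    """[search ... | top limit=1 clientip | table clientip]

    Runs first. Each returned row becomes a field=value term OR'd into the
    outer search; with limit=1 that is a single clientip=<value> term.
    """
    counts = Counter(e["clientip"] for e in base_terms(events))
    rows = [{"clientip": ip} for ip, _ in counts.most_common(1)]
    return rows[:SUBSEARCH_MAXOUT]


def outer_search(events):
    """... clientip=<subsearch result> | stats count, dc(productId), values(productId) by clientip"""
    wanted = {row["clientip"] for row in subsearch(events)}
    by_ip = {}
    for e in base_terms(events):
        if e["clientip"] in wanted:
            by_ip.setdefault(e["clientip"], []).append(e["productId"])
    return [
        {
            "clientip": ip,
            "count": len(pids),
            "dc(productId)": len(set(pids)),
            "values(productId)": sorted(set(pids)),   # values() is a sorted, de-duplicated list
        }
        for ip, pids in sorted(by_ip.items())
    ]


if __name__ == "__main__":
    for row in outer_search(EVENTS):
        print(row)
```

Two caveats carry over to real Splunk: the subsearch must finish within its time limit (limits.conf maxtime, 60 seconds by default) and may return at most maxout rows, otherwise the outer search silently runs against a truncated term list; and because the outer search repeats the base terms, only events that matched the inner search's filter are counted.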
Events from Splunk's own internal index for the last 15 minutes: index=_internal earliest=-15m latest=now
The following search returns the bytes of license usage per index:
index=_internal source=*license* type=usage | stats sum(b) BY index
In this search the stats portion is commented out with the comment macro (the argument is a quoted string and the macro call is closed with a second backtick):
index=_internal source=*license* type=usage `comment("| stats sum(b) BY index")`
Web access errors from the last full business week (Monday 00:00 of last week up to Saturday 00:00 of this week):
eventtype=webaccess error earliest=-7d@w1 latest=@w6
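To make the relative time modifiers used above (earliest=@w0, earliest=@w1 latest=+7d@w6, earliest=-7d@w1 latest=@w6, earliest=-15m) concrete, here is an added Python example, written for this page rather than taken from Splunk, that resolves them the way Splunk does: the offset is applied first, then the result is snapped backwards to the requested boundary (@w and @w0 are Sunday, @w6 is Saturday, day snaps land on 00:00). It assumes a constructed "now" of Wednesday 2018-03-28 12:05:27 and covers only the s/m/h/d/w units used on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed "now" for the worked examples: Wednesday 28 Mar 2018, 12:05:27.
NOW = datetime(2018, 3, 28, 12, 5, 27)

# [+-]N<unit> offset, optional @<snap>; snap units: s m h d, w (== w0 == Sunday) or w0..w6.
# Splunk also accepts mon/q/y and more; those are out of scope for this illustration.
MOD_RE = re.compile(r"^(?:(?P<off>[+-]\d+)(?P<unit>[smhdw]))?(?:@(?P<snap>w[0-6]?|[smhd]))?$")
UNIT_KW = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def relative_time(modifier, now=NOW):
    """Resolve a Splunk-style relative time modifier against `now`.

    Order matters: the offset is applied first, then the result is snapped
    backwards to the requested boundary, which is the order Splunk uses.
    """
    if modifier == "now":
        return now
    m = MOD_RE.match(modifier)
    if not m:
        raise ValueError("unsupported time modifier: %r" % modifier)
    t = now
    if m.group("off"):
        t = t + timedelta(**{UNIT_KW[m.group("unit")]: int(m.group("off"))})
    snap = m.group("snap")
    if snap is None:
        return t
    if snap.startswith("w"):
        # @w / @w0 snap to Sunday, @w1..@w6 to Monday..Saturday, always at 00:00,
        # and always to the most recent such day at or before t.
        target = int(snap[1:]) if len(snap) > 1 else 0
        splunk_dow = (t.weekday() + 1) % 7           # Python: Mon=0 .. Sun=6; Splunk: Sun=0 .. Sat=6
        days_back = (splunk_dow - target) % 7
        midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
        return midnight - timedelta(days=days_back)
    if snap == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if snap == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if snap == "m":
        return t.replace(second=0, microsecond=0)
    return t.replace(microsecond=0)                   # "s"


def time_window(earliest, latest="now", now=NOW):
    """Return the (earliest, latest) datetimes a search would be bounded by."""
    start, end = relative_time(earliest, now), relative_time(latest, now)
    if start > end:
        raise ValueError("earliest %s is after latest %s" % (start, end))
    return start, end


if __name__ == "__main__":
    for e, l in [("@w0", "now"), ("@w1", "+7d@w6"), ("-7d@w1", "@w6"), ("-15m", "now")]:
        s, t = time_window(e, l)
        print("earliest=%-7s latest=%-7s -> %s (%s) .. %s (%s)"
              % (e, l, s, s.strftime("%a"), t, t.strftime("%a")))
```

Running it shows why the two business-week searches work: on a Wednesday, +7d@w6 lands on the coming Saturday 00:00 (the +7d keeps the snap from falling back to last Saturday), and -7d@w1 / @w6 bracket Monday to Friday of the previous week.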
Display customer interactions and retrieve only clientip
sourcetype=access_combined* | fields clientip
Display the action, productId, and status of customer requests, then give the columns readable names (the field is action, so that is what rename must refer to):
sourcetype=access_combined* action=* productId=* | table action, productId, status
sourcetype=access_combined* action=* productId=* | table action, productId, status | rename productId as "Product ID", action as "Customer Purchase", status as "HTTP Status Code"
Display the source addresses and ports of failed SSH password attempts, extracting the port three different ways (the field name in the rex group must match the one used by top):
sourcetype=linux_secure port "failed password" | rex "port\s(?<port>\d+)" | top src port
sourcetype=linux_secure port "failed password" | rex "(?i) port (?P<port>[^ ]+)" | top port
sourcetype=linux_secure port "failed password" | erex port examples="4940,4608,4920" | top port
Display the top mail domains from sourcetype=cisco_esa (rex matches against _raw unless field= names another field):
sourcetype=cisco_esa | rex field=mailfrom "@(?<maildomain>.*)" | top limit=10 maildomain
Top source IPs with password failures, and the top-selling products (set the time range picker to the last 24 hours):
sourcetype=linux_secure password fail* | top src
sourcetype=access_combined* action=purchase status=200 | top product_name
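The rex and top examples above (port and source extraction from linux_secure, the mail-domain extraction from cisco_esa, and top src) are easy to get wrong in the regex, so here is an added Python example that applies the same patterns to constructed sample lines and counts the results the way top does. It is illustration code written for this page, not Splunk's implementation; the hostnames, IPs and addresses are made up, and Python's re requires the (?P<name>...) spelling of the named groups that Splunk's rex also accepts.

```python
import re
from collections import Counter

# Constructed linux_secure-style sshd lines (hypothetical host, IPs and PIDs, not page data).
LINUX_SECURE = [
    "Mar 24 12:05:27 www1 sshd[4121]: Failed password for invalid user admin from 10.11.36.20 port 4940 ssh2",
    "Mar 24 12:05:29 www1 sshd[4121]: Failed password for invalid user admin from 10.11.36.20 port 4608 ssh2",
    "Mar 24 12:05:31 www1 sshd[4130]: Failed password for root from 86.212.199.60 port 4920 ssh2",
    "Mar 24 12:05:40 www1 sshd[4142]: Accepted password for bob from 10.11.36.20 port 50122 ssh2",
]
# Constructed cisco_esa-style events with the mailfrom field already extracted.
CISCO_ESA = [
    {"mailfrom": "alice@example.com"},
    {"mailfrom": "bob@example.com"},
    {"mailfrom": "carol@mail.example.org"},
    {"mailfrom": "noreply@example.com"},
    {"mailfrom": "no-at-sign"},              # rex adds no field when the pattern does not match
]

# Splunk rex accepts (?<name>...); Python's re needs (?P<name>...) for the same named group.
SRC_RE = re.compile(r" from (?P<src>\d+\.\d+\.\d+\.\d+) ")
PORT_RE = re.compile(r"(?i) port (?P<port>[^ ]+)")
MAILDOMAIN_RE = re.compile(r"@(?P<maildomain>.*)")


def search_terms(lines, *terms):
    """Keyword filter like `port "failed password"`: every term must occur, case-insensitively.

    Simplification: Splunk matches segmented terms, this uses plain substring tests.
    """
    return [ln for ln in lines if all(t.lower() in ln.lower() for t in terms)]


def rex(events, pattern, field="_raw"):
    """Like `rex field=<field> "<pattern>"`: add the named groups to each event that matches."""
    out = []
    for ev in events:
        ev = dict(ev)
        m = pattern.search(ev.get(field, ""))
        if m:
            ev.update(m.groupdict())
        out.append(ev)
    return out


def top(events, *fields, limit=10):
    """Like `top <fields>`: most common value combinations with count and percent.

    Events missing any of the requested fields are ignored, as Splunk's top does.
    """
    rows = [tuple(ev[f] for f in fields) for ev in events if all(f in ev for f in fields)]
    total = len(rows)
    return [
        dict(zip(fields, combo), count=n, percent=round(100.0 * n / total, 2))
        for combo, n in Counter(rows).most_common(limit)
    ]


def failed_password_events():
    """sourcetype=linux_secure port "failed password" | rex (src) | rex (port)"""
    events = [{"_raw": ln} for ln in search_terms(LINUX_SECURE, "port", "failed password")]
    return rex(rex(events, SRC_RE), PORT_RE)


def failed_password_sources():
    """... | top src port"""
    return top(failed_password_events(), "src", "port")


def failed_password_top_src():
    """sourcetype=linux_secure password fail* | top src"""
    return top(failed_password_events(), "src")


def top_mail_domains():
    """sourcetype=cisco_esa | rex field=mailfrom "@(?<maildomain>.*)" | top limit=10 maildomain"""
    return top(rex(CISCO_ESA, MAILDOMAIN_RE, field="mailfrom"), "maildomain")


if __name__ == "__main__":
    for row in failed_password_top_src() + top_mail_domains():
        print(row)
```

Two things worth noticing: the Accepted password line is dropped by the keyword filter before rex ever runs, so its port never skews the counts, and the greedy "@(.*)" pattern would capture a trailing ">" if mailfrom ever carried a display-name form like "Carol <carol@example.org>", which is why checking rex output with a quick top is a good habit before building a dashboard on it.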
Display the count of retail sales made yesterday (the time range is what makes it "yesterday": earliest=-1d@d latest=@d, or the Yesterday preset in the time range picker):
sourcetype=vendor_sales earliest=-1d@d latest=@d | stats count as "Retail Sales"
Count the number of events that have an action field (a bare stats count would count every event, whether or not the field is present):
sourcetype=access_combined* | stats count(action)
How many unique websites were visited?
sourcetype=cisco_wsa_squid | stats dc(s_hostname)
Display the quantity of sales by product name and price
sourcetype=vendor_sales | stats count as quantity by product_name, price
Which websites have employees accessed?
sourcetype=cisco_wsa_squid | stats list(s_hostname) by cs_username
Purchases per category, as a time series and as a single chart:
sourcetype=access_combined* action=purchase | timechart count(product_name) by categoryId
sourcetype=access_combined* action=purchase | chart count(product_name) by categoryId
Sales per product plotted on a map by vendor location:
sourcetype=vendor_sales | geostats latfield=VendorLatitude longfield=VendorLongitude count by product_name
Total purchase revenue shown as a gauge with ranges 0-10000 and 10000-20000:
sourcetype=access_combined* action=purchase | stats sum(price) as count | gauge count 0 10000 20000
Display the errors (HTTP status above 299) that our hosts produce:
sourcetype=access_combined* status>299 | chart count over status by host
Display the failed requests from the online shopping cart, per host and broken down by product (itemId):
sourcetype=access_combined* status>299 | chart count over host by itemId
Requests that carry a product_name, per product in 30-minute buckets (field names are case-sensitive, so it must be sourcetype, not Sourcetype):
sourcetype=access_combined* product_name=* | timechart span=30m count by product_name
Client errors (4xx status codes) from a single client IP:
sourcetype=access_combined* status=4* clientip="69.72.161.186"
The best way to learn Splunk search is to use the Splunk tutorial data (http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchTutorial/Systemrequirements#Download_the_tutorial_data_files).
The following page explains how to upload the data:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchTutorial/GetthetutorialdataintoSplunk