Splunk: Search Processing Language (SPL) Basics

by
Sharing is caring
This entry is part 10 of 17 in the series Threat Detection Engineering
wp-content/uploads/2024/03/DE01.png
Threat Detection Engineering

Views: 63

Splunk Search Processing Language comprises of multiple functions, operators and commands that are used together to form a simple to complex search and get the desired results from the ingested logs.

Main components of SPL

Search Field Operators

Comparison Operators

These operators are used to compare the values against the fields.

Field NameOperatorExampleExplanation
Equal=UserName=MarkThis operator is used to match values against the field. In this example, it will look for all the events, where the value of the field UserName is equal to Mark.
Not Equal to!=UserName!=MarkThis operator returns all the events where the UserName value does not match Mark.
Less than<Age < 10Showing all the events with the value of Age less than 10.
Less than or Equal to<=Age <= 10Showing all the events with the value of Age less than or equal to 10.
Greater than>Outbound_traffic > 50 MBThis will return all the events where the Outbound traffic value is over 50 MB.
Greater Than or Equal to>=Outbound_traffic >= 50 MBThis will return all the events where the Outbound traffic value is greater or equal to 50 MB.

Lets use the comparison operator to display all the event logs from the index “windowslogs”, where AccountName is not Equal to “System”

Boolean Operators

OperatorSyntaxExplanation
NOTfield_A NOT valueIgnore the events from the result where field_A contain the specified value.
ORfield_A=value1 OR field_A=value2Return all the events in which field_A contains either value1 or value2.
ANDfield_A=value1 AND field_B=value2Return all the events in which field_A contains value1 and field_B contains value2.
Splunk SPL
#Example Search Query

index=windowslogs AccountName !=SYSTEM AND AccountName=James

Wild Card

Wildcard symbolExampleExplanation
*
status=fail*It will return all the results with values likestatus=failedstatus=failure
Splunk SPL
#Example Search Query
index=windowslogs DestinationIp=172.*
Splunk SPL
#Some additional Search Queries

index=windowslogs EventID="1" User="Cybertees\\James"

index=windowslogs DestinationIp=172.18.39.6 DestinationPort=135

index=windowslogs  Hostname="Salena.Adam" DestinationIp="172.18.38.5"

Filtering the results in SPL

 SPL allows us to use Filters to narrow down the result and only show the important events that we are interested in. We can add or remove certain data from the result using filters. 

Fields

CommandFields
ExplanationFields command is used to add or remove mentioned fields from the search results. To remove the field, minus sign ( – ) is used before the fieldname and plus ( + ) is used before the fields which we want to display.
Syntax| fields <field_name1>  <field_name2>
Examplefields + HostName - EventID
Splunk SPL
#Example Query
index=windowslogs | fields + host + User + SourceIp

Search

CommandSearch
ExplanationThis command is used to search for the raw text while using the chaining command |
Syntax| search  <search_keyword>
Examplesearch "Powershell"
Splunk SPL
#Example Query

index=windowslogs | search Powershell

Dedup

CommandDedup
ExplanationDedup is the command used to remove duplicate fields from the search results. We often get the results with various fields getting the same results. These commands remove the duplicates to show the unique values.
Syntax| dedup <fieldname>
Examplededup EventID

We can use the dedup command to show the list of unique EventIDs from a particular hostname.

Splunk SPL
#Example Search Query

index=windowslogs | table EventID User Image Hostname | dedup EventID

Rename

Commandrename
ExplanationIt allows us to change the name of the field in the search results. It is useful in a scenario when the field name is generic or log, or it needs to be updated in the output.
Syntax| rename  <fieldname>
Examplerename User as Employees
Splunk SPL
#Example Query

index=windowslogs | fields + host + User + SourceIp | rename User as Employees
Splunk SPL
#Additional Search Queries

index=windowslogs | table _time EventID Hostname SourceName | reverse
Splunk SPL
#Example Query

index=windowslogs | table _time EventID Hostname SourceName | reverse 
| dedup Hostname

Structuring the Search Results

SPL provides various commands to bring structure or order to the search results. These sorting commands like head, tail, and sort can be very useful during logs investigation.

Table

Commandtable
ExplanationEach event has multiple fields, and not every field is important to display. The Table command allows us to create a table with selective fields as columns.
Syntax| table <field_name1> <fieldname_2>  
Exampletable
head 20 # will return the top 20 events from the result list.

This search query will create a table with three columns selected and ignore all the remaining columns from the display.

Splunk SPL
#Example Search Query

index=windowslogs | table EventID Hostname SourceName

Head

Commandhead
ExplanationThe head command returns the first 10 events if no number is specified.
Syntax| head <number>   
Examplehead   # will return the top 10 events from the result list
head 20    # will return the top 20 events from the result list

The following search query will show the table containing the mentioned fields and display only the top 5 entries.

Splunk SPL
index=windowslogs |  table _time EventID Hostname SourceName | head 5

Tail

Commandtail
ExplanationThe Tail command returns the last 10 events if no number is specified.
Syntax| tail <number>   
Exampletail # will return the last 10 events from the result list
tail 20   # will return the last 20 events from the result list

The following search query will show the table containing the mentioned fields and display only 5 entries from the bottom of the list.

Splunk SPL
#Example Search Query

index=windowslogs |  table _time EventID Hostname SourceName | tail 5

Sort

Commandsort
ExplanationThe Sort command allows us to order the fields in ascending or descending order.
Syntaxsort <field_name>  
Examplesort Hostname # This will sort the result in Ascending order.

The following search query will sort the results based on the Hostname field.

Splunk SPL
#Example Search Query

index=windowslogs |  table _time EventID Hostname SourceName | sort Hostname

Reverse

Commandreverse
ExplanationThe reverse command simply reverses the order of the events.
Syntax|  reverse
Example<Search Query> | reverse         
Splunk SPL
#Example Query

index=windowslogs | table _time EventID Hostname SourceName | reverse

 Transformational Commands in SPL

Transformational commands are those commands that change the result into a data structure from the field-value pairs. These commands simply transform specific values for each event into numerical values which can easily be utilized for statistical purposes or turn the results into visualizations. Searches that use these transforming commands are called transforming searches. Some of the most used transforming commands are explained below.

Top

Commandtop
ExplanationThis command returns frequent values for the top 10 events.
Syntax| top  <field_name>| top limit=6 <field_name>
Exampletop limit=3 EventID

The following command will display the top 7 Image ( representing Processes) captured.

Splunk SPL
#Example Search Query
index=windowslogs | top limit=7 Image

Rare

Commandrare
ExplanationThis command does the opposite of top command as it returns the least frequent values or bottom 10 results.
Syntax| rare <field_name>| rare limit=6 <field_name>
Examplerare limit=3 EventID
Splunk SPL
index=windowslogs | rare limit=7 Image

Highlight

Commandhighlight
ExplanationThe highlight command shows the results in raw events mode with fields highlighted.
Syntaxhighlight      <field_name1>      <field_name2>
Examplehighlight User, host, EventID, Image

The following command will highlight the three mentioned fields in the raw logs

Splunk SPL
index=windowslogs | highlight User, host, EventID, Image

STATS Commands

SPL supports various stats commands that help in calculating statistics on the values. Some common stat commands are:

CommandExplanationSyntaxExample
AverageThis command is used to calculate the average of the given field.stats avg(field_name)stats avg(product_price)
MaxIt will return the maximum value from the specific field.stats max(field_name)stats max(user_age)
MinIt will return the minimum value from the specific field.stats min(field_name)stats min(product_price)
SumIt will return the sum of the fields in a specific value.stats sum(field_name)stats sum(product_cost)
CountThe count command returns the number of data occurrences.stats count(function) AS new_NAMEstats count(source_IP)

Splunk Chart Commands

Chart

Commandchart
ExplanationThe chart command is used to transform the data into tables or visualizations.
Syntax| chart <function>
Examplechart count by User
Splunk SPL
#Search Query: 
index=windowslogs | chart count by User
Splunk SPL
#Search Query: 
index=windowslogs | chart count by User

Timechart

Commandtimechart
ExplanationThe timechart command returns the time series chart covering the field following the function mentioned. Often combined with STATS commands.
Syntax| timechart function  <field_name>
Exampletimechart count by Image

The following query will display the Image chart based on the time.

Splunk SPL
#Search Query:
index=windowslogs | timechart count by Imag
Series Navigation<< Investigate SQLi attacks using SplunkPractical Threat Hunting using Elastic SIEM: Hunting for Stuxbot >>