Searching Examples

Learning the Splunk search language takes practice, but if you follow the Recommendations there is a process you can apply to any search:

  1. Identify your goal.
  2. Narrow the timeframe.
  3. Pick out the needed data. (Run: |tstats count where index=* by index, source, sourcetype.)
  4. Investigate the data to identify other values that will assist in achieving the goal.
  5. Make the data easy to draw conclusions from by using clear naming, statistical analysis, and visuals.

Splunk has created a collection of use cases and common searches for information security, financials, health care, and IT.


Highest Log Volume

You just heard about a new vulnerability that, if exploited, will increase traffic on Linux systems. You need to quickly verify that the Linux security logs are producing their normal amount of traffic.

  1. Let's say you're not sure what the sourcetype would explicitly be called, but you know "linux" should be in there. You can run the following to see all sourcetypes that contain "linux":

    |tstats count where sourcetype=*linux* by index, sourcetype

    Note:

    To avoid pulling in arbitrary logs, it is not recommended to search for a generic term such as 'networking': that only returns the top hosts whose logs happen to contain the word 'networking'. Similarly, it is not recommended to search for your unit name, because that only returns hosts whose logs contain the unit name. Search by index, sourcetype, or source instead. For example, if you're looking for the top hosts in your unit, specify the index; if you're looking for the top Windows hosts, include sourcetype=Win* in your search.

  2. Start a new search with the sourcetype you identified. Use a small time range; a larger time range takes more time and CPU to search.

    (Screenshot: Time Range picker with 24 hours selected)
  3. Narrow down the search to identify the top log producers.

    sourcetype=[redacted] | top host | rename count as "Total Logs", percent as "Percent of Log Volume"
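The search above shows today's top log producers, but the scenario asks whether each host is still producing its normal volume. As an added example, not from the original page, the following search applies the same five-step process to that question: it compares yesterday's event count per host against the average of the seven days before it and keeps only hosts that went silent or moved by more than 50 percent. The index name os, the sourcetype linux_secure, and the 50 percent threshold are assumptions; substitute the values your tstats search returned.

```spl
| tstats count where index=os sourcetype=linux_secure earliest=-8d@d latest=@d by host _time span=1d
| eval period=if(_time>=relative_time(now(), "-1d@d"), "recent", "baseline")
| stats sum(eval(if(period=="recent", count, 0))) AS recent_count, avg(eval(if(period=="baseline", count, null()))) AS baseline_avg by host
| eval pct_change=round((recent_count - baseline_avg) / baseline_avg * 100, 1)
| where recent_count=0 OR abs(pct_change)>50
| sort - pct_change
| rename host AS Host, recent_count AS "Logs Yesterday", baseline_avg AS "7-Day Daily Average", pct_change AS "Percent Change"
```

The tstats command buckets counts per host per day over the last eight full days; the eval labels the most recent bucket "recent" and the rest "baseline", and the stats collapses both into one row per host. A host with no events yesterday still appears because its recent_count sums to 0 and its pct_change is -100, which is the case you most want to notice. Both drops and spikes are kept, since an exploited host may log far more than usual.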


Windows Update Status

You pushed out a Windows update in the past 24 hours. However, you believe more hosts have updated than your Windows monitoring console shows. You want to see what percentage of hosts have updated successfully and what percentage have failed.

  1. Let's say you're not sure what the source would explicitly be called, but you know "Win" should be in there. You can run the following to see all sources that start with "Win":

    |tstats count where sourcetype=Win* by index, source, sourcetype

  2. After looking through the different sourcetypes, you see that sourcetype=WinEventLog* includes all Windows Event Logs. You know you want something that mentions "Installation," "Success," and "Failure." By searching source=WinEventLog* over a very short time range (for example, 5 minutes), you can see all the associated fields.

    (Screenshot: Fields sidebar)

  3. After looking through the interesting fields, it looks like the Keywords field could be the best fit for the search. 

    (Screenshot: Keywords field values with details)

  4. Since the top values do not indicate the specific syntax of the installation information, look up:

    source=WinEventLog* | dedup Keywords | table Keywords

    • dedup Keywords removes duplicate values of the Keywords field, and table Keywords shows every remaining value of the Keywords field.

      (Screenshot: details of the Keywords values to include)

    "Installation, Started", "Installation, Success", and "Installation, Failure" will be included in the search.

  5. Create a chart for only the installation values. The boolean operator OR is used in this search because we want every event in which at least one of these values appears.

    source=WinEventLog* Keywords="Installation, Started" OR Keywords="Installation, Success" OR Keywords="Installation, Failure" | chart count by Keywords

  6. Rename the fields "Keywords" as "Status" and "count" as "Number of Installations."

    source=WinEventLog* Keywords="Installation, Started" OR Keywords="Installation, Success" OR Keywords="Installation, Failure" | chart count by Keywords | rename "Keywords" as "Status" | rename "count" as "Number of Installations"

    (Screenshot: the completed search)
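The chart above counts installation events, not hosts, so it does not yet answer the percentage question the scenario opens with. As an added example that is not part of the original page, the following search classifies each host by the outcome of its installations in the last 24 hours, counts hosts per outcome, and computes each outcome's share of all reporting hosts. The source, host, and Keywords fields and the three Keywords values are the ones identified in the steps above; the 24-hour window matches the scenario.

```spl
source=WinEventLog* earliest=-24h (Keywords="Installation, Started" OR Keywords="Installation, Success" OR Keywords="Installation, Failure")
| stats sum(eval(if(Keywords=="Installation, Started", 1, 0))) AS started, sum(eval(if(Keywords=="Installation, Success", 1, 0))) AS successes, sum(eval(if(Keywords=="Installation, Failure", 1, 0))) AS failures by host
| eval Status=case(failures>0, "Failed", successes>0, "Succeeded", started>0, "Started only")
| stats count AS hosts by Status
| eventstats sum(hosts) AS total_hosts
| eval pct=round(hosts/total_hosts*100, 1)
| fields - total_hosts
| rename hosts AS "Number of Hosts", pct AS "Percent of Hosts"
```

The first stats produces one row per host with three counters; the case() then assigns a single status, treating any failure as a failed host and a host that only logged "Installation, Started" as still in progress. The second stats counts hosts per status, and eventstats adds the total across all rows so each row can be turned into a percentage. If you only want a success rate, drop the "Installation, Started" term from both the search and the case() branches.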


Office365 - Data

You've been tasked with monitoring Office365 uploads and downloads for your unit.

  1. You're not sure what the sourcetype would explicitly be called, but you know "365" should be in there. You can run the following to see all sourcetypes that contain "365":

    |tstats count where sourcetype=*365* by index, source, sourcetype

  2. Start a new search with the sourcetype you identified. Use a small timeframe window.

    sourcetype=[redacted]

  3. Click through the available fields for one that shows different actions related to uploading or downloading. Operation is most likely the field.

    sourcetype=[redacted] | top limit=0 Operation

    (Screenshot: fields examples)

  4. Looking through the different values of the Operation field, FileUploaded, FileDownloaded, FileSyncDownloadedFull, and FileSyncUploadedFull are the values to select.

    sourcetype=[redacted] Operation=FileSync* OR Operation=FileUploaded OR Operation=FileDownloaded

  5. Click through the available fields for one that shows the Office365 apps. Workload is most likely the field.

    sourcetype=[redacted] Operation=FileSync* OR Operation=FileUploaded OR Operation=FileDownloaded Workload=*

  6. To put the data in an easy-to-understand format, chart it by upload and download type and rename the resulting fields.

    sourcetype=[redacted] Operation=FileSync* OR Operation=FileUploaded OR Operation=FileDownloaded Workload=* | timechart dc(user) by Operation | rename FileSyncUploadedFull AS "Sync Upload" FileSyncDownloadedFull AS "Sync Download" FileUploaded AS "Manual Upload" FileDownloaded AS "Manual Download"

    Note: rename works on field names, not field values. Before timechart, FileUploaded and the other names are values of the Operation field, so the rename has to come after timechart, where each Operation value has become its own column.
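The timechart above shows how many distinct users uploaded or downloaded over time. As an added example that is not from the original page, the following search extends this scenario to a per-user view, which is the form you want when reviewing who moved the most files: it folds the four Operation values into an upload or download direction, totals each per user, and lists the users with the most downloads in the last 24 hours. The sourcetype o365:management:activity and the 500-download threshold are assumptions; Operation, Workload, and user are the fields used above.

```spl
sourcetype=o365:management:activity earliest=-24h (Operation=FileDownloaded OR Operation=FileSyncDownloadedFull OR Operation=FileUploaded OR Operation=FileSyncUploadedFull)
| eval direction=case(Operation=="FileDownloaded" OR Operation=="FileSyncDownloadedFull", "Download", Operation=="FileUploaded" OR Operation=="FileSyncUploadedFull", "Upload")
| stats sum(eval(if(direction=="Download", 1, 0))) AS downloads, sum(eval(if(direction=="Upload", 1, 0))) AS uploads, values(Workload) AS workloads by user
| where downloads>500
| sort - downloads
| rename user AS User, downloads AS Downloads, uploads AS Uploads, workloads AS Workloads
```

The case() keeps the manual and sync variants of each action together so a user who bulk-synced a library is counted the same way as one who clicked Download repeatedly; values(Workload) shows which Office 365 services (for example SharePoint or OneDrive) the activity came from. Tune the threshold to the normal daily volume in your unit, or remove the where clause and keep the sort to simply see the heaviest users.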


Helpful Resources: