In earlier articles we covered Splunk deployment and configuration, architecture, and features. One of Splunk's components is the Search Head, and it offers a long list of search commands for analysing logs day to day; several of them also turn up inside alert rules. Underneath all of them sit five basic search operators that play a vital role in almost every search.
Five Golden Search Commands:
These operators are familiar from school mathematics and appear in most query languages. In Splunk they are:
- Field-value pair matching
- Using boolean and comparison operators
- Using the IN operator
- Using wildcards
- Using the NOT or != comparisons
Field-value pair matching:
Field-value pairs (field=value) give exact matches, and the OR and AND operators combine them. A space between two terms is an implicit AND, so AND rarely has to be written out.
Example values used below: src_ip=220.127.116.11 ; dest_ip=18.104.22.168
- The query below returns events that contain either the src_ip or the dest_ip:
| search src_ip=220.127.116.11 OR dest_ip=18.104.22.168
- The queries below return only events that contain the src_ip as well as the dest_ip; the second form relies on the implicit AND and is the same search as the first:
| search src_ip=220.127.116.11 AND dest_ip=18.104.22.168
| search src_ip=220.127.116.11 dest_ip=18.104.22.168
Using boolean and comparison operators:
Boolean operators (AND, OR, NOT) combine terms, and comparison operators (=, !=, <, >, <=, >=) compare a field with a value. One point to watch: in the search command a bare value such as anu is a literal, but in where and eval an unquoted name is treated as another field, so string values there must be quoted.
- The query below returns the failed logons (Event_id 4625) of the particular user "anu". Written as where user=anu it would compare the field user with a field named anu and return nothing.
| search Event_id=4625 | where user="anu"
- The query below counts failed logons per value of the action field and keeps only the rows where the count is above 5. Grouping by user_name or src_ip instead shows which account or source is generating the failures.
| search Event_id=4625 | stats count by action | where count>5
Using the IN operator:
Instead of repeating a field with the OR operator (logon_type=2 OR logon_type=3), the IN operator lists the accepted values once. It belongs in the search command; inside where or eval the equivalent is the in() function, e.g. where in(logon_type, 2, 3).
- The query below returns the successful logons (Event_id 4624) on host Desktop-Richard whose logon type is 2 or 3:
| search Event_id=4624 host=Desktop-Richard logon_type IN (2,3)
Using wildcards:
Wildcards widen a match. If we are not sure of the full field value, an asterisk (*) stands for any run of characters. Wildcards work in the search command, not inside where comparisons.
- The below query will display the results of the user name which begins with the letter p.
| search user_name=p*
Using the NOT or != comparisons:
The NOT operator and the != comparison exclude unwanted events. They are not identical: NOT user_name=p* also keeps events that have no user_name field at all, while user_name!=p* keeps only events where the field exists and does not match. Both belong in the search command; where user_name!=p* would not treat p* as a wildcard.
- The query below returns the failed logons except those whose user name begins with the letter p (events without a user_name field are kept):
| search Event_id=4625 NOT user_name=p*
- The same exclusion with !=, which drops events that have no user_name field:
| search Event_id=4625 user_name!=p*
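To make the behaviour of all five operators checkable offline, here is an added Python model of them run over a handful of constructed logon events. It is not Splunk code and not part of the original article; the events, the threshold of 2 (the article uses 5) and the helper names (field_eq, field_in, not_eq, neq, search, count_by, over_threshold, run_examples) are assumptions for the example. It covers the field-value, boolean, IN and wildcard searches above and, in particular, the difference between NOT field=value and field!=value when the field is missing from an event.

```python
"""Model of Splunk's five basic search operators over constructed events.

Added example, not Splunk code: it emulates how the search command treats
field=value, AND/OR, IN, wildcards, NOT and != so the results can be compared
against the article's queries without a Splunk instance.
"""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events (Windows-style logon records), not real data.
# Event 5 deliberately has no user_name field, e.g. a failed field extraction.
EVENTS = [
    {"Event_id": 4625, "user_name": "anu", "host": "Desktop-Richard", "logon_type": 3,
     "src_ip": "220.127.116.11", "dest_ip": "18.104.22.168"},
    {"Event_id": 4625, "user_name": "anu", "host": "Desktop-Richard", "logon_type": 3,
     "src_ip": "220.127.116.11", "dest_ip": "10.0.0.9"},
    {"Event_id": 4625, "user_name": "anu", "host": "Desktop-Richard", "logon_type": 10,
     "src_ip": "10.0.0.5", "dest_ip": "18.104.22.168"},
    {"Event_id": 4625, "user_name": "Peter", "host": "Desktop-Richard", "logon_type": 2,
     "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9"},
    {"Event_id": 4625, "host": "Desktop-Richard", "logon_type": 3,
     "src_ip": "10.0.0.8", "dest_ip": "10.0.0.9"},
    {"Event_id": 4624, "user_name": "paul", "host": "Desktop-Richard", "logon_type": 2,
     "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9"},
    {"Event_id": 4624, "user_name": "anu", "host": "Desktop-Richard", "logon_type": 5,
     "src_ip": "10.0.0.1", "dest_ip": "10.0.0.9"},
    {"Event_id": 4624, "user_name": "richard", "host": "Laptop-Sam", "logon_type": 3,
     "src_ip": "10.0.0.2", "dest_ip": "10.0.0.9"},
]


def field_eq(event, field, pattern):
    """`field=value` in the search command: case-insensitive, `*` is a wildcard,
    and an event without the field never matches."""
    if field not in event:
        return False
    return fnmatchcase(str(event[field]).lower(), str(pattern).lower())


def field_in(event, field, values):
    """`field IN (v1, v2, ...)`: shorthand for field=v1 OR field=v2 OR ..."""
    return any(field_eq(event, field, v) for v in values)


def not_eq(event, field, pattern):
    """`NOT field=value`: true when the field is absent OR does not match."""
    return not field_eq(event, field, pattern)


def neq(event, field, pattern):
    """`field!=value`: true only when the field is PRESENT and does not match."""
    return field in event and not field_eq(event, field, pattern)


def search(events, *predicates):
    """`| search a b c`: whitespace between terms is an implicit AND."""
    return [e for e in events if all(p(e) for p in predicates)]


def count_by(events, field):
    """`| stats count by <field>`: events lacking the field are not counted."""
    return Counter(e[field] for e in events if field in e)


def over_threshold(counts, n):
    """`| where count>n` applied to a stats result."""
    return {k: c for k, c in counts.items() if c > n}


def run_examples(events=EVENTS):
    """Run the article's searches against the sample events; returns result sizes."""
    src, dst = "220.127.116.11", "18.104.22.168"
    failed = search(events, lambda e: field_eq(e, "Event_id", 4625))
    return {
        # src_ip=... OR dest_ip=...  versus  src_ip=... dest_ip=... (implicit AND)
        "either": len(search(events, lambda e: field_eq(e, "src_ip", src)
                                     or field_eq(e, "dest_ip", dst))),
        "both": len(search(events, lambda e: field_eq(e, "src_ip", src),
                           lambda e: field_eq(e, "dest_ip", dst))),
        # Event_id=4625 | where user_name="anu"
        "failed_anu": len(search(failed, lambda e: field_eq(e, "user_name", "anu"))),
        # Event_id=4625 | stats count by user_name | where count>2
        "noisy": over_threshold(count_by(failed, "user_name"), 2),
        # Event_id=4624 host=Desktop-Richard logon_type IN (2,3)
        "interactive": len(search(events, lambda e: field_eq(e, "Event_id", 4624),
                                  lambda e: field_eq(e, "host", "Desktop-Richard"),
                                  lambda e: field_in(e, "logon_type", (2, 3)))),
        # user_name=p*  ("Peter" matches because matching is case-insensitive)
        "p_users": len(search(events, lambda e: field_eq(e, "user_name", "p*"))),
        # Event_id=4625 NOT user_name=p*  keeps the event with no user_name ...
        "not_p": len(search(failed, lambda e: not_eq(e, "user_name", "p*"))),
        # ... while Event_id=4625 user_name!=p* drops it.
        "neq_p": len(search(failed, lambda e: neq(e, "user_name", "p*"))),
    }


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{name}: {value}")
```

The one-line gap between not_p and neq_p is the practical point of the last section: an exclusion written with != silently drops every event where the field was never extracted, which in an alert rule means missed failures rather than fewer false positives.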
Stay tuned for the list of commonly used Splunk commands…