Splunk Commands – Field-value pair matching , Boolean and comparison , Operator and Wildcards

0

We have already published articles related to Splunk Deployments & Configuration, Architecture, and Features. One of the components of Splunk is “Search Head”. There is a list of search commands to use daily to analyze the logs effectively. Some of the commands will be used in alert rules. And there are 5 golden search commands which play a vital role while searching the logs.


Five Golden Search Commands:

From school days onwards we are using some operators and those are used in all the technologies. Those operator commands are:

  • Field-value pair matching
  • Using boolean and comparison operators
  • Using the IN operator
  • Using wildcards
  • Using the NOT or != comparisons

Field-value pair matching:

We can get exact match values by using OR and AND operators. Default AND specifies the space in-between the search commands.

Examples:

Src ip = 180.18.19.1 ; Dest ip = 181.1.1.1

  • The below query will return the results which hold either the src ip or dest ip in the event logs.

Query:

| search src_ip=180.18.19.1 OR dest_ip=181.1.1.1

  • The below query will return the results which hold the src ip as well as dest ip in the event logs.

Query:

| search src_ip=180.18.19.1 AND dest_ip=181.1.1.1

| search src_ip=180.18.19.1 dest_ip=181.1.1.1 (Default AND is considered as one space between the commands)

Also Read: Latest Cyber Security News – Hacker News !

Using boolean and comparison operators:

As mentioned in the above paragraph, some of the operators are:

  • AND
  • OR
  • =

Examples:

  • The below query will search for the failed logs of the particular user “anu”

Query:

| search Event_id=4625 | where user=anu

  • The below query display the result of failed logins were the failed count is above 5

Query:

| search Event_id=4625| stats count by action | where count>5

Also Read: Splunk Features – Quick Guide on Key Elements

Using the IN operator:

Instead of the OR operator, we can use IN operator to return the logs which have the mentioned values.

Example:

  • The below query will display the events which holds logon type 2 and 3

Query:

| search Event_id=4624 host=Desktop-Richard | where logon_type IN (2,3)

Also Read: What is the MITRE ATT&CK Framework? How Is It Useful

Using wildcards:

Wildcards can be used in more situations. For example, if we are not sure about the full field value, a wildcard can be used.

Example:

  • The below query will display the results of the user name which begins with the letter p.

Query:

| search user_name=p*

Using the NOT or != comparisons:

NOT operator is used to exclude the unwanted logs and to get the exact result that we need.

Example:

  • The below query will display the results of the failed logins except the user name begins with the letter p.

Query:

| search Event_id=4625 | where user_name!=p*

Stay tuned for the list of commonly used Splunk commands…


LEAVE A REPLY

Please enter your comment!
Please enter your name here