Cheat Sheet

Splunk SPL Cheat Sheet

What

Concantenate Field Value & String

Query Search Multiple Matches

Select First 5 Results

Update fields Name

Count by Operating System

Change fileds Value Case

Format Splunk _time field

Limit Results by Time Frame

Add Comments to SPL

Sum Records, AVG of Free Space

Pull AVG of all Drive Free Space

AVG of Drive Free Space Per System

Trim AVG or Anything to 2 Decimals

How

| eval CN = CN.".Scott.Local"

| where Logon_Type IN (2,4)

| head 5

| rename C_Drive_Free as "C:\ Free"

| stats count by Operating_System

| eval Name = upper(FQDN)

| eval Time=strftime(_time, "%H:%M:%S")

index = "details" earliest=@d

``` Comments Go Here ```

| stats count(CN) as Count avg(C_Drive_Free_GB) as AverageFreeSpace by CN

index="details" | stats avg(C_Drive_Free_GB)

index="details" | stats avg(C_Drive_Free_GB) by CN

| stats avg(C_Drive_Free_GB) as avg_count by CN | eval avg_count=round(avg_count,2)

Why?

Lookup Compare Field was FQDN

Required to Show both Logon Types

Order _time Only Want Top 5 Results

Wanted Clean Name Format

Wanted Chart for Dashboard by OS

Comparison Required Case Match

Allow Cleaner Display of TIme Stamp

Wanted Static Report Last 4 Hours

Wanted to Add Notes to SPL

Wanted to Display both in 1 Query

Wokring on Calculations

Wanted to Round Off Trailing Numbers

Timing is Everything :)

Midnight to Currnet Time

Yesterday Time Span

Currnet Week Time Span

Last 60 Minutes

Last 4 Hours

Date & Time Span

index = "details" earliest=@d
index = "details" earliest=-1d@d
index = "details" earliest=@w0
index = "details" earliest=-60m
index = "details" earliest=-4h
index="details" earliest="08/06/2024:11:00:00" AND latest="08/08/2024:00:00:00"

Splunk Documentation

Update License to Free Version

Select Settings \ Licensing

Click on Change License Group

Select Free License