
Splunk Search Tips & Tables

Splunk Search Query Tips:

  • Search strings support wildcards such as *

  • dc stands for distinct count, similar to COUNT(DISTINCT) in SQL

  • The dedup command returns unique results, similar to DISTINCT in SQL

  • Click on Fields in the left column to select a subset of the data

  • Field names and syntax are case sensitive; data values are not

  • To filter faster, use explicit statements (index, sourcetype, EventCode) to narrow the dataset before other commands run

    • index="windows" sourcetype="WinEventLog:Security" EventCode=4728

  • Use the fields command to declare which fields are kept

    • | Fields Account_Name, Group_Name, ComputerName, Keywords, Date, Time, EventCode

  • Use the table command to format the output as a table

    • | Table Account_Name, Group_Name, ComputerName, Keywords, Date, Time, EventCode

Splunk Search Interface

  • Pressing "Shift and Enter" allows for multi-line entries in the search bar.

  • Press "CTRL \" to auto format your query

  • Press "CTRL SHIFT E" to open the query in a new window and select "Open as New Search"

  • Click on your account name in the top menu and select Preferences | SPL Editor to customize the look

  • On the right you can select the Fast, Smart or Verbose search mode to match your needs

  • Down the right side of the results, items are marked with "a" and "#" to represent alpha or numeric fields

Splunk Search Formatting

  • To format the timestamp as a time, use strftime with eval

    • | eval Time=strftime(_time, "%H:%M:%S")

  • To format the timestamp as a date, use strftime with eval

    • | eval Date=strftime(_time, "%m-%d-%Y")

  • Use rename to rename a table column header

    • | rename ComputerName As "Source Server"
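The dc, strftime and rename tips above can also be combined into a summary table instead of a row-per-event listing. The query below is an added example, not one of the page's own queries: it uses the page's index and sourcetype names and its mvindex(Account_Name,1) convention for the target account in 4625 events; the threshold of 5 failures is an assumed starting point to tune for your environment.

```spl
index="windows" sourcetype="WinEventLog:Security" EventCode=4625
| eval Account_Name=mvindex(Account_Name,1)
| stats count AS Failures, dc(ComputerName) AS Distinct_Servers, values(ComputerName) AS Server_List, min(_time) AS First, max(_time) AS Last BY Account_Name
| where Failures >= 5
| eval First_Seen=strftime(First, "%m-%d-%Y %H:%M:%S"), Last_Seen=strftime(Last, "%m-%d-%Y %H:%M:%S")
| sort - Failures
| rename Account_Name AS "Account", Distinct_Servers AS "Distinct Servers", Server_List AS "Server List", First_Seen AS "First Seen", Last_Seen AS "Last Seen"
| table Account, Failures, "Distinct Servers", "Server List", "First Seen", "Last Seen"
```

Press "CTRL \" in the search bar to lay the query out one command per line; an account with many failures spread over many distinct servers is the row to review first, which the per-event table later on the page does not surface directly.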

Search & Reporting: Some Tips in Action

Query-Full.JPG
colors.jpg

AD Account Login Failure Table

index="windows" sourcetype="WinEventLog:Security" EventCode=4625
| eval Account_Name=mvindex(Account_Name,1) 
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| Fields Account_Name, ComputerName, Keywords, Date, Time, EventCode
| Table  Account_Name, ComputerName, Keywords, Date, Time, EventCode
| rename Account_Name as "Account" 
| rename ComputerName As "Source Server" 
| rename Keywords As "Logon Result" 
| rename EventCode As "Event ID"

Table-Account-Lockout.JPG

File and Folder Audit Table

index="splunkserver" sourcetype="WinEventLog:Security" EventCode=4663 Accesses="Delete"
| eval Account_Name=mvindex(Account_Name,0) 
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| Fields Account_Name, Object_Name, ComputerName, Keywords, Date, Time, EventCode
| Table  Account_Name, Object_Name, ComputerName, Keywords, Date, Time, EventCode
| rename Account_Name as "Account" 
| rename ComputerName As "Source Server" 
| rename Keywords As Result 
| rename EventCode As "Event ID"
| rename Object_Name As "File Deleted"

Table-File-Folder.JPG

AD Group Modified Table

index="windows" sourcetype="WinEventLog:Security" EventCode=4728
| eval Account_Name=mvindex(Account_Name,1) 
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| Fields Account_Name, Group_Name, ComputerName, Keywords, Date, Time, EventCode
| Table  Account_Name, Group_Name, ComputerName, Keywords, Date, Time, EventCode
| rename Account_Name as "Account" 
| rename Group_Name As "Modified Group" 
| rename ComputerName As "Source Server" 
| rename Keywords As Result 
| rename EventCode As "Event ID"

Table-Group-Modified.JPG

Below are some queries using the tips above and the resulting tables, covering Windows Security event IDs and File and Folder Auditing event IDs.

AD Account Created Table

index="windows" sourcetype="WinEventLog:Security" EventCode=4720
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| Fields Display_Name, ComputerName, Keywords, Date, Time, EventCode
| Table  Display_Name, ComputerName, Keywords, Date, Time, EventCode
| rename Display_Name As "Account Created" 
| rename ComputerName As "Source Server" 
| rename Keywords As Result

Table-Account-Created.JPG

AD Account Removed from Group Table

index="windows" sourcetype="WinEventLog:Security" EventCode=4729
| eval Account_Name=mvindex(Account_Name,1) 
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| Fields Account_Name, Group_Name, ComputerName, Keywords, Date, Time, EventCode
| Table  Account_Name, Group_Name, ComputerName, Keywords, Date, Time, EventCode
| rename Account_Name as "Account" 
| rename Group_Name As "Modified Group"
| rename ComputerName As "Source Server" 
| rename Keywords As Result 
| rename EventCode As "Event ID"

Table-Account-Removed.JPG

AD Group Created Table

index="windows" sourcetype="WinEventLog:Security" EventCode=4727
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| Fields Group_Name, ComputerName, Keywords, Date, Time, EventCode
| Table  Group_Name, ComputerName, Keywords, Date, Time, EventCode
| rename Group_Name As "Group Created" 
| rename ComputerName As "Source Server" 
| rename Keywords As Result

Table-Group-Created.JPG