Splunk Search

Splunk Search Processing Language (SPL) allows users to perform searches and apply commands to retrieved events. There are three main types of searches: raw event searches that retrieve events without commands; transforming searches that apply statistical calculations to retrieved events; and generating searches that fetch or report information. Commands operate on search results and fall into three categories: streaming commands that act on each event; transforming commands that organize results into a table; and generating commands that fetch or report without transformations. When writing search queries, best practices include using uppercase for commands, enclosing fields with "-" in quotes, separating commands with "|", and avoiding internal keywords starting with "_".

Uploaded by Ashish Anand
Search Processing Language

• The Splunk Search Processing Language (SPL) encompasses all the search commands and their functions, arguments and clauses. Search commands tell Splunk Enterprise what to do to the events you retrieved from the indexes.

• Search commands consist of functions with their arguments, which specify how the command acts on your results and on which fields.

• E.g. you need to use a command to filter unwanted information, extract more information, evaluate new fields, calculate statistics, reorder your results, or create a chart.

2 26 February 2020
Types Of Searches

• Raw event searches are searches that just retrieve events from an index or indexes, and are typically used when you want to analyze a problem. These searches do not usually include search commands (except search itself), and the results are typically a list of raw events.

• Transforming searches are searches that perform some type of statistical calculation against a set of results. These are searches where you first retrieve events from an index and then pass the events into one or more search commands. These searches will always require fields and at least one of a set of statistical commands.
Types Of Commands

• Streaming commands operate on each event as the event is returned by a search. E.g. dedup, sort, eval, where, search, lookup, regex, etc.

• Transforming commands order the results into a data table, that is, they "transform" the specified cell values for each event into numerical values that Splunk can use for statistical purposes. E.g. chart, stats, timechart, top, etc.

• Generating commands are those that fetch information without any transformations. Generating commands are either event-generating (distributable or centralized) or report-generating. E.g. inputcsv, tstats, etc.
Precautions while writing search queries
• The Splunk commands are case insensitive, e.g. SEARCH/search, STATS/stats. (Best practice is to use uppercase letters for commands.)

• The field names are case sensitive, e.g. myfield and MyField are different fields.

• If a field name contains '-', enclose the field name in double quotes when using it, e.g. "my-field".

• Use the pipe '|' as the command separator, e.g. command1 | command2

• All keywords starting with '_' are internal Splunk keywords, e.g. _internal, _time
Streaming Commands

• SEARCH
Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline. When the search command is not the first command in the pipeline, the search is used to filter the results of the previous command and is referred to as a subsearch.
Syntax : [SEARCH] <logical-expression>
e.g. - "abc" OR "127.0.0.1" AND "xyz"
     - host=apache OR (ip="127.0.0.1" AND response=200)
     - (code=10 OR code=29) host!="localhost" xqp>5
     - ....... | SEARCH name="RAHUL"
Streaming Commands (continued)

• ADDINFO
Adds fields to each event that contain global, common information about the search. It adds the following fields to each event:
  info_min_time     The earliest time boundary for the search.
  info_max_time     The latest time boundary for the search.
  info_sid          The ID of the search that generated the event.
  info_search_time  The time when the search was run.
Syntax : ADDINFO
e.g. ....... | ADDINFO
Streaming Commands (continued)

• DEDUP
You can specify the number of duplicate events to keep for each value of a single field or multiple fields. For historical searches it keeps the most recent events (by time); for real-time searches it keeps the events that are received first (not necessarily the most recent ones).
Syntax : ....... | DEDUP [<int>] <field-list>
e.g. ......... | DEDUP 2 field1 field2

• RENAME
Use the rename command to rename a specified field or multiple fields. We can use wildcards for field names as well.
Syntax : ..... | RENAME field1 AS "new name"
e.g. ..... | RENAME ip AS "IP_ADDRESS", abc* AS xyz*
Streaming Commands (continued)

• TABLE
The table command lets you specify the fields you want to keep in your results. Use the table command when you want to retain data in tabular format. (Wildcards are allowed in field names.)
Syntax : ...... | TABLE <field-list>
e.g. .... | TABLE field1, field2, field3

• FIELDS
Keeps (+) or removes (-) fields from search results based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed. If neither is specified, defaults to +.
Syntax : ..... | FIELDS [+|-] <field-list>
e.g. ..... | FIELDS - field1, field*
Streaming Commands (continued)

• RANGEMAP
Categorizes the values in a numeric field. The command adds a new field called range to each event and displays the category in the range field. The values in the range field are based on the numeric ranges that you specify. If no range is matched, the range value is set to the default value.
Syntax : ...... | RANGEMAP FIELD=<fieldname> <attribute_name>=<numeric_range>... <default>=<string>
e.g. ......... | RANGEMAP FIELD=count low=0-10 medium=11-20 default=high

• STRCAT
Concatenates string values from 2 or more fields. Combines together string values and literals into a new field. A destination field name is specified at the end of the strcat command.
Syntax : ......... | STRCAT <source-fields> <destination-field>
e.g. ..... | STRCAT host "::" port address
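As an added illustration (not code from the slides or from Splunk), the following Python models the DEDUP, RANGEMAP, STRCAT and FILLNULL commands described above and runs the slides' own example arguments over constructed sample events, so the effect of each command on a result set can be seen; the event values and field names are assumptions.

```python
"""Python model of the DEDUP, RANGEMAP, STRCAT and FILLNULL commands from the
slides above. Added illustration, not Splunk code; events are constructed data."""
from collections import defaultdict

EVENTS = [  # constructed sample events (a historical search returns newest first)
    {"_time": 1700000300, "host": "web1", "port": "443", "count": 25},
    {"_time": 1700000200, "host": "web1", "port": "443", "count": 7},
    {"_time": 1700000100, "host": "web2", "port": "80", "count": 11},
    {"_time": 1700000000, "host": "web1", "port": "443", "count": 10},
    {"_time": 1699999900, "host": "web2", "port": "80"},  # count is missing
]

def dedup(events, n, fields):
    """DEDUP <n> <field-list>: keep at most n events per distinct combination
    of the listed fields; newest first, so the most recent ones survive."""
    seen, kept = defaultdict(int), []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        key = tuple(ev.get(f) for f in fields)
        if seen[key] < n:
            seen[key] += 1
            kept.append(ev)
    return kept

def rangemap(events, field, ranges, default):
    """RANGEMAP FIELD=<f> name=lo-hi ... default=<s>: add a 'range' field naming
    the first inclusive range the value falls in; no match (or no value) -> default."""
    parsed = [(name, *map(float, spec.split("-"))) for name, spec in ranges.items()]
    for ev in events:
        val = ev.get(field)
        ok = [n for n, lo, hi in parsed if isinstance(val, (int, float)) and lo <= val <= hi]
        ev["range"] = ok[0] if ok else default
    return events

def strcat(events, *args):
    """STRCAT <source-fields> <dest-field>: last arg is the destination; sources are field names or "quoted" literals."""
    *sources, dest = args
    for ev in events:
        ev[dest] = "".join(s[1:-1] if s.startswith('"') else str(ev.get(s, ""))
                           for s in sources)
    return events

def fillnull(events, value=0, fields=None):
    """FILLNULL VALUE=<v> [field-list]: fill missing values (default 0); no field list = every field seen."""
    for ev in events:
        for f in fields or sorted({k for e in events for k in e}):
            ev.setdefault(f, value)
    return events

def pipeline(events=EVENTS):
    """... | DEDUP 2 host port | RANGEMAP FIELD=count low=0-10 medium=11-20 default=high
    | STRCAT host "::" port address | FILLNULL VALUE=0 count"""
    evs = dedup(events, 2, ["host", "port"])
    evs = rangemap(evs, "count", {"low": "0-10", "medium": "11-20"}, "high")
    evs = strcat(evs, "host", '"::"', "port", "address")
    return fillnull(evs, 0, ["count"])
```

The third web1:443 event (the oldest) is dropped by DEDUP 2, and the event without a count lands in the default range and is then filled with 0.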
Streaming Commands (continued)

• EVAL
Calculates an expression and puts the resulting value into a destination field. If this destination field matches a field name that already exists, it overwrites the existing field value with the results of the eval expression. The eval command evaluates mathematical, string, and boolean expressions.
Syntax : ........ | EVAL <field>=<expression>
where expression is a combination of values, variables, operators, and functions.
e.g. ......... | EVAL result=10+20+30
Supported Operators :
  Arithmetic : + - * / %
  Concatenation : .
  Boolean : AND OR NOT XOR < > <= >= != = == LIKE
Streaming Commands (continued)
EVAL FUNCTIONS (function : description, followed by example(s)) :

• case(X,"Y",...) : This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that will be evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument will be returned. The function defaults to NULL if none are true.
e.g. This example returns descriptions for the corresponding HTTP status code: ... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

• if(X,Y,Z) : This function takes three arguments. The first argument X must be a Boolean expression. If X evaluates to TRUE, the result is the second argument Y. If X evaluates to FALSE, the result evaluates to the third argument Z.
e.g. This example looks at the values of error and returns err=OK if error=200, otherwise returns err=Error: ... | eval err=if(error == 200, "OK", "Error")

• like(TEXT, PATTERN) : This function takes two arguments, a string to match TEXT and a match expression string PATTERN. It returns TRUE if and only if the first argument is like the SQLite pattern in PATTERN. The pattern language supports exact text match, as well as % characters for wildcards and _ characters for a single character match.
e.g. This example returns islike=TRUE if the field value starts with foo: ... | eval is_a_foo=if(like(field, "foo%"), "yes a foo", "not a foo") or ... | where like(field, "foo%")

• match(SUBJECT, "REGEX") : This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value. It returns true if REGEX can find a match against any substring of SUBJECT.
e.g. This example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Note that the example uses ^ and $ to perform a full match. ... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)
Streaming Commands (continued)

• now() : This function takes no arguments and returns the time that the search was started. The time is represented in Unix time or in seconds since Epoch time.

• relative_time(X,Y) : This function takes an epochtime time, X, as the first argument and a relative time specifier, Y, as the second argument and returns the epochtime value of Y applied to X.
e.g. ... | eval n=relative_time(now(), "-1d@d")

• strftime(X,Y) : This function takes an epochtime value, X, as the first argument and renders it as a string using the format specified by Y.
e.g. This example returns the hour and minute from the _time field: ... | eval n=strftime(_time, "%H:%M")

• time() : This function returns the wall-clock time with microsecond resolution. The value of time() will be different for each event based on when that event was processed by the eval command.

• tonumber(NUMSTR,BASE), tonumber(NUMSTR) : This function converts the input string NUMSTR to a number, where BASE is optional and used to define the base of the number to convert to. BASE can be 2 to 36, and defaults to 10. If tonumber cannot parse a field value to a number, the function returns NULL. If tonumber cannot parse a literal string to a number, it returns an error.
e.g. This example returns "164": ... | eval n=tonumber("0A4",16)
Streaming Commands (continued)

• max(X,...) : This function takes an arbitrary number of numeric or string arguments, and returns the max; strings are greater than numbers.
e.g. This example returns either "foo" or field, depending on the value of field: ... | eval n=max(1, 3, 6, 7, "foo", field)

• min(X,...) : This function takes an arbitrary number of numeric or string arguments, and returns the min; strings are greater than numbers.
e.g. This example returns either 1 or field, depending on the value of field: ... | eval n=min(1, 3, 6, 7, "foo", field)

• random() : This function takes no arguments and returns a pseudo-random integer ranging from zero to 2^31-1, for example: 0...2147483647

• len(X) : This function returns the character length of a string X.
e.g. ... | eval n=len(field)

• lower(X) : This function takes one string argument and returns the lowercase version. The upper() function also exists for returning the uppercase version.
e.g. This example returns the value provided by the field username in lowercase: ... | eval username=lower(username)

• upper(X) : This function takes one string argument and returns the uppercase version. The lower() function also exists for returning the lowercase version.
e.g. This example returns the value provided by the field username in uppercase: ... | eval n=upper(username)
Streaming Commands (continued)

• isbool(X) : This function takes one argument X and returns TRUE if X is Boolean.
e.g. ... | eval n=if(isbool(field),"yes","no") or ... | where isbool(field)

• isint(X) : This function takes one argument X and returns TRUE if X is an integer.
e.g. ... | eval n=if(isint(field), "int", "not int") or ... | where isint(field)

• isnotnull(X) : This function takes one argument X and returns TRUE if X is not NULL. This is a useful check for whether or not a field (X) contains a value.
e.g. ... | eval n=if(isnotnull(field),"yes","no") or ... | where isnotnull(field)

• isnull(X) : This function takes one argument X and returns TRUE if X is NULL.
e.g. ... | eval n=if(isnull(field),"yes","no") or ... | where isnull(field)

• isnum(X) : This function takes one argument X and returns TRUE if X is a number.
e.g. ... | eval n=if(isnum(field),"yes","no") or ... | where isnum(field)

• isstr(X) : This function takes one argument X and returns TRUE if X is a string.
e.g. ... | eval n=if(isstr(field),"yes","no") or ... | where isstr(field)

• typeof(X) : This function takes one argument and returns a string representation of its type.
e.g. This example returns "NumberStringBoolInvalid": ... | eval n=typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)
Streaming Commands (continued)

• abs(X) : This function takes a number X and returns its absolute value.
e.g. This example returns absnum, whose values are the absolute values of the numeric field number: ... | eval absnum=abs(number)

• ceil(X), ceiling(X) : This function rounds a number X up to the next highest integer.
e.g. This example returns n=2: ... | eval n=ceil(1.9)

• exact(X) : This function renders the result of a numeric eval calculation with a larger amount of precision in the formatted output.
e.g. ... | eval n=exact(3.14 * num)

• exp(X) : This function takes a number X and returns the exponential function e^X.
e.g. The following example returns y=e^3: ... | eval y=exp(3)

• floor(X) : This function rounds a number X down to the nearest whole integer.
e.g. This example returns 1: ... | eval n=floor(1.9)

• ln(X) : This function takes a number X and returns its natural log.
e.g. This example returns the natural log of the values of bytes: ... | eval lnBytes=ln(bytes)

• log(X,Y), log(X) : This function takes either one or two numeric arguments and returns the log of the first argument X using the second argument Y as the base. If the second argument Y is omitted, this function evaluates the log of number X with base 10.
e.g. ... | eval num=log(number,2)

• pi() : This function takes no arguments and returns the constant pi to 11 digits of precision.
e.g. ... | eval area_circle=pi()*pow(radius,2)

• pow(X,Y) : This function takes two numeric arguments X and Y and returns X^Y.
e.g. ... | eval area_circle=pi()*pow(radius,2)

• round(X,Y) : This function takes one or two numeric arguments X and Y, returning X rounded to the amount of decimal places specified by Y. The default is to round to an integer.
e.g. This example returns n=4: ... | eval n=round(3.5)
     This example returns n=2.56: ... | eval n=round(2.555, 2)

• sqrt(X) : This function takes one numeric argument X and returns its square root.
e.g. This example returns 3: ... | eval n=sqrt(9)
Streaming Commands (continued)

• ltrim(X,Y), ltrim(X) : This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are removed.
e.g. This example returns x="abcZZ": ... | eval x=ltrim(" ZZZZabcZZ ", " Z")

• rtrim(X,Y), rtrim(X) : This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are removed.
e.g. This example returns n="ZZZZabc": ... | eval n=rtrim(" ZZZZabcZZ ", " Z")

• split(X,"Y") : This function takes two arguments, field X and delimiting character Y. It splits the value(s) of X on the delimiter Y and returns X as a multivalue field.
e.g. ... | eval n=split(foo, ";")

• substr(X,Y,Z) : This function takes either two or three arguments, where X is a string and Y and Z are numeric. It returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not given, it returns the rest of the string. The indexes follow SQLite semantics; they start at 1. Negative indexes can be used to indicate a start from the end of the string.
e.g. This example concatenates "str" and "ing" together, returning "string": ... | eval n=substr("string", 1, 3) + substr("string", -3)

• trim(X,Y), trim(X) : This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are removed.
e.g. This example returns "abc": ... | eval n=trim(" ZZZZabcZZ ", " Z")
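To make the string and type semantics in the eval function tables above concrete, here is an added Python model (not Splunk's code) of like, match, substr, ltrim/rtrim/trim and tonumber that behaves as the slides describe and reproduces their examples; IP_RE is the slides' own IP pattern, and the case-sensitive LIKE matching is an assumption of this model.

```python
"""Python model of eval functions from the slides above: like, match, substr,
ltrim/rtrim/trim and tonumber. Added illustration, not Splunk code; the
semantics follow the slide text and its examples."""
import re

IP_RE = r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"  # the slides' anchored IP pattern

def like(text, pattern):
    """like(TEXT, PATTERN): '%' matches any run of characters, '_' exactly one,
    everything else literally. Matched case-sensitively in this model (assumption)."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, str(text), re.DOTALL) is not None

def match(subject, regex):
    """match(SUBJECT, "REGEX"): true if REGEX matches any substring of SUBJECT,
    which is why a whole-value check needs the ^ and $ anchors as in IP_RE."""
    return re.search(regex, str(subject)) is not None

def substr(x, y, z=None):
    """substr(X,Y,Z): SQLite indexing, 1-based; a negative Y counts from the end
    of the string; without Z the rest of the string is returned."""
    start = y - 1 if y > 0 else max(len(x) + y, 0)
    return x[start:] if z is None else x[start:start + z]

def ltrim(x, y=" \t"):
    """ltrim(X,Y): strip any characters of Y from the left (default: spaces and tabs)."""
    return x.lstrip(y)

def rtrim(x, y=" \t"):
    """rtrim(X,Y): same as ltrim, but from the right side."""
    return x.rstrip(y)

def trim(x, y=" \t"):
    """trim(X,Y): strip the characters of Y from both sides."""
    return x.strip(y)

def tonumber(numstr, base=10, literal=False):
    """tonumber(NUMSTR,BASE): BASE 2..36, default 10. An unparseable field value
    yields NULL (None here); an unparseable literal (literal=True) is an error."""
    if not 2 <= base <= 36:
        raise ValueError("BASE must be between 2 and 36")
    try:
        return int(str(numstr), base) if base != 10 else float(numstr)
    except ValueError:
        if literal:
            raise
        return None
```

Note that IP_RE only checks the shape of an address (999.999.999.999 also matches), so it is a format filter, not a validator.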
Streaming Commands (continued)

• REPLACE
Replaces field values with the values that you specify.
Syntax : ...... | REPLACE "string1" WITH "string2" IN field_name1, field_name2
e.g. ..... | REPLACE aug WITH august IN month

• FILLNULL
Replaces null values with a specified value. If no value or field list is given, FILLNULL replaces all null values with 0 in all fields.
Syntax : ...... | FILLNULL VALUE="string" [field-list]
e.g. ... | FILLNULL VALUE=NULL field1
Streaming Commands (continued)

• HEAD
Returns the first N results in search order. By default returns 10 results.
Syntax : ..... | HEAD [<int>]
e.g. ..... | HEAD 20

• TAIL
Returns the last N results. By default returns the last 10 results.
Syntax : ...... | TAIL [<int>]
e.g. ..... | TAIL 20

• REVERSE
Reverses the order of the results.
Syntax : ....... | REVERSE
e.g. ..... | REVERSE
Streaming Commands (continued)

• WHERE
The where command uses eval expressions to filter search results. The search keeps only the results for which the evaluation was successful. This command can use all the evaluation functions, such as if, ifnull, isbool, isint, isnotnull, isnull, isnum, isstr, len, like, ln, log, lower, ltrim, match.
Syntax : ....... | WHERE <eval-expression>
e.g. ...... | WHERE host="localhost"
     ...... | WHERE host LIKE "local%"