We have already published articles on Splunk deployment and configuration, architecture, and features. One Splunk component is the Search Head, where analysts run Search Processing Language (SPL) queries against indexed logs. A handful of search operators come up in nearly every daily investigation, and many of them also appear in alert rules. The five covered here do most of the work when searching logs.
Five Golden Search Commands:
Most of these are the same operators we have used since school mathematics, and they appear in almost every query language. In SPL they are:
- Field-value pair matching
- Using boolean and comparison operators
- Using the IN operator
- Using wildcards
- Using the NOT or != comparisons
Field-value pair matching:
A field-value pair such as src_ip=180.18.19.1 matches events whose src_ip field holds exactly that value. Pairs are combined with the AND and OR operators; a plain space between two terms is an implicit AND.
Examples:
Sample values: src_ip = 180.18.19.1 ; dest_ip = 181.1.1.1
- The query below returns events that contain either the source IP or the destination IP.
Query:
| search src_ip=180.18.19.1 OR dest_ip=181.1.1.1
- The queries below return only events that contain both the source IP and the destination IP.
Query:
| search src_ip=180.18.19.1 AND dest_ip=181.1.1.1
| search src_ip=180.18.19.1 dest_ip=181.1.1.1 (the space between the two terms is an implicit AND, so this is equivalent to the query above)
Using boolean and comparison operators:
As mentioned above, the operators used most often are:
- AND
- OR
- =
- >
- <
Examples:
- The query below returns the failed logon events (Windows Event ID 4625) for the user "anu". In a where clause the value must be quoted; an unquoted anu would be read as the name of another field.
Query:
| search Event_id=4625 | where user="anu"
- The query below counts failed logons per user and keeps only the users with more than 5 failures.
Query:
| search Event_id=4625 | stats count by user | where count>5
Using the IN operator:
The IN operator is shorthand for a chain of OR clauses on a single field: field IN (a, b) is the same as field=a OR field=b.
Example:
- The query below returns successful logons (Event ID 4624) on host Desktop-Richard with logon type 2 (interactive) or 3 (network).
Query:
| search Event_id=4624 host=Desktop-Richard | where logon_type IN (2,3)
Using wildcards:
Wildcards are useful whenever the full field value is not known. The asterisk (*) matches any run of characters, so a partial value can still be matched.
Example:
- The query below returns events whose user_name begins with the letter p.
Query:
| search user_name=p*
Using the NOT or != comparisons:
The NOT operator excludes events that match a term, narrowing the results to exactly what is needed. NOT field=value and field!=value are not interchangeable: NOT also keeps events in which the field is absent, while != keeps only events that carry the field with a different value. This matters in detection rules, because an event with a missing field is either kept or dropped depending on which form is used.
Example:
- The query below returns failed logons except those whose user_name begins with p. The where command does not support wildcards, so the exclusion belongs in the search command.
Query:
| search Event_id=4625 NOT user_name=p*
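To make the behaviour of these five operators concrete, here is an added example (not code from the original article or from Splunk): a small Python evaluator that models implicit AND, OR, IN, wildcard matching, and the NOT versus != distinction over a handful of constructed Windows-style logon events. The event dictionaries, field names, and the use of a missing user_name field on the last event are assumptions chosen to show the edge case; the stats example is modelled by a simple per-user count with a threshold.

```python
"""Added example: a toy model of Splunk search-operator semantics.
Not Splunk code; the events below are constructed, not real logs."""
import fnmatch
from collections import Counter

# Constructed sample events (assumption). The last event has no user_name
# field at all, as happens when field extraction fails for one log format.
EVENTS = [
    {"Event_id": "4625", "user_name": "anu",   "src_ip": "180.18.19.1", "logon_type": "2"},
    {"Event_id": "4625", "user_name": "peter", "src_ip": "10.0.0.5",    "logon_type": "3"},
    {"Event_id": "4624", "user_name": "paul",  "src_ip": "180.18.19.1", "logon_type": "10"},
    {"Event_id": "4625", "user_name": "anu",   "src_ip": "10.0.0.7",    "logon_type": "3"},
    {"Event_id": "4625",                       "src_ip": "10.0.0.9",    "logon_type": "3"},
]


def matches(event, field, pattern):
    """One field=value term as the search command evaluates it: the value
    comparison is case-insensitive and accepts * wildcards; an event that
    lacks the field never matches."""
    if field not in event:
        return False
    return fnmatch.fnmatchcase(str(event[field]).lower(), pattern.lower())


def search_and(events, terms):
    """Implicit AND: every (field, pattern) term must match (a space between
    two terms in SPL means AND)."""
    return [e for e in events if all(matches(e, f, p) for f, p in terms)]


def search_or(events, terms):
    """Explicit OR: any one term may match."""
    return [e for e in events if any(matches(e, f, p) for f, p in terms)]


def search_in(events, field, values):
    """field IN (v1, v2, ...) is shorthand for field=v1 OR field=v2 ..."""
    return search_or(events, [(field, v) for v in values])


def search_not(events, field, pattern):
    """NOT field=value keeps every event that fails the term, including
    events that do not carry the field at all."""
    return [e for e in events if not matches(e, field, pattern)]


def search_ne(events, field, pattern):
    """field!=value keeps events that have the field with a non-matching
    value; events without the field are dropped."""
    return [e for e in events if field in e and not matches(e, field, pattern)]


def failed_logins_over(events, threshold):
    """Models: search Event_id=4625 | stats count by user_name | where count>threshold.
    Events with no user_name field fall out of the stats grouping."""
    failed = search_and(events, [("Event_id", "4625")])
    counts = Counter(e["user_name"] for e in failed if "user_name" in e)
    return {user: n for user, n in counts.items() if n > threshold}


if __name__ == "__main__":
    failed = search_and(EVENTS, [("Event_id", "4625")])
    print("failed logons:", len(failed))
    print("NOT user_name=p*:", len(search_not(failed, "user_name", "p*")))
    print("user_name!=p*:", len(search_ne(failed, "user_name", "p*")))
    print("users over 1 failure:", failed_logins_over(EVENTS, 1))
```

Run it and note that NOT user_name=p* keeps the event with no user_name while user_name!=p* drops it; a rule written with != would silently miss that event, which is the reason to prefer NOT when the field may be absent.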
Stay tuned for the list of commonly used Splunk commands…