Splunk Search Syntax
<search_entry> // basic search to match the keyword
<search_entry_1> <search_entry_2> // logical AND
<search_entry> | head 10 // limit number of results down to 10
<search_entry_1> OR <search_entry_2> // logical OR
(<search_entry_1> OR <search_entry_2>) AND <search_entry_3> // logical OR and AND
(<search_entry_1> OR <search_entry_2>) AND <search_entry_3> |
table src_ip,dest_ip,dest_port |
head 10 // arrange results in a table (use Shift+Enter for new lines and better readability)
(<search_entry_1> OR <search_entry_2>) AND <search_entry_3> | table src_ip,dest_ip,dest_port | dedup src_ip | head 10 // arrange results in a table ("Statistics" Tab) and remove duplicate source IP addresses
| chart count by src_ip // count events per source IP address and display the result as a chart
| timechart count by src_ip // count events per source IP address over time; shown in the "Visualization" tab
NOTE
To delete stored search results (job artifacts) and free up space, go to Activity -> Jobs (upper right corner), select the jobs to delete and click the Delete button
NOTE
If a search takes too long to return results after you hit the Search button, try changing the search mode from Verbose Mode to Fast Mode. The mode selector is to the right of the Pause/Stop buttons
Examples:
src_ip="1.2.3.4" | table generated_time,fw_name,src_zone,src_ip,dest_ip,dest_zone,dest_port,action,session_end_reason,rule
- arrange results in a table
rule=<rule_name> dest_port=<destination_port> | table _time,fw_name,host,src_ip,src_user,dest_ip,dest_port,rule | sort -_time
- filter by rule name and destination port and arrange the results in a table, sorted by _time descending so the most recent log entries come first
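An added worked search (not part of the original cheatsheet) that combines the pieces above into a triage query for the same firewall fields: it lists source IPs that were denied on many distinct destination ports in the last 24 hours, which is a common indicator worth reviewing. The index name firewall, the action value deny and the threshold of 20 ports are assumptions; stats, where and sort are standard SPL commands.

```spl
index=firewall action=deny earliest=-24h
| stats count AS deny_count, dc(dest_port) AS distinct_ports, values(dest_port) AS ports BY src_ip, dest_ip
| where distinct_ports >= 20
| sort -distinct_ports
| table src_ip, dest_ip, deny_count, distinct_ports, ports
| head 10
```

Replace the last three lines with `| timechart count BY src_ip` on the filtered events to see when the denied connections occurred in the "Visualization" tab.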
By privilege15