Evil_TTL> show | s

Splunk

Category:Tools -> Monitoring

Splunk Search Syntax

<search_entry> // basic search: match the keyword anywhere in the event

<search_entry_1> <search_entry_2> // logical AND (search terms on one line are implicitly ANDed)

<search_entry> | head 10 // limit the output to the first 10 results

<search_entry_1> OR <search_entry_2> // logical OR

(<search_entry_1> OR <search_entry_2>) AND <search_entry_3> // logical OR and AND combined; use parentheses to make precedence explicit

(<search_entry_1> OR <search_entry_2>) AND <search_entry_3> |
table src_ip,dest_ip,dest_port |
head 10 // arrange results in a table (Shift+Enter inserts a newline in the search bar; one pipe per line improves readability)

(<search_entry_1> OR <search_entry_2>) AND <search_entry_3> | table src_ip,dest_ip,dest_port | dedup src_ip | head 10 // arrange results in a table ("Statistics" tab) and keep only the first result per source IP address (every stage needs its own leading pipe)

<search_entry> | chart count by src_ip // hit count per source IP address ("Statistics" tab; "Visualization" tab renders it as a chart)

<search_entry> | timechart count by src_ip // hit count per source IP address bucketed over time, shown as a diagram in the "Visualization" tab


NOTE
To free search disk quota (the warning appears in the upper right corner), delete finished search jobs: Activity -> Jobs -> select the jobs -> Delete.

NOTE
If a search takes too long to return results, switch the search mode from Verbose Mode to Fast Mode; the mode selector is to the right of the Pause/Stop buttons. Fast Mode only extracts the fields the search actually references, so fields you did not name will be missing from the results.


Examples:

src_ip="1.2.3.4" | table generated_time,fw_name,src_zone,src_ip,dest_ip,dest_zone,dest_port,action,session_end_reason,rule

- all events from one source IP address, arranged in a table with the listed fields

rule=<rule_name> dest_port=<destination_port> | table _time,fw_name,host,src_ip,src_user,dest_ip,dest_port,rule | sort -_time

- filter by rule name and destination port and arrange results in a table with the most recent log entries first (sort -_time sorts descending)
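To see what each pipeline stage on this page actually does to a result set, the following added example emulates the SPL commands used above (implicit AND, OR, table, sort -_time, dedup, head, chart count by) in plain Python over a handful of constructed firewall events. It is an illustration written for this page, not Splunk code and not a Splunk API; the field names follow the firewall examples above, while the addresses, users, hosts and rule names are made up.

```python
"""Offline emulation of the SPL stages on this page, over constructed events.

Added illustration, not Splunk code: each function mirrors one SPL command so the
effect of every pipeline stage can be inspected without a Splunk instance.
"""
from collections import Counter
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events (ISO-8601 _time, so string order == chronological order).
EVENTS: List[Event] = [
    {"_time": "2024-05-01T10:00:01", "fw_name": "fw-edge-01", "host": "fw-edge-01",
     "src_ip": "10.1.1.5", "src_user": "alice", "dest_ip": "203.0.113.10",
     "dest_port": "443", "rule": "allow-web", "action": "allow"},
    {"_time": "2024-05-01T10:00:05", "fw_name": "fw-edge-01", "host": "fw-edge-01",
     "src_ip": "10.1.1.7", "src_user": "bob", "dest_ip": "203.0.113.10",
     "dest_port": "443", "rule": "allow-web", "action": "allow"},
    {"_time": "2024-05-01T10:00:09", "fw_name": "fw-edge-01", "host": "fw-edge-01",
     "src_ip": "10.1.1.5", "src_user": "alice", "dest_ip": "198.51.100.3",
     "dest_port": "22", "rule": "deny-ssh", "action": "deny"},
    {"_time": "2024-05-01T10:00:15", "fw_name": "fw-edge-02", "host": "fw-edge-02",
     "src_ip": "10.1.1.9", "src_user": "carol", "dest_ip": "203.0.113.11",
     "dest_port": "443", "rule": "allow-web", "action": "allow"},
    {"_time": "2024-05-01T10:00:20", "fw_name": "fw-edge-01", "host": "fw-edge-01",
     "src_ip": "10.1.1.5", "src_user": "alice", "dest_ip": "203.0.113.12",
     "dest_port": "443", "rule": "allow-web", "action": "allow"},
    {"_time": "2024-05-01T10:00:25", "fw_name": "fw-edge-02", "host": "fw-edge-02",
     "src_ip": "10.1.1.7", "src_user": "bob", "dest_ip": "198.51.100.3",
     "dest_port": "22", "rule": "deny-ssh", "action": "deny"},
]


def search(events: List[Event], **terms: str) -> List[Event]:
    """Search terms on one line are implicitly ANDed: `rule=deny-ssh dest_port=22`."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]


def search_or(events: List[Event], *alternatives: Dict[str, str]) -> List[Event]:
    """`(A OR B)`: keep an event if any one alternative term set matches it."""
    return [e for e in events
            if any(all(e.get(k) == v for k, v in alt.items()) for alt in alternatives)]


def table(events: List[Event], *fields: str) -> List[Event]:
    """`| table f1,f2,...`: keep only the named fields, in that order."""
    return [{f: e.get(f, "") for f in fields} for e in events]


def sort_desc(events: List[Event], field: str) -> List[Event]:
    """`| sort -field`: descending order; `sort -_time` puts the newest event first."""
    return sorted(events, key=lambda e: e[field], reverse=True)


def dedup(events: List[Event], field: str) -> List[Event]:
    """`| dedup field`: keep the first event seen per value, so input order matters.

    Splunk returns events newest-first by default, so `dedup src_ip` normally keeps
    the most recent event per source; running it after `sort -_time` makes that explicit.
    """
    seen, out = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            out.append(e)
    return out


def head(events: List[Event], n: int = 10) -> List[Event]:
    """`| head n`: first n results (the SPL default is 10)."""
    return events[:n]


def chart_count_by(events: List[Event], field: str) -> Dict[str, int]:
    """`| chart count by field`: hit count per distinct value of the field."""
    return dict(Counter(e[field] for e in events))


def recent_by_rule_and_port(rule: str, dest_port: str) -> List[Event]:
    """The page's second example: filter by rule and port, table the fields, newest first."""
    hits = search(EVENTS, rule=rule, dest_port=dest_port)
    cols = table(hits, "_time", "fw_name", "host", "src_ip", "src_user",
                 "dest_ip", "dest_port", "rule")
    return sort_desc(cols, "_time")


def latest_per_source(rule: str, dest_port: str, limit: int = 10) -> List[Event]:
    """`... | sort -_time | dedup src_ip | head limit`: newest event per source IP."""
    return head(dedup(recent_by_rule_and_port(rule, dest_port), "src_ip"), limit)


if __name__ == "__main__":
    for row in latest_per_source("allow-web", "443"):
        print(row["_time"], row["src_ip"], row["src_user"], "->", row["dest_ip"])
    print(chart_count_by(EVENTS, "src_ip"))
```

The point worth taking back to real SPL: dedup is order-sensitive, so the row it keeps depends on what came before it in the pipeline, and table drops every field you did not name, which is why a later stage that needs a field (for example dedup src_ip) must list it in the table or run before it.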

By privilege15