WEEK_2 · DAY_10 · 1 HOUR
SPL — Search Processing Language (Beginner)
search · stats · table · top · rare · fields · sort · where
Learning Objectives
- Write efficient base searches
- Aggregate with stats, top, rare
- Filter with where vs search
- Format output with table and fields
Module 1 — Anatomy of a Search
Base filter (index/sourcetype/host) → pipe → transforming command → pipe → formatting.
Faster searches put filters in the base — index-time fields are 10× faster than search-time.
Module 2 — Core Commands
search — filter rows. stats — aggregate. table — pick columns. fields — pick columns earlier (faster).
top / rare — quick frequency. sort — order. dedup — keep unique.
Module 3 — search vs where
search runs against indexed data and the raw event text; it supports wildcards on raw text and field=value terms, and it can be used as the base search (before the first pipe) as well as later in the pipeline.
where evaluates an expression on extracted or calculated fields; it supports comparisons (>, <, !=), field-to-field comparisons, and functions such as like(), so it is the tool for filtering after stats has produced new fields.
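Two queries that show the split described above, written for this page as an added example (not taken from the course material). The first relies on search: a wildcard on a field value and a free-text term matched against the raw event, applied in the base so the indexer does the filtering. The second relies on where: a comparison between two fields that stats has just created, plus a like() pattern, neither of which search can express. The index name fw and the fields src_ip, dest_port, action, bytes_in and bytes_out are assumptions about the firewall sourcetype, chosen to match the fields used elsewhere on this page.

```spl
index=fw action=blocked src_ip=10.0.0.* "*.exe"
| stats count by src_ip, dest_port
| sort - count

index=fw
| fields src_ip bytes_in bytes_out
| stats sum(bytes_out) as total_out, sum(bytes_in) as total_in by src_ip
| where total_out > total_in * 10 AND like(src_ip, "10.0.%")
| sort - total_out
```

In the second query the comparison total_out > total_in * 10 is only possible with where, because both operands are fields that did not exist in the indexed data. The fields command before stats keeps just the three fields the aggregation needs, which is the "pick columns earlier" idea from Module 2.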
SPL Queries
Top failed users
index=wineventlog EventCode=4625 | stats count by Account_Name | sort - count | head 10
// Most-attacked accounts.
Rare process names
index=sysmon EventCode=1 | rare limit=20 Image
// Long-tail = anomalies often live here.
Filter post-aggregation
index=fw | stats sum(bytes_out) as out by src_ip | where out > 1073741824
// Hosts shipping > 1 GB outbound.
Lab 10 — Five Beginner Queries
- In Splunk → Search, write: top 10 source IPs.
- Write: rare destination ports.
- Write: failed logons by user, count > 10.
- Write: total bytes out per host, sorted descending.
- Save each as a Report.
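One way to write the four lab queries, added here as a worked example rather than the course's own answer key. The index names fw and wineventlog and the fields src_ip, dest_port, bytes_out and Account_Name are assumptions that follow the conventions used in the SPL Queries section above; substitute the names from your own sourcetypes.

```spl
index=fw
| top limit=10 src_ip

index=fw
| rare limit=20 dest_port

index=wineventlog EventCode=4625
| stats count by Account_Name
| where count > 10
| sort - count

index=fw
| fields src_ip bytes_out
| stats sum(bytes_out) as total_out by src_ip
| sort - total_out
| table src_ip total_out
```

Each query follows the Module 1 shape: base filter on index (and EventCode where it applies), then a transforming command, then formatting. top and rare already return count and percent columns, so they need no stats of their own; the failed-logon query uses where rather than search because count is a field created by stats, not text in the indexed event. Once each query returns the expected rows, use Save As → Report to keep it, as the last lab step asks.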
Key Takeaways
- Push filters into the base search (10× speed)
- stats by is the analyst's everyday tool
- search vs where: text vs evaluated expression