WEEK_2 · DAY_11 · 1 HOUR

SPL — Advanced (eval · rex · lookup · tstats · transaction)

Power tools that turn an analyst into a hunter

Splunk Lab

Learning Objectives

  • Use eval for case logic, math, type conversion
  • Extract with rex regex
  • Enrich with lookup
  • Accelerate with tstats on data models
  • Stitch sessions with transaction & streamstats

Module 1 — eval — The Swiss Army Knife

eval risk = case(urgency=="critical",100, urgency=="high",50, urgency=="medium",25, 1=1,10)

case() walks its condition/value pairs in order and returns the value of the first condition that is true. With no match it returns null, not zero, so the trailing 1=1 (or true()) branch is the default that keeps unscored events at 10 instead of dropping them from a later sum().

eval also covers math, string functions (lower, substr, replace), type conversion (tonumber, tostring) and null handling (coalesce, isnull), alongside the conditionals case and if.

Module 2 — rex — Regex Extraction

rex field=_raw "user=(?<user>\w+)\s+ip=(?<src_ip>[\d.]+)" extracts fields on the fly with named capture groups, without touching props.conf. field=_raw is the default, and the extraction is search-time only: it exists for that search alone, so tighten the regex (anchors, bounded character classes) before promoting it to an EXTRACT stanza in props.conf.

Module 3 — lookup — Enrichment

lookup assets ip AS src_ip OUTPUT hostname, owner, criticality matches the lookup's ip column against the event's src_ip and appends the named columns; events with no match simply get no new fields. OUTPUTNEW instead of OUTPUT leaves already-populated fields untouched.

Lookups can be CSV, KV store, or external scripted.
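The three modules above carried out in Python over constructed events, as an added example rather than code from the course: named capture groups stand in for rex, a dictionary lookup with a default stands in for case(), and a dictionary keyed on ip plays the assets lookup, finishing with the per-entity sum and threshold from the risk pipeline. The event lines, the assets table and the optional urgency= group are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): each line carries the user=/ip= pair that the
# Module 2 rex pattern expects, plus an urgency= field for the Module 1 case() scoring.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z user=alice ip=10.1.1.5 urgency=high msg=failed login",
    "2024-05-01T10:00:05Z user=alice ip=10.1.1.5 urgency=critical msg=new admin token",
    "2024-05-01T10:01:07Z user=bob ip=10.1.2.9 urgency=low msg=password reset",
    "2024-05-01T10:02:10Z user=carol ip=10.1.3.3 urgency=medium msg=mfa bypass attempt",
    "2024-05-01T10:02:15Z user=carol ip=10.1.3.3 urgency=medium msg=mfa bypass attempt",
    "2024-05-01T10:02:20Z user=carol ip=10.1.3.3 urgency=high msg=privilege change",
    "2024-05-01T10:03:00Z heartbeat ok",  # no user=/ip= pair: rex leaves both fields null
]

# rex field=_raw "user=(?<user>\w+)\s+ip=(?<src_ip>[\d.]+)" as a Python regex with named groups.
# The optional urgency group (an assumption) stands in for a second rex; an unmatched group is None (null).
REX = re.compile(r"user=(?P<user>\w+)\s+ip=(?P<src_ip>[\d.]+)(?:\s+urgency=(?P<urgency>\w+))?")

# Assumed assets lookup: hypothetical contents of an assets.csv keyed on ip.
ASSETS = {
    "10.1.1.5": {"hostname": "fin-ws-01", "owner": "alice", "criticality": "high"},
    "10.1.3.3": {"hostname": "dc-01", "owner": "it-ops", "criticality": "critical"},
}

RISK_BY_URGENCY = {"critical": 100, "high": 50, "medium": 25}


def risk_for(urgency):
    """eval risk=case(urgency=="critical",100, ..., 1=1,10): first match wins, 10 is the default."""
    return RISK_BY_URGENCY.get(urgency, 10)


def extract(raw):
    """rex equivalent: dict of captured fields, or None when the pattern does not match at all."""
    m = REX.search(raw)
    return m.groupdict() if m else None


def enrich(event):
    """lookup assets ip AS src_ip OUTPUT hostname owner criticality; no match adds nothing."""
    return {**event, **ASSETS.get(event["src_ip"], {})}


def risk_pipeline(raw_events, threshold=100):
    """stats sum(risk) as total by user, src | where total > threshold, then the lookup pivot."""
    totals = defaultdict(int)
    for raw in raw_events:
        ev = extract(raw)
        if ev is None:
            continue  # rex miss: no user/src fields, so stats ... by user, src drops the event
        totals[(ev["user"], ev["src_ip"])] += risk_for(ev["urgency"])
    flagged = []
    for (user, src_ip), total in totals.items():
        if total > threshold:  # strict >, exactly as | where total > 100
            flagged.append(enrich({"user": user, "src_ip": src_ip, "total": total}))
    return flagged


if __name__ == "__main__":
    for row in risk_pipeline(SAMPLE_EVENTS):
        print(row)
```

Running it flags only alice (50 + 100 = 150); carol's three events total exactly 100 and fall on the wrong side of the strict threshold, which is worth remembering when tuning `where total > N`.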

Module 4 — tstats — Speed

Reads indexed metadata (the tsidx files: index, sourcetype, source, host and any indexed fields) or accelerated data-model summaries instead of raw events, which is why it typically runs 10-100× faster than an equivalent raw search. The trade-off is that it can only group and filter on those fields; anything that needs search-time extraction still has to go through the raw search path.

Caveat: summariesonly=t answers only from the accelerated summary. An unaccelerated model, or a summary that is still backfilling, returns zero rows rather than an error, so check acceleration status before trusting an empty result.

Used in most Splunk ES correlation searches for exactly these reasons.

Module 5 — Session Stitching

transaction src,dest maxspan=10m groups events that share src and dest within a 10-minute window. It is convenient but memory-bound and slow on large result sets; when all you need per key is a count, first/last time or a list of values, stats ... by src, dest gives the same answer far more cheaply.

streamstats computes running or windowed statistics in event order (for example the interval between consecutive connections for beaconing). It is order-sensitive: Splunk returns search results newest-first, so sort ascending by _time before it.

SPL Queries

Risk score pipeline
index=notable
| eval risk = case(urgency=="critical",100, urgency=="high",50, urgency=="medium",25, 1=1,10)
| stats sum(risk) as total by user, src
| where total > 100
// Per-entity rolling risk: the idea behind risk-based alerting (RBA). The 1=1 branch matters because case() returns null with no match, and sum() silently skips nulls.

Beaconing detection
index=network sourcetype=zeek:conn
| sort 0 src_ip, dest_ip, _time
| streamstats current=f last(_time) as prev_time by src_ip, dest_ip
| eval delta = _time - prev_time
| stats count avg(delta) as avg_int stdev(delta) as jitter by src_ip, dest_ip
| where count > 20 AND jitter < 5
| sort jitter
// Low-jitter periodic outbound connections are the textbook C2 beacon signature. The sort 0 (no row cap) is required: streamstats walks events in order and results arrive newest-first, so without it every delta is negative. Expect benign periodic traffic too (NTP, update checks, monitoring agents); filter it with the assets lookup or an allowlist before escalating.

tstats on Authentication DM
| tstats summariesonly=t count
  from datamodel=Authentication
  where Authentication.action=failure earliest=-1h
  by Authentication.src, Authentication.user
| where count > 20
// Brute force at scale. summariesonly=t means an unaccelerated model or a backfilling summary returns zero rows, not an error.
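The beaconing query above, reimplemented in Python over constructed zeek:conn-style records so the streamstats and stats steps can be run and inspected offline. This is an added example, not course code: the records, the 60-second beacon, the noisy and sparse pairs, and the newest-first ordering are all constructed for the example. It also includes the pitfall from Module 5: what the first delta looks like when the sort is skipped.

```python
import json
from collections import defaultdict
from statistics import mean, stdev


def make_samples():
    """Constructed zeek:conn-style records (not real traffic), returned newest-first as Splunk would.

    Field names follow the page's query (src_ip/dest_ip); real zeek conn logs carry id.orig_h and
    id.resp_h, and the query assumes those are aliased, for example via CIM field aliases.
    """
    recs = []
    base = 1700000000
    # Beacon: 25 connections every 60 s with roughly 1 s of jitter.
    for i in range(25):
        recs.append({"ts": base + 60 * i + (i % 3) - 1, "src_ip": "10.0.0.7", "dest_ip": "203.0.113.9"})
    # Interactive-looking traffic: 25 connections at irregular intervals (12 s to 197 s apart).
    t = base
    for i in range(25):
        t += (i * 37) % 200 + 5
        recs.append({"ts": t, "src_ip": "10.0.0.8", "dest_ip": "198.51.100.4"})
    # Perfectly periodic but only 5 connections: stays below the count threshold.
    for i in range(5):
        recs.append({"ts": base + 300 * i, "src_ip": "10.0.0.9", "dest_ip": "192.0.2.1"})
    recs.sort(key=lambda r: r["ts"], reverse=True)
    return [json.dumps(r) for r in recs]


def first_delta_in_arrival_order(raw_lines, src_ip, dest_ip):
    """What streamstats sees if the sort is skipped: the first delta for the pair in arrival order."""
    ts = [e["ts"] for e in map(json.loads, raw_lines) if e["src_ip"] == src_ip and e["dest_ip"] == dest_ip]
    return ts[1] - ts[0]


def beacon_candidates(raw_lines, min_count=20, max_jitter=5.0):
    """The beaconing query: delta per pair, then count/avg/stdev, then where count>N AND jitter<J."""
    events = [json.loads(line) for line in raw_lines]
    # | sort 0 src_ip, dest_ip, _time: streamstats walks events in order and Splunk hands them
    # back newest-first, so without this every delta comes out negative.
    events.sort(key=lambda e: (e["src_ip"], e["dest_ip"], e["ts"]))
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src_ip"], e["dest_ip"])].append(e["ts"])
    results = []
    for (src_ip, dest_ip), ts in by_pair.items():
        # streamstats current=f last(_time) as prev_time | eval delta=_time-prev_time:
        # the first event of each pair has no prev_time, hence no delta, but it still counts.
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        if len(deltas) < 2:
            continue  # stdev needs at least two intervals (Splunk's stdev is the sample stdev)
        row = {"src_ip": src_ip, "dest_ip": dest_ip, "count": len(ts),
               "avg_int": mean(deltas), "jitter": stdev(deltas)}
        if row["count"] > min_count and row["jitter"] < max_jitter:
            results.append(row)
    return sorted(results, key=lambda r: r["jitter"])  # lowest jitter first, as in Lab step 3


if __name__ == "__main__":
    for row in beacon_candidates(make_samples())[:3]:
        print(row)
```

With the defaults only the 10.0.0.7 pair survives: the irregular pair fails the jitter test and the five-connection pair fails the count test. Lowering min_count lets the sparse but perfectly regular pair through with a jitter of 0, which is the trade-off the thresholds in the query encode.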

Lab 11 — Hunt with Advanced SPL

  1. Open Splunk → Search.
  2. Run the pre-loaded beaconing detection query.
  3. Identify the 3 src→dest pairs with lowest jitter.
  4. Pivot: which user is on the source host? (use a lookup).
  5. Recommend a containment playbook.

Key Takeaways

  • eval + case = the analyst's scoring engine
  • tstats on accelerated DMs is mandatory at scale
  • streamstats unlocks time-series hunting