Splunk SPL Filter Reference

splunk spl filters cheatsheet


SPL Basics

Splunk Processing Language (SPL) queries start with a search command and can be piped to additional commands.

Basic Structure

index=<index_name> <search_terms> | <command> | <command>

Search Operators

OperatorDescriptionExample
ANDBoth terms (implicit)error AND critical
OREither termerror OR warning
NOTExclude termerror NOT debug
=Field equalshost=server01
!=Field not equalsstatus!=200
*Wildcardhost=web*
" "Exact phrase"connection refused"
( )Grouping(error OR warning) NOT debug

Common Commands

CommandDescriptionExample
statsAggregate statistics| stats count by src_ip
tableDisplay specific fields| table src_ip, dst_ip, action
sortSort results| sort -count (descending)
headFirst N results| head 10
tailLast N results| tail 10
topTop values| top 10 src_ip
rareLeast common values| rare src_ip
dedupRemove duplicates| dedup src_ip
whereFilter with conditions| where count > 100
evalCreate/modify fields| eval mb=bytes/1024/1024
rexRegex extraction| rex field=_raw "user=(?<user>\w+)"
renameRename fields| rename src_ip AS source
timechartTime-based chart| timechart count by host
transactionGroup related events| transaction src_ip maxspan=5m

Stats Functions

FunctionDescriptionExample
countCount eventsstats count
dc()Distinct countstats dc(src_ip)
sum()Sum valuesstats sum(bytes)
avg()Averagestats avg(duration)
min() / max()Min/max valuesstats max(response_time)
values()List unique valuesstats values(app) by user
list()List all valuesstats list(action) by src_ip
first() / last()First/last valuestats first(_time) by session

Example Queries

Firewall Logs

Basic firewall search:

index=firewall sac900-nw315-zfw02

Traffic between two IPs:

index=firewall (10.155.7.244) (10.168.55.138) host="sac900-nw257-fw31" "FIN"

Traffic from IP excluding port:

index=firewall "sac900-nw257-fw31" (10.155.204.195) NOT 443

URL filtering by category:

index=firewall sourcetype=pan:threat log_subtype=url category=games | stats count by src_user, category, url_domain, app, rule

GlobalProtect Logs

GP connections (excluding pre-logon):

index=firewall sourcetype=pan:globalprotect client_ver!=browser AND src_user!=pre-logon | stats dc(machine_name) by machine_name, src_user, client_ver

GP logs by public IP:

index=firewall sourcetype=pan:globalprotect "73.158.255.70"

Common Patterns

Count events by field:

index=firewall action=denied | stats count by src_ip | sort -count

Top talkers:

index=firewall | stats sum(bytes) as total_bytes by src_ip | sort -total_bytes | head 10

Time-based analysis:

index=firewall action=denied | timechart span=1h count by src_ip

Find anomalies (high event counts):

index=firewall | stats count by src_ip | where count > 1000

Distinct users per day:

index=firewall | timechart span=1d dc(src_user) as unique_users

Time Modifiers

ModifierDescription
earliest=-1hLast hour
earliest=-24hLast 24 hours
earliest=-7dLast 7 days
earliest=@dSince start of today
earliest=-1d@dYesterday start
latest=@dUntil start of today

Example:

index=firewall earliest=-1h | stats count by action

Field Extraction

Extract with regex:

index=firewall | rex field=_raw "user=(?<username>\w+)" | table _time, username

Create calculated field:

index=firewall | eval mb=bytes/1024/1024 | table src_ip, mb

Tips

  • Use specific index and time range to improve performance
  • Add sourcetype when you know it: sourcetype=pan:traffic
  • Use table to see specific fields instead of raw events
  • Test with head 10 before running expensive queries
  • Use dedup to reduce duplicate results
  • Parentheses matter for complex boolean logic