Splunk Search Cheat Sheet

Beginner Reference for SPL (Search Processing Language)


1. Search Basics

index=* keyword
  • index=*: Search every index you have permission to read. This is expensive on a large deployment; name a specific index whenever you know where the data lives.
  • keyword: Match any event containing the term. Plain search terms are case-insensitive; quote phrases that contain spaces ("failed password").

2. Setting Time Ranges

  • Using GUI: Time range picker at the top right of the search bar – select Last 15 minutes, Today, etc.
  • Using Search Command: time modifiers written in the search string override the picker.
earliest=-15m latest=now
  • Relative modifiers combine a sign, a number and a unit (s, m, h, d, w, mon): -24h, -7d. Snap to a boundary with @: earliest=-1d@d latest=@d covers the whole of yesterday.

3. Search Modes (GUI)

  • Fast Mode: Prioritizes speed; automatic field discovery is off, so only fields the search explicitly asks for are extracted.
  • Smart Mode: Balanced – behaves like Verbose when the search only returns events, and like Fast when it contains a transforming command such as stats.
  • Verbose Mode: Full field discovery and event data returned for every search (slowest).

Change mode from the dropdown above the search bar.

4. Formatting Data

Using table

Display selected fields as a clean table. table keeps only the fields you list, so put it at the end of the search; use fields earlier in the pipeline if later commands still need other fields.

index=web_logs | table host, status, uri_path

Using stats

Count, group, or aggregate data.

index=web_logs | stats count by status
  • stats count: Counts events. Without a by clause it returns a single row holding the total.
  • by status: One row per distinct HTTP status code (example), each with its own count. Other aggregations follow the same pattern: sum(bytes), avg(bytes), dc(clientip) for a distinct count.
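A longer worked search that chains these pieces with a time range, added here as an example; it is not part of the original cheat sheet. It assumes an index named web_logs holding Apache-style access logs with the standard access_combined fields status, clientip and bytes; adjust the names to your environment.

```spl
index=web_logs sourcetype=access_combined earliest=-24h latest=now
| stats count AS requests, dc(clientip) AS unique_clients, sum(bytes) AS total_bytes BY status
| eval mb_transferred = round(total_bytes / 1048576, 2)
| sort - requests
| table status, requests, unique_clients, mb_transferred
```

Each line after the first is one piped command: stats replaces the raw events with one row per status, eval adds a derived field, sort orders the rows by request count descending, and table fixes the column order. Because the search contains a transforming command, Smart mode skips field discovery and runs it as quickly as Fast mode would.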

5. Basic Search Commands

Term         Purpose                         Example
index=       Specify the index to search     index=web_logs
source=      Filter by log source            source="/var/log/syslog"
sourcetype=  Filter by log type              sourcetype=access_combined
host=        Filter by host                  host=server01
fields       Keep or drop specific fields    | fields host, status

The first four are field filters that belong in the base search; several terms written side by side are ANDed together (index=web_logs sourcetype=access_combined host=server01). fields is a command and follows a pipe; fields - _raw removes a field instead of keeping it.

6. Pipes (|)

Use pipes to chain commands and refine data. Each command receives the results of the one before it, so filter as much as possible in the base search (before the first pipe): the fewer events reach stats or rex, the faster the search runs.

index=web_logs | stats count by host

7. Filtering Events

Example: Find only 200 or 404 status codes.

index=web_logs (status=200 OR status=404)

Boolean operators must be uppercase (AND, OR, NOT); terms written next to each other are ANDed, and parentheses make the grouping explicit. status IN (200, 404) is an equivalent shorthand, NOT status=200 excludes a value, and wildcards match within a value: status=5* catches every server error.

8. Extracting Fields (Optional)

Create custom fields at search time using a regular expression (advanced):

index=web_logs | rex "User:\s(?<username>\w+)"
  • rex applies the regex to the _raw event text by default; add field=<name> to run it against another field.
  • Each named capture group (?<name>...) becomes a new field, here username, available to later commands such as stats count by username.
  • \w+ stops at the first non-word character, so usernames containing dots or @ need a broader class such as \S+.
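Filtering (section 7) and rex (section 8) together in one search, added here as an example; it is not from the original cheat sheet. It assumes an index named linux receiving OpenSSH authentication lines under the linux_secure sourcetype, such as this constructed sample: Failed password for invalid user admin from 203.0.113.5 port 52214 ssh2. The index name, the sourcetype, the threshold of five failures and the 10.0.0.0/8 internal range are all assumptions to adjust for your environment.

```spl
index=linux sourcetype=linux_secure "Failed password" NOT "Accepted"
| rex "Failed password for (invalid user )?(?<username>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| where isnotnull(username) AND NOT cidrmatch("10.0.0.0/8", src_ip)
| stats count AS failures, dc(username) AS users_tried, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| where failures >= 5
| convert ctime(first_seen), ctime(last_seen)
| sort - failures
| table src_ip, failures, users_tried, first_seen, last_seen
```

The quoted phrases and NOT in the base search cut the event set down before rex runs, which matters because rex is evaluated once per event. The optional group (invalid user )? handles both the "invalid user" and the known-user forms of the OpenSSH message, and where is used rather than search for the cidrmatch call because where evaluates eval-style functions. A source that fails against many distinct usernames (high users_tried) is the password-spraying pattern; one that hammers a single account is brute force.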