🟩Splunk: Exploring SPL

Search & Reporting App

In the left field panel, which Source IP has recorded max events?

Look through the field list on the left, click on SourceIP, and check which value has the most events.

How many events are returned when we apply the time filter to display events on 04/15/2022 and Time from 08:05 AM to 08:06 AM?

Splunk Processing Language Overview

How many Events are returned when searching for Event ID 1 AND User as James?

How many events are observed with Destination IP 172.18.39.6 AND destination Port 135?

What is the Source IP with highest count returned with this Search query? Search Query: index=windowslogs Hostname="Salena.Adam" DestinationIp="172.18.38.5"

In the index windowslogs, search for all the events that contain the term cyber*. How many events are returned?

Filtering the Results in SPL

Let's use the fields command to only display host, User, and SourceIP fields using the following syntax.

The dedup command removes results that have duplicate values in the specified field(s), keeping only the first occurrence of each value in the current result order.

Example:

index=windowslogs | table EventID User Image Hostname | dedup EventID

What is the third EventID returned against this search query?

Use the dedup command against the Hostname field before the reverse command in the query mentioned in Question 1. What is the first username returned in the Hostname field?
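To make the point behind this question concrete, here is an added illustration in Python that is not part of the room or of Splunk: it models `dedup`, `reverse` and `table` over a constructed result set (the second hostname and the timestamps are placeholders) and shows that `dedup` keeps the first result per value in whatever order the results currently have, so placing it before or after `reverse` changes which row comes out first.

```python
# Toy model of SPL's `table`, `dedup` and `reverse` (added example, not Splunk code).
# Assumption: like Splunk, `dedup <fields>` keeps the FIRST result seen for each
# distinct value combination, in the order the results currently have.
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample rows, listed in Splunk's default order (most recent first).
SAMPLE_RESULTS: List[Event] = [
    {"_time": "2022-04-15 08:06:00", "EventID": "3", "User": "James", "Hostname": "Salena.Adam"},
    {"_time": "2022-04-15 08:05:40", "EventID": "1", "User": "James", "Hostname": "Salena.Adam"},
    {"_time": "2022-04-15 08:05:20", "EventID": "1", "User": "svc-placeholder", "Hostname": "host-b.example"},
    {"_time": "2022-04-15 08:05:00", "EventID": "12", "User": "James", "Hostname": "Salena.Adam"},
]


def table(results: List[Event], *fields: str) -> List[Event]:
    """`| table f1 f2 ...`: keep only the named fields, preserving row order."""
    return [{f: r.get(f, "") for f in fields} for r in results]


def dedup(results: List[Event], *fields: str) -> List[Event]:
    """`| dedup f1 f2 ...`: keep the first row for each distinct value combination."""
    seen: set = set()
    kept: List[Event] = []
    for row in results:
        key: Tuple[str, ...] = tuple(row.get(f, "") for f in fields)
        if key in seen:
            continue          # a later duplicate is dropped, the earlier row wins
        seen.add(key)
        kept.append(row)
    return kept


def reverse(results: List[Event]) -> List[Event]:
    """`| reverse`: flip the order of the results."""
    return list(reversed(results))


def dedup_then_reverse(results: List[Event], field: str) -> List[Event]:
    """Order used in the question: `... | dedup Hostname | reverse`."""
    return reverse(dedup(table(results, "EventID", "User", "Hostname"), field))


def reverse_then_dedup(results: List[Event], field: str) -> List[Event]:
    """Swapped order: `... | reverse | dedup Hostname` keeps the OLDEST row per host."""
    return dedup(reverse(table(results, "EventID", "User", "Hostname")), field)


if __name__ == "__main__":
    print("dedup | reverse ->", dedup_then_reverse(SAMPLE_RESULTS, "Hostname"))
    print("reverse | dedup ->", reverse_then_dedup(SAMPLE_RESULTS, "Hostname"))
```

On the sample, the first query keeps the newest row per host and then flips the list, while the swapped query keeps the oldest row per host, so Salena.Adam surfaces with EventID 3 in one case and EventID 12 in the other.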
