Splunk is a powerful SIEM product widely used by organizations and companies.
Network and security engineers can use it to search device logs with queries that filter out the interesting data.
Here are some basic rules:
- If you are looking for a specific string, simply type the keyword in the New Search field and press Enter
- The wildcard “*” is supported
- Search terms are case insensitive
- The boolean operators AND, OR and NOT can be used, but a few rules apply:
  - Booleans have to be written in upper case
  - If two search terms are entered separated by a space, a logical AND is applied by default
  - For complex searches use () to ensure correct results
  - Use “” when searching for phrases, for example “Teardown TCP connection”
- Comparison operators available in queries include =, <, >, !=
- Field search is supported, for example status=404 or src=192.168.100.1
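To show how these rules combine, here is a small query evaluator written for this post; it is not Splunk's own code and only approximates Splunk's search semantics (term breaking on whitespace and a few punctuation characters is a simplification). It runs the rules above (case-insensitive keywords, the “*” wildcard, quoted phrases, upper-case-only booleans with implicit AND, parentheses, and field comparisons with =, !=, <, >) against a handful of constructed firewall and web-server events, so you can see which events each query style returns.

```python
import re

# Constructed sample events (not real device logs): each holds the raw text
# plus a couple of extracted fields, the way Splunk presents an event.
EVENTS = [
    {"_raw": "Teardown TCP connection 1234 for outside:203.0.113.5/443 to inside:192.168.100.1/51000",
     "src": "192.168.100.1", "status": "200"},
    {"_raw": "Built TCP connection 1235 for outside:203.0.113.9/80 to inside:192.168.100.7/51001",
     "src": "192.168.100.7", "status": "200"},
    {"_raw": "GET /admin HTTP/1.1 status=404 src=192.168.100.1",
     "src": "192.168.100.1", "status": "404"},
    {"_raw": "Deny udp src inside:192.168.100.9/5353 dst outside:224.0.0.251/5353",
     "src": "192.168.100.9", "status": "403"},
]

TOKEN_RE = re.compile(r'"([^"]*)"|([()])|([^\s()]+)')
FIELD_RE = re.compile(r'^(\w+)(!=|<=|>=|=|<|>)(.+)$')
BOOLEANS = {"AND", "OR", "NOT"}  # only the upper-case spellings are operators


def tokenize(query):
    """Split a query into ('phrase', s), ('paren', c), ('bool', op),
    ('field', name, op, value) or ('kw', s) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(query):
        if m.group(1) is not None:
            tokens.append(("phrase", m.group(1)))
        elif m.group(2):
            tokens.append(("paren", m.group(2)))
        else:
            word = m.group(3)
            fm = FIELD_RE.match(word)
            if word in BOOLEANS:
                tokens.append(("bool", word))
            elif fm:
                tokens.append(("field", fm.group(1), fm.group(2), fm.group(3).strip('"')))
            else:
                tokens.append(("kw", word))  # lower-case "and" ends up here, as a keyword
    return tokens


def parse(tokens):
    """Recursive-descent parser: OR binds loosest, then AND (explicit, or the
    implicit AND between adjacent terms), then NOT, then parentheses."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if peek() is None:
            raise ValueError("unexpected end of query")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == ("bool", "OR"):
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() not in (None, ("bool", "OR"), ("paren", ")")):
            if peek() == ("bool", "AND"):
                take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        if peek() == ("bool", "NOT"):
            take()
            return ("not", parse_not())
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == ("paren", "("):
            node = parse_or()
            if take() != ("paren", ")"):
                raise ValueError("unbalanced parentheses")
            return node
        if tok[0] in ("phrase", "kw", "field"):
            return tok
        raise ValueError(f"unexpected token {tok!r}")

    tree = parse_or()
    if peek() is not None:
        raise ValueError("unexpected trailing token")
    return tree


def _glob(pattern, text):
    # Only '*' is a wildcard; every other character is matched literally.
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), text) is not None


def _terms(raw):
    # Simplified term breaking: whitespace and a little punctuation, lower-cased.
    return [t for t in re.split(r"[\s/:,=]+", raw.lower()) if t]


def matches(node, event):
    kind = node[0]
    if kind == "or":
        return matches(node[1], event) or matches(node[2], event)
    if kind == "and":
        return matches(node[1], event) and matches(node[2], event)
    if kind == "not":
        return not matches(node[1], event)
    if kind == "kw":      # keyword: case-insensitive, wildcard, matched per term
        return any(_glob(node[1].lower(), t) for t in _terms(event["_raw"]))
    if kind == "phrase":  # quoted phrase: case-insensitive substring of the raw event
        return node[1].lower() in event["_raw"].lower()
    _, name, op, want = node  # field comparison; a missing field never matches
    have = event.get(name)
    if have is None:
        return False
    if op in ("=", "!="):
        equal = _glob(want.lower(), str(have).lower())
        return equal if op == "=" else not equal
    try:
        lhs, rhs = float(have), float(want)  # numeric compare when both sides are numbers
    except ValueError:
        lhs, rhs = str(have), want
    return {"<": lhs < rhs, ">": lhs > rhs, "<=": lhs <= rhs, ">=": lhs >= rhs}[op]


def search(query, events=EVENTS):
    """Return the events matching the query, in their original order."""
    tree = parse(tokenize(query))
    return [e for e in events if matches(tree, e)]


if __name__ == "__main__":
    for q in ["TEARDOWN", "tcp connection", '"Teardown TCP connection"', "tear*",
              "status=404", "src=192.168.100.* status!=200",
              "(teardown OR deny) NOT udp", "teardown and built"]:
        print(f"{q!r:40} -> {len(search(q))} event(s)")
```

Note the last query: because `and` is lower case it is searched as an ordinary keyword, so the query silently returns nothing. That is the practical reason behind the upper-case rule, and it is worth checking before trusting an empty result set.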
These are only some of the ways to use search in Splunk. More information is available on the vendor's website:
http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/search