
Aug 07

Splunk – search basics


Splunk is a powerful SIEM product widely used by organizations and companies.

A network or security engineer can use it to search device logs with queries that filter out the interesting data.

Here are some basic rules:

  • If you are looking for a specific string, simply type the keyword in the New Search field and press Enter
  • The wildcard "*" is supported
  • Search terms are case insensitive
  • The boolean operators AND, OR and NOT can be used, but a few rules apply:
    Booleans have to be written in upper case
    If two search terms are separated only by a space, a logical AND is applied by default
    For complex searches use () to ensure correct results
  • Use "" around search phrases, for example "Teardown TCP connection"
  • Comparison operators available in queries include =, <, >, !=
  • Field search is supported, for example status=404 or src=192.168.100.1
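To see how the rules above combine, here is a small Python model of the search syntax, run over a handful of constructed log lines. It is an added example written for this post, not code from Splunk or from the original author, and it is a simplification of the real engine (in particular the way raw events are split into tokens). It implements case-insensitive keywords with the "*" wildcard, quoted phrases, upper-case AND/OR/NOT with implicit AND between terms, parentheses, and field comparisons with =, !=, < and >. It also follows the evaluation order Splunk documents (parentheses, then NOT, then OR, then AND), which is the reason for the advice to parenthesize complex searches: `web OR teardown tcp` is read as `(web OR teardown) AND tcp`, while `web OR (teardown tcp)` matches a different set of events. The sample events, field names and values are all constructed.

```python
import re

# Query tokens: a "quoted phrase", a parenthesis, or a bare term (keyword or field=value).
TOKEN_RE = re.compile(r'"([^"]*)"|([()])|([^\s()"]+)')
# Field comparisons listed in the post: =, !=, <, >  (!= must come before = in the alternation)
CMP_RE = re.compile(r"^(\w+)(!=|=|<|>)(.+)$")
# Raw-event tokenizer: words, numbers and dotted values such as IPs (simplification of Splunk's breakers)
RAW_TOKEN_RE = re.compile(r"[\w.]+")
# key=value pairs used to populate fields of the constructed sample events
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def tokenize(query):
    tokens = []
    for m in TOKEN_RE.finditer(query):
        phrase, paren, word = m.groups()
        if phrase is not None:
            tokens.append(("phrase", phrase))
        elif paren:
            tokens.append(("paren", paren))
        elif word in ("AND", "OR", "NOT"):      # booleans only count when written in upper case
            tokens.append(("bool", word))
        else:
            tokens.append(("term", word))
    return tokens


class Parser:
    """Recursive-descent parser using Splunk's documented precedence:
    parentheses, then NOT, then OR, then AND (a bare space is an implicit AND)."""

    def __init__(self, query):
        self.toks = tokenize(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def parse(self):
        node = self.parse_and()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % (self.peek(),))
        return node

    def parse_and(self):
        clauses = [self.parse_or()]
        while self.peek() not in (None, ("paren", ")")):
            if self.peek() == ("bool", "AND"):   # explicit AND is optional
                self.pos += 1
            clauses.append(self.parse_or())
        return clauses[0] if len(clauses) == 1 else ("and", clauses)

    def parse_or(self):
        clauses = [self.parse_not()]
        while self.peek() == ("bool", "OR"):
            self.pos += 1
            clauses.append(self.parse_not())
        return clauses[0] if len(clauses) == 1 else ("or", clauses)

    def parse_not(self):
        if self.peek() == ("bool", "NOT"):
            self.pos += 1
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        if tok == ("paren", "("):
            inner = self.parse_and()
            if self.peek() != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            self.pos += 1
            return inner
        if tok[0] == "phrase":
            return tok
        if tok[0] == "term":
            m = CMP_RE.match(tok[1])
            return ("cmp", m.group(1), m.group(2), m.group(3)) if m else tok
        raise ValueError("unexpected token %r" % (tok,))


def wildcard_regex(text):
    # "*" matches any run of characters; everything else is literal and case-insensitive
    return re.compile(re.escape(text).replace(r"\*", ".*"), re.IGNORECASE)


def matches(node, event):
    kind = node[0]
    if kind == "and":
        return all(matches(c, event) for c in node[1])
    if kind == "or":
        return any(matches(c, event) for c in node[1])
    if kind == "not":
        return not matches(node[1], event)
    if kind == "phrase":                        # quoted phrase: exact substring, case-insensitive
        return node[1].lower() in event["_raw"].lower()
    if kind == "term":                          # keyword: must match a whole token of the raw event
        pat = wildcard_regex(node[1])
        return any(pat.fullmatch(t) for t in RAW_TOKEN_RE.findall(event["_raw"]))
    _, field, op, value = node                  # field comparison
    actual = event.get(field)
    if actual is None:                          # field absent from the event: comparison is false, even for !=
        return False
    if op in ("=", "!="):
        same = wildcard_regex(value).fullmatch(str(actual)) is not None
        return same if op == "=" else not same
    try:
        a, b = float(actual), float(value)      # < and > compare numerically
    except ValueError:
        return False
    return a < b if op == "<" else a > b


# Constructed sample events (not real Splunk data); fields are extracted from key=value pairs
SAMPLE_RAW = [
    "ASA-6-302014: Teardown TCP connection 1234 src=192.168.100.1 dst=10.0.0.5",
    "ASA-6-302013: Built inbound TCP connection 1235 src=192.168.100.7 dst=10.0.0.5",
    "web: GET /admin status=404 src=192.168.100.1",
    "web: GET /index.html status=200 src=10.0.0.9",
    "ASA-6-302016: Teardown UDP connection 1236 src=192.168.100.1 dst=10.0.0.53",
]


def make_event(raw):
    event = dict(FIELD_RE.findall(raw))
    event["_raw"] = raw
    return event


SAMPLE_EVENTS = [make_event(r) for r in SAMPLE_RAW]


def search(query, events=SAMPLE_EVENTS):
    """Return the indices of the events matched by the query."""
    tree = Parser(query).parse()
    return [i for i, e in enumerate(events) if matches(tree, e)]


if __name__ == "__main__":
    for q in ('teardown', '"Teardown TCP connection"', 'status=404 OR status=200',
              'web OR teardown tcp', 'web OR (teardown tcp)', 'src=192.168.100.* NOT dst=10.0.0.5'):
        print("%-40s -> %s" % (q, search(q)))
```

Running the block prints the matching event indices for each query; compare `web OR teardown tcp` with `web OR (teardown tcp)` to see the precedence rule at work. Note also the difference between `dst!=10.0.0.5` (only events that have a dst field) and `NOT dst=10.0.0.5` (also events with no dst field at all), a distinction that matters when writing exclusion rules for detections.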

These are only some of the available ways to search in Splunk. More information is available on the vendor's website:
http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/search
