
Basic SPL

📅 Published: 2026-05-03 18:57 | 🔄 Last Updated: 2026-05-07 14:42


1. Splunk core anchors

| Splunk concept | Description | SPL example |
|---|---|---|
| `index` | The store you search in; the closest Kibana (ELK) analogue is a data view. | `index=windows` or `index=linux_servers` |
| `sourcetype` | The log format (highly critical). It tells Splunk how to parse the event and which field extractions apply. | `sourcetype="WinEventLog:Security"`, `sourcetype="linux_audit"`, `sourcetype="pan:traffic"` (Palo Alto firewall) |
| `source` | The original file path (or input) that produced the log. | `source="/var/log/auth.log"` |
| Wildcards (`*`) | If you can't remember an exact field value, use asterisks. | `index=* sourcetype=*wineventlog*` |

`index=*` is convenient while you are still learning which index holds what, but it scans every index you have access to; narrow it down once you know where the data lives.

2. Splunk CIM

| ELK (ECS) | Splunk (CIM) | SPL search example |
|---|---|---|
| `event.category: process` | `tag=process tag=report` | `index=* tag=process tag=report` (process-creation events, CIM Endpoint Processes dataset) |
| `event.category: network` | `tag=network tag=communicate` | `index=* tag=network tag=communicate` (network connection logs) |
| `event.category: authentication` | `tag=authentication` | `index=* tag=authentication action=failure` (failed logins) |
| `event.category: malware` | `tag=malware` | `index=* tag=malware action=allowed` (malware that bypassed defenses) |

Note that the CIM `action` field on process and malware events takes the values `allowed`, `blocked` or `deferred`, so `action=created` would never match; the process-creation constraint is the `tag=process tag=report` pair.

3. Process & Execution

| Hunt objective | SPL via CIM (normalized) | SPL via raw log (most common) |
|---|---|---|
| Find a specific process (e.g. PowerShell) | `tag=process process_name="powershell.exe"` | `sourcetype="*Security" EventCode=4688 NewProcessName="*powershell.exe"` |
| Find command-line content | `tag=process process="*bypass*"` | `sourcetype="*Security" EventCode=4688 CommandLine="*bypass*"` |
| Find the parent process | `tag=process parent_process_name="cmd.exe"` | `sourcetype="*Security" EventCode=4688 ParentProcessName="*cmd.exe"` |
| Linux: find executed commands (auditd) | `tag=process process_name="wget"` | `sourcetype=linux_audit type=EXECVE a0="wget"` |

Two caveats on the raw Windows column. `CommandLine` is only populated when the audit policy "Include command line in process creation events" is enabled, and `ParentProcessName` (the "Creator Process Name" of 4688) only exists on Windows 10 / Server 2016 and later. Field names also depend on how the forwarder renders the event: XML rendering gives `NewProcessName` and `CommandLine`, classic text rendering gives `New_Process_Name` and `Process_Command_Line`, so check your own extractions before trusting an empty result. On the auditd row, `a0` is only the first argument of the `EXECVE` record; arguments containing spaces or special characters are hex-encoded by auditd, so also search `a1`, `a2`, ... or the full raw text.
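A worked hunt built from the rows above, added here as an example rather than taken from the original page. It assumes XML-rendered Security events in `index=windows` (so the fields are `NewProcessName`, `CommandLine` and `ParentProcessName`), that the Splunk Add-on for Windows supplies the `user` field, and that command-line auditing is enabled; it flags PowerShell launches whose command line carries common evasion or download switches and groups them by host, user and parent so one row summarises a whole session.

```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4688
    NewProcessName IN ("*powershell.exe", "*pwsh.exe")
    CommandLine IN ("*-enc*", "*-e *", "*-ec *", "*bypass*", "*hidden*", "*downloadstring*", "*iex*")
| stats count AS executions,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(CommandLine) AS command_lines
    by host, user, ParentProcessName
| convert ctime(first_seen) ctime(last_seen)
| sort -executions
| table first_seen last_seen host user ParentProcessName executions command_lines
```

Search-term matching is case-insensitive, so `*-enc*` also catches `-EncodedCommand`; the `-e ` and `-ec ` forms need the trailing space so that `-ExecutionPolicy` does not match on its own. A parent of `winword.exe`, `excel.exe` or `wscript.exe` in the `ParentProcessName` column is usually more interesting than `cmd.exe`.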

4. Network & Web/HTTP

| Hunt objective | Target Splunk fields | SPL example |
|---|---|---|
| Find source / destination IPs | `src_ip` (or `src`), `dest_ip` (or `dest`) | `index=* sourcetype=pan:traffic dest_ip="10.10.10.5"` |
| Find a network port | `dest_port` | `index=* tag=network dest_port=3389` (RDP connections) |
| Find HTTP POST requests | `http_method` | `index=* tag=web http_method=POST` |
| Find malicious URLs / domains | `url` or `site` | `index=* sourcetype=proxy url="*pastebin.com*"` |
| Find anomalous DNS lookups | `query` (domain name) | `index=* sourcetype=stream:dns query="*.ngrok.io"` |

Use the leading wildcard on the DNS row: `query="ngrok.io"` is an exact match and only hits the apex domain, whereas tunnels and C2 use randomly named subdomains such as `something.ngrok.io`.
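The DNS row above filters on a domain you already suspect. The search below, an added example that is not part of the original page, turns it into a "newly observed domain" hunt: it baselines 30 days of Splunk Stream DNS data and returns only domains first resolved in the last 24 hours, with how many clients asked for them. It assumes `sourcetype=stream:dns` exposes `query` and `src_ip` (the Stream add-on's field names); to scope it to one provider, add a filter such as `query="*.ngrok.io"` to the first line.

```spl
index=* sourcetype=stream:dns earliest=-30d
| eval domain=lower(query)
| stats earliest(_time) AS first_seen,
        count AS lookups,
        dc(src_ip) AS clients,
        values(src_ip) AS client_ips
    by domain
| where first_seen > relative_time(now(), "-24h")
| convert ctime(first_seen)
| sort -lookups
| table first_seen domain lookups clients client_ips
```

The `where` runs before `convert` on purpose: `first_seen` is still an epoch value there, so it compares cleanly against `relative_time(now(), "-24h")`. A domain with one client and a handful of lookups is the classic shape of a fresh tunnel or C2 endpoint; a domain that thousands of clients resolve on day one is more likely a CDN or software update host.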

5. Basic Authentication & Logon Hunting

| Hunt objective | SPL via CIM | SPL via raw Windows log |
|---|---|---|
| Failed logins (brute force) | `tag=authentication action=failure` | `sourcetype="*Security" EventCode=4625 user="admin"` |
| Successful logins | `tag=authentication action=success` | `sourcetype="*Security" EventCode=4624 user="admin"` |
| RDP logins (logon type 10) | `tag=authentication signature_id=4624 app=rdp` | `sourcetype="*Security" EventCode=4624 Logon_Type=10` |
| Linux: SSH logins | `tag=authentication app=sshd` | `sourcetype=linux_secure "Accepted password" OR "Failed password"` |

The value the CIM `app` field carries for RDP depends on the add-on that normalizes the events (the Splunk Add-on for Windows derives it from the logon type), so run `tag=authentication signature_id=4624 | stats count by app` once to see what your data actually calls it. On the Linux row, key-based SSH logins log `Accepted publickey` rather than `Accepted password`, and `Logon_Type=10` only matches interactive RDP sessions; see the note under the brute-force example below for why failed RDP attempts often show up as logon type 3.

6. Splunk Piping

In ELK, Kibana draws tables and charts automatically as you type KQL. In Splunk, the search terms only filter events; to aggregate, shape or order the results you pipe them (`|`) into further commands.

Memorize these three essential "finishing" commands:

  1. Count and statistics (like Visualize in Kibana): `... | stats count by src_ip` counts events per source IP.
  2. Choose and order columns (like picking columns in Kibana Discover): `... | table _time, user, process_name, CommandLine` shows only these four fields.
  3. Sorting: `... | sort -_time` sorts newest first (the leading `-` means descending).

Example of a complete RDP brute-force hunt in Splunk:

```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type=10
| stats count by src_ip, user
| where count > 10
| sort -count
```

Read it top to bottom: the first line filters to failed logons of type 10 (RemoteInteractive), `stats` counts them per source IP and account, `where` keeps only pairs with more than 10 failures, and `sort -count` puts the noisiest pair first. One caveat: when Network Level Authentication is enabled (the default on modern Windows), a wrong password is rejected during the CredSSP exchange before a remote-interactive session exists, so the failure is logged as 4625 with `Logon_Type=3`, not 10. Filtering on type 10 alone therefore misses most real RDP brute force.
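An NLA-aware version of the same hunt, added here as an example and not part of the original page. It includes logon type 3 alongside 10, drops the local placeholder sources, buckets failures into 10-minute windows, and uses `dc(user)` to tell a password spray (many accounts, few attempts each) from a brute force (one account hammered). It assumes `index=windows` and that the Splunk Add-on for Windows maps the raw `IpAddress` / `Source Network Address` field to `src_ip` and the target account to `user`.

```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type IN (3, 10)
    src_ip!="-" src_ip!="127.0.0.1" src_ip!="::1"
| bin _time span=10m
| stats count AS failures,
        dc(user) AS distinct_users,
        values(user) AS users,
        values(Logon_Type) AS logon_types
    by _time, src_ip, host
| where failures >= 10 OR distinct_users >= 5
| eval pattern=if(distinct_users >= 5, "password spray", "brute force")
| sort -failures
| table _time src_ip host pattern failures distinct_users logon_types users
```

Logon type 3 also covers SMB and other network logons, so expect some noise from service accounts and file servers; tune the thresholds per environment, and pair a hit with a `EventCode=4624` search for the same `src_ip` to see whether any attempt eventually succeeded.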