Your interactive reference for Splunk Search Processing Language commands
Find, copy, and learn essential Splunk commands for security monitoring and threat detection
This interactive cheatsheet contains the most essential SPL commands for detection engineers and security analysts. Each command includes syntax, description, practical examples, and security use cases. Use the search box to quickly find commands or browse by category.
This page is a work in progress so let us know if you have any suggestions or feedback! We aim to have this be all encompassing for SPL commands!
search [search terms]The foundation of SPL queries, initiates a search with specified terms
search index=windows EventCode=4624Search for successful authentication events in Windows logs
index=[index_name]Specifies which index(es) to search in
index=windows index=linuxTarget searches to specific data repositories
sourcetype=[sourcetype]Filters events based on the data source type
sourcetype=WinEventLog:SecurityFocus searches on specific log types
| fields [+/-] [field1], [field2], ...Keeps (+) or removes (-) specified fields from search results
| fields + src_ip, dest_ip, user, actionFocus on the most relevant security information and remove noise
| table [field1], [field2], ...Displays results in a tabular format with specified fields
| table _time, user, src_ip, action, statusCreate clean, readable output of security events for analysis or reporting
| lookup dnslookup [ip_field] as [field_name] OUTPUT clienthost as [hostname_field]Performs DNS resolution on IP addresses in your search results
| lookup dnslookup clientip as dest_ip OUTPUT clienthost as dest_hostEnrich security alerts with hostname information for easier analysis
| metadata type=[metadata_type] [index_name]Retrieves metadata about your Splunk environment, such as available sourcetypes in an index
| metadata type=sourcetypes index=securityDiscover available data sources for security monitoring and threat hunting
| where [condition]Filters results based on a specified condition
| where user!="Administrator" AND action="failed"Filter out noise and focus on specific security conditions
| regex [field]="[pattern]"Filters results using regular expressions
| regex user="(?i)admin.*"Find variations in usernames that might indicate suspicious activity
| dedup [field1], [field2]Removes duplicate events based on specified fields
| dedup src_ip, dest_ip, actionReduce alert noise by removing duplicate security events
| rename [oldname] AS [newname]Renames fields in search results
| rename src_ip AS attacker_ip, dest_ip AS victim_ipCreate more meaningful field names in security dashboards and reports
| rex field=[fieldname] "[regex pattern with named capturing groups]"Extracts fields using regular expressions
| rex field=message "user=(?<username>[\w.]+)"Extract critical security information from unstructured log data
| lookup [lookupname] [lookup-field] AS [event-field]Enriches events with data from lookup tables
| lookup ip_classifications ip AS src_ipAdd threat intelligence context to security events
| eval user=lower(if(match(user,".*\\\\.*"), replace(user,".*\\\\",""), user))Standardizes Windows username format by removing domain prefixes and converting to lowercase
| eval user=lower(if(match(user,".*\\\\.*"), replace(user,".*\\\\",""), user))Normalize Windows usernames for consistent user tracking across different log sources
| rex field=host "^(?<host>.*?)[\.\\|$]"Extracts just the hostname part without the domain suffix
| rex field=dest "^(?<dest>.*?)[\.\\|$]"Standardize host identifiers for more consistent correlation across different log sources
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"Extracts the subnet portion (first 3 octets) of IP addresses
| rex field=src_ip "(?<subnet>\d+\.\d+\.\d+)\.\d+" | stats count by subnetIdentify network segments with suspicious activity for network-based detection
| stats [function] BY [field]Generates statistics grouped by fields
| stats count BY src_ip, dest_ipIdentify top attackers or most targeted systems
| rare [field]Shows statistically rare values, useful for anomaly detection
| rare processIdentify unusual processes that might indicate malware or attacks
| eventstats [stats-function] AS [field]Calculates statistics and adds them to each event
| eventstats count BY user AS user_event_countAdd context to events by showing frequency compared to normal activity
| top [field]Shows the most common values of a field
| top limit=20 src_ipIdentify hosts generating the most security events or traffic
| contingency [field1] [field2]Displays a contingency table for two fields
| contingency src_ip actionAnalyze relationships between attackers and attack methods
| streamstats [stats-function] AS [field] BY [field]Computes running statistics on events in real-time order
| streamstats count AS event_sequence BY src_ipTrack progression of attack sequences in chronological order
| stats count by [field] | eval events_perDay = round(count / [days],2)Calculates the frequency of events over different time periods
| stats count by signature | eval days = 10 | eval events_perDay = round(count / days,2) | eval events_perWeek = round(count / (days / 7),2)Establish baselines for alert frequencies to identify unusual activity spikes
| fieldsummary | eventstats max(count) as total | eval event_coverage = round(((count / total)*100),2)."%"Provides a summary of fields with percentage of events containing each field
index=firewall sourcetype="pan:traffic" | fieldsummary | eventstats max(count) as total | eval event_coverage = round(((count / total)*100),2)."%"Identify which security-relevant fields are consistently populated for reliable detection
earliest=[time_modifier]Sets the earliest time boundary for the search
earliest=-24hLimit searches to relevant timeframes during incident response
latest=[time_modifier]Sets the latest time boundary for the search
latest=nowCreate time-bounded searches for specific security incidents
| bucket _time span=[time_unit]Groups events into time buckets for time-series analysis
| bucket _time span=5mAnalyze attack patterns over specific time intervals
| localizeConverts UTC timestamps to the local timezone
index=windows | localizeAlign security events with local business hours to identify suspicious after-hours activity
| sistats count BY [field1] span=[time_period]Computes statistics while maintaining chronological information
| sistats count BY src_ip span=5mIdentify burst patterns in attack traffic
| stats earliest(_time) as firstTime latest(_time) as lastTime by [field]Finds the first and last occurrence of each unique value for a field
| stats earliest(_time) as firstTime latest(_time) as lastTime by dest | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")Identify when hosts or attackers first appeared in your environment and when they were last active
| stats latest(_time) as lastTime by host | where lastTime < relative_time(now(),"-[timeframe]")Identifies assets that have not sent logs within a specified timeframe
| stats latest(_time) as lastTime earliest(_time) as firstTime by host | eval recent = if(lastTime > relative_time(now(),"-30d"),1,0) | where recent=0Detect compromised or decommissioned assets that should be sending logs but are not
| eval [fieldname]=relative_time(now(), "[time_modifier]")Creates a timestamp relative to the current time, useful for comparing against event times
| eval yesterday=relative_time(now(), "-1d@d")Create dynamic time windows for baselining and anomaly detection
| transaction [fields] maxspan=[time]Groups related events into transactions based on fields and time windows
| transaction src_ip, dest_ip maxspan=5mTrack attack sequences and multi-stage attacks
| anomalousvalue action=filter [field]Detects statistical outliers in field values
| anomalousvalue action=filter pct(failed_logins)Identify potential brute force attacks based on unusual login failure rates
| diff [field]Shows differences between consecutive events
| diff process_listIdentify changes in system state that might indicate compromise
| cluster [field] showcount=trueGroups similar events using field similarity
| cluster message showcount=trueGroup similar attack patterns or error messages to identify attack campaigns
| multisearch [search1] [search2]Runs multiple searches and combines the results
| multisearch [search index=windows EventCode=4625] [search index=firewall action=blocked]Correlate failed login attempts with firewall blocks for comprehensive threat detection
| predict [field]Uses statistical forecasting on time series data
| timechart count by src_ip | predict countDetect anomalies by comparing actual vs. predicted event patterns
| eval vendor = mvindex(split(cpe,":"),[index])Extracts vendor, product and version information from CPE strings for software inventory
| eval cpe_parts = split(cpe,":") | eval vendor = mvindex(cpe_parts,2) | eval product = mvindex(cpe_parts,3) | eval version = mvindex(cpe_parts,4)Extract software details from CPE data to identify vulnerable software versions
| timechart count BY [field]Creates a time-series chart of events
| timechart count BY src_ipVisualize attack patterns and trends over time
| geostats count BY [field]Creates geographic visualizations
| geostats count BY src_ipMap attack origins and geographic attack patterns
| chart [stats-function] OVER [field] BY [field]Creates a chart with multiple dimensions
| chart count OVER dest_port BY src_ipVisualize attack targets by attacker across different services/ports
| timechart count | trendline [field]Adds trend lines to time-series visualizations
| timechart count | trendline sma5(count)Identify long-term security event trends and anomalies
| table [field1] [field2] | appendpipe [stats count by [field1] [field2] | rename [field1] as source, [field2] as target]Creates data for Sankey diagrams to visualize complex relationships
| table src_ip dest_port dest_ip | appendpipe [stats count by src_ip dest_port | rename src_ip as source, dest_port as target] | appendpipe [stats count by dest_port dest_ip | rename dest_port as source, dest_ip as target] | search source=* | fields source target countVisualize attack paths and lateral movement through your network
| datamodel [datamodel_name] [nodename] searchSearches accelerated data models
| datamodel Authentication Failed_Authentication searchPerform fast searches on normalized security data
| tstats [function] from datamodel=[model] where [conditions]Fast statistics from data model acceleration
| tstats count from datamodel=Network_Traffic where sourcetype=firewallQuickly analyze large volumes of security telemetry
| map [search]Runs a subsearch against each result
| map search="search index=windows host=$host$ | stats count by EventCode"Enrich alerts with additional context from related logs
| mcollect [index=name] [options]Saves search results to a specified index
| mcollect index=detected_threatsCreate curated datasets of detected threats for further analysis
| join [field] [search]Joins the results of the current search with another search
| join src_ip [search index=threats | fields ip, threat_intel]Enrich security events with threat intelligence from a separate dataset
| savedsearch [savedsearch_name]Runs a previously saved search within the current search
| savedsearch "Known Malicious IPs"Incorporate standard threat detection logic into multiple searches
| inputlookup [lookup_file]Loads a lookup table as search results
| inputlookup threat_intel.csv | search category="C2"Use static threat intelligence lists for detection and enrichment
| outputlookup [lookup_file]Saves search results to a lookup table
| stats count by src_ip | where count>100 | outputlookup suspicious_ips.csvCreate dynamic watchlists based on detected suspicious behavior
| foreach "*" [eval <<FIELD>>=...Applies an operation to all fields or specified fields
| foreach "*" [eval <<FIELD>>=lower('<<FIELD>>') ]Normalize all field values for case-insensitive analysis and correlation
| rest /services/authentication/current-contextShows information about the current Splunk user context
| rest /services/authentication/current-context splunk_server=localVerify user identity and permissions during security investigations
| eval [new_field] = mvjoin([mv_field],", ")Converts a multivalued field into a comma-separated string
| fields mv_field | eval mv_field_csv = mvjoin(mv_field,", ")Format multivalued fields like destination IPs or hostnames for reports and exports