https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556516#M158050 <P>The base query (outside of a dashboard) is the part before the first pipe.</P><P>One does not need to memorize available fields, although that often comes from repeated use.&nbsp; Instead, do your query building in Verbose Mode and consult the "Interesting fields" area to see what is available.</P> Mon, 21 Jun 2021 12:46:20 GMT richgalloway 2021-06-21T12:46:20Z https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556414#M158018 <P>Hi Guys,</P><P>I am just wondering if anyone can put me in the right direction - I have a question about search queries in Splunk. For example, in the below 2 simple query:</P><P>A. <EM>sourcetype="WinEventLog" EventCode=4688 <FONT color="#0000FF">New_Process_Name</FONT>="*powershell.exe" | stats count by New_Process_Name, <FONT color="#0000FF">Process_Command_Line</FONT></EM></P><P>B.&nbsp;<EM>sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational” EventID=1 <FONT color="#0000FF">Image</FONT>=”*powershell.exe” | stats count by Image, <FONT color="#0000FF">CommandLine</FONT></EM></P><P><U><STRONG>How do I know the following fields exists in that particular log?</STRONG></U></P><P>1. New_Process_Name</P><P>2. Process_Command_Line</P><P>3. Image</P><P>etc.</P><P>Thanks guys!!</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 20 Jun 2021 12:56:53 GMT https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556414#M158018 dilenthakuri 2021-06-20T12:56:53Z https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556416#M158020 <P>You know the New_Process_Name and Image fields exist because otherwise you will get no results from the base searches.&nbsp; If Process_Command_Line does not exist then stats will return no results.</P> Sun, 20 Jun 2021 13:16:01 GMT https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556416#M158020 richgalloway 2021-06-20T13:16:01Z https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556417#M158021 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;!</P><P>So "<STRONG>Base Searches"</STRONG> you mean just run the below query first&nbsp;</P><P><FONT color="#0000FF"><STRONG>sourcetype="WinEventLog" EventCode=4688</STRONG></FONT></P><P>And then, look for the<STRONG> field</STRONG> that can be appended to the search query further? Otherwise, it's not possible to remember or memorise ALL the field values while building the query. I see multiple of like below parameters set in the query:</P><UL class="lia-list-style-type-square"><LI>Process_Command_Line</LI><LI>CommandLine</LI><LI>ParentCommandLine</LI><LI>Image</LI><LI>ParentImage</LI><LI>TargetFilename</LI><LI>User</LI></UL><P class="p1">Or, we just have to know all of these by heart? What's the method you guys use to build complex queries?&nbsp;</P><P class="p1">Thank you.</P> Sun, 20 Jun 2021 13:48:29 GMT https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556417#M158021 dilenthakuri 2021-06-20T13:48:29Z https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556516#M158050 <P>The base query (outside of a dashboard) is the part before the first pipe.</P><P>One does not need to memorize available fields, although that often comes from repeated use.&nbsp; Instead, do your query building in Verbose Mode and consult the "Interesting fields" area to see what is available.</P> Mon, 21 Jun 2021 12:46:20 GMT https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556516#M158050 richgalloway 2021-06-21T12:46:20Z https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556529#M158056 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;What do you mean by 'Outside of the Dashboard'? Sorry</P> Mon, 21 Jun 2021 14:19:00 GMT https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556529#M158056 dilenthakuri 2021-06-21T14:19:00Z https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556545#M158065 <P>In a dashboard, the term "base search" has a different meaning.</P> Mon, 21 Jun 2021 15:28:28 GMT https://community.splunk.com/t5/Splunk-Search/building-search-query/m-p/556545#M158065 richgalloway 2021-06-21T15:28:28Z