Splunk Search

Are there any other online collections of Splunk search examples?

ChrisG
Splunk Employee

Beyond what's in the Search Reference and the Search Manual, are there other sites that have SPL examples available to the community?

1 Solution

vnakra_splunk
Splunk Employee

Aside from the excellent sites from Chris above, if your goal is to learn SPL, there are a few other resources I typically recommend:

Education: Take "Advanced Searching and Reporting" from Splunk Education. Very worth your time.

Apps:

People:

  • .conf is one of the best sources of wisdom out there. Archived sessions from 2013-2016 are up at conf.splunk.com. Two from the latest .conf that have great info on SPL are:
    • "Let Stats Sort Them Out: Building Complex Result Sets That Use Multiple Source Types" - by Nick Mealy (ex-Splunker, aka @Sideview): Recording and Slides
    • "Time After Time – Comparing Time Ranges in Splunk" by Lisa Guinn (Splunk Edu, aka @lguinn): Recording and Slides
  • Sign up for the Slack channel and talk to people. You soak up a lot by osmosis, and you'll meet the people who help you here on Answers.

The Splunk Book: From one of the creators of the product...http://www.splunk.com/goto/book

gcusello
SplunkTrust

Hi @ChrisG,

In addition to the ones hinted at by the other people, I would also add Enterprise Security Content Updates (https://splunkbase.splunk.com/app/3449), which it's possible to use also outside ES, eventually using the CIM data models.

Ciao.

Giuseppe

0 Karma

bowesmana
SplunkTrust

The ESCU searches are also part of Splunk Security Essentials, which you can see here

https://docs.splunksecurityessentials.com/content-detail/

and also here

https://research.splunk.com/detections/

Note that some of the searches are buggy - I've raised a few bugs in the last few days

https://github.com/splunk/security_content/issues

0 Karma

Anam
Community Manager

Hi all, thank you for bringing malicious links to our attention! I have gone ahead and deleted Chris's post since the links were out of date, and any other reply that had the old links. Feel free to post any updated information 🙂

0 Karma

mhouse3
Path Finder

"Archived sessions from 2013-2016 are up at conf.splunk.com" where? Can you provide the direct link please?

0 Karma

ChrisG
Splunk Employee
0 Karma

mhouse3
Path Finder

That link only takes me to the current 2019 .conf listings.

0 Karma

ChrisG
Splunk Employee

It does kind of look like that, because of the banner on the page. But these are in fact the 775 archived sessions recorded in previous years. If you do a search on that page, like https://conf.splunk.com/watch/conf-online.html?search=SPL#/, you will see the results are tagged with the year they were recorded.

0 Karma

mhouse3
Path Finder

I see now. The problem is if you go to the top left and expand Event it reflects that these are for 2016, 2017 and 2018. I am looking for the recordings before 2016.

0 Karma

ChrisG
Splunk Employee

Yes, I think that is as far back as they go, vnakra might have been mistaken.

0 Karma

raj_mpl
Path Finder

Nice information … keep it up guys

0 Karma