Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

building search query

dilenthakuri
Explorer
‎06-20-2021 05:56 AM

Hi Guys,

I am just wondering if anyone can put me in the right direction - I have a question about search queries in Splunk. For example, in the below 2 simple query:

A. sourcetype="WinEventLog" EventCode=4688 New_Process_Name="*powershell.exe" | stats count by New_Process_Name, Process_Command_Line

B. sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational” EventID=1 Image=”*powershell.exe” | stats count by Image, CommandLine

How do I know the following fields exists in that particular log?

1. New_Process_Name

2. Process_Command_Line

3. Image

etc.

Thanks guys!!

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2021 05:46 AM

The base query (outside of a dashboard) is the part before the first pipe.

One does not need to memorize available fields, although that often comes from repeated use.  Instead, do your query building in Verbose Mode and consult the "Interesting fields" area to see what is available.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-20-2021 06:16 AM

You know the New_Process_Name and Image fields exist because otherwise you will get no results from the base searches.  If Process_Command_Line does not exist then stats will return no results.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dilenthakuri
Explorer
‎06-20-2021 06:48 AM

Thanks @richgalloway !

So "Base Searches" you mean just run the below query first 

sourcetype="WinEventLog" EventCode=4688

And then, look for the field that can be appended to the search query further? Otherwise, it's not possible to remember or memorise ALL the field values while building the query. I see multiple of like below parameters set in the query:

  • Process_Command_Line
  • CommandLine
  • ParentCommandLine
  • Image
  • ParentImage
  • TargetFilename
  • User

Or, we just have to know all of these by heart? What's the method you guys use to build complex queries? 

Thank you.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2021 05:46 AM

The base query (outside of a dashboard) is the part before the first pipe.

One does not need to memorize available fields, although that often comes from repeated use.  Instead, do your query building in Verbose Mode and consult the "Interesting fields" area to see what is available.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

dilenthakuri
Explorer
‎06-21-2021 07:19 AM

Thank you @richgalloway What do you mean by 'Outside of the Dashboard'? Sorry

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2021 08:28 AM

In a dashboard, the term "base search" has a different meaning.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...