Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are there any other online collections of Splunk search examples?

ChrisG
Splunk Employee
Splunk Employee
‎02-26-2016 08:20 AM

Beyond what's in the Search Reference and the Search Manual, are there other sites that have SPL examples available to the community?

Reply
1 Solution
Solved! Jump to solution
Solution

vnakra_splunk
Splunk Employee
Splunk Employee
‎03-08-2017 07:42 AM

Aside from the excellent sites from Chris above, if your goal is to learn SPL, there are a few other resources I typically recommend:

Education: Take "Advanced Searching and Reporting" from Splunk Education. Very worth your time.

Apps:

People:

  • .conf is one of the best sources of wisdom out there. Archived sessions from 2013-2016 are up at conf.splunk.com. Two from the latest .conf that have great info on SPL are:
    • "Let Stats Sort Them Out: Building Complex Result Sets That Use Multiple Source Types" - by Nick Mealy (ex-Splunker, aka @Sideview): Recording and Slides
    • "Time After Time – Comparing Time Ranges in Splunk" by Lisa Guinn (Splunk Edu, aka @lguinn): Recording and Slides
  • Sign up for the Slack channel and talk to people. You soak up a lot by osmosis, and you'll meet the people who help you here on Answers.

The Splunk Book: From one of the creators of the product...http://www.splunk.com/goto/book

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-21-2022 12:06 AM

Hi @ChrisG,

in addition to the ones hinted by the other epeople I would add also Enterprise Security Content Updates (https://splunkbase.splunk.com/app/3449) that's possible to use also outside ES, eventually using the CIM data Models.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎10-21-2022 01:33 AM

The ESCU searches are also part of Splunk Security Essentials , which you can see here

https://docs.splunksecurityessentials.com/content-detail/

and also here

https://research.splunk.com/detections/

Note that some of the searches are buggy - I've raised a few bugs in the last few days

https://github.com/splunk/security_content/issues

 

0 Karma
Reply
Solved! Jump to solution

Anam
Community Manager
Community Manager
‎10-20-2022 09:41 AM

Hi all, thank you for bringing malicious links to our attention! I have gone ahead and deleted Chris's post since the links were out of date and any another reply that had the old links. Feel free to post any updated information 🙂 

0 Karma
Reply
Solved! Jump to solution

mhouse3
Path Finder
‎10-12-2019 04:13 PM

"Archived sessions from 2013-2016 are up at conf.splunk.com" where? Can you provide the direct link please?

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-13-2019 11:17 AM

Here you go: https://conf.splunk.com/watch/conf-online.html?#/

0 Karma
Reply
Solved! Jump to solution

mhouse3
Path Finder
‎10-14-2019 07:03 AM

That link only takes me to the current 2019 .conf listings.

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-14-2019 07:48 AM

It does kind of look like that, because of the banner on the page. But these are in fact the 775 archived sessions recorded in previous years. If you do a search on that page, like https://conf.splunk.com/watch/conf-online.html?search=SPL#/, you will see the results are tagged with the year they were recorded.

0 Karma
Reply
Solved! Jump to solution

mhouse3
Path Finder
‎10-14-2019 08:03 AM

I see now. The problem is if you go to the top left and expand Event it reflects that these are for 2016, 2017 and 2018. I am looking for the recordings before 2016.

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-14-2019 08:14 AM

Yes, I think that is as far back as they go, vnakra might have been mistaken.

0 Karma
Reply
Solved! Jump to solution
Solution

vnakra_splunk
Splunk Employee
Splunk Employee
‎03-08-2017 07:42 AM

Aside from the excellent sites from Chris above, if your goal is to learn SPL, there are a few other resources I typically recommend:

Education: Take "Advanced Searching and Reporting" from Splunk Education. Very worth your time.

Apps:

People:

  • .conf is one of the best sources of wisdom out there. Archived sessions from 2013-2016 are up at conf.splunk.com. Two from the latest .conf that have great info on SPL are:
    • "Let Stats Sort Them Out: Building Complex Result Sets That Use Multiple Source Types" - by Nick Mealy (ex-Splunker, aka @Sideview): Recording and Slides
    • "Time After Time – Comparing Time Ranges in Splunk" by Lisa Guinn (Splunk Edu, aka @lguinn): Recording and Slides
  • Sign up for the Slack channel and talk to people. You soak up a lot by osmosis, and you'll meet the people who help you here on Answers.

The Splunk Book: From one of the creators of the product...http://www.splunk.com/goto/book

Reply
Solved! Jump to solution

raj_mpl
Path Finder
‎08-06-2018 11:39 PM

Nice information … keep it up guys

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...