Splunk Commands Cheat Sheet



Cheat Sheets Splunk Data On-boarding A quick reference for important settings when on-boarding a new sourcetype. Syslog Hints and quick tips for setting up rsyslogd or syslog-ng. Splunk AppDev Reference for settings and commands for Splunk App development. Securing Splunk Some of the key settings and guidelines for hardening your Splunk. Cheat sheets for Splunk administration, data on-boarding, App development, search head clustering, and syslog configurations. Extract JSON data from an JSON array. The following will try to find ten matches for strings contained in curly brackets. Next it will be expanded to a multi value field so we can use spath on each extracted field. Splunk Cheat Sheet Edit Cheat Sheet SPL Syntax Basic Searching Concepts. Simple searches look like the following examples. Note that there are literals with and without quoting and that there are data field as well as date source selections done with an “=”. The Splunk Machine Learning Toolkit App delivers new SPL commands, custom visualizations, assistants, and examples to explore a variety of ml concepts. Each assistant includes end-to-end examples with datasets, plus the ability to apply the visualizations and SPL commands to your own data.

I’m the Splunk Marine; meaning I’m both a Splunker and a Marine. After five months of working at Splunk, I realized some of my core Unix and Linux skills were getting a little rusty. In a former life, I was a Linux Systems Engineer for a government agency, so it’s important to me to keep those skills sharp. One of the most important skill sets as a Unix/Linux Systems Engineer, in my opinion, is the ability to utilize a console based text editor. My editor of choice is VI, although many prefer EMACS. Many of these console based text editors are quite complicated. One of the things I do to both remember all the commands for VI and try to stay sharp in that specific skillset is to set my desktop background as a VI cheat sheet. This is especially important, as Splunk configuration files are all editable text files. With some well-developed VI skills, it makes it quite easy to configure or reconfigure your Splunk installs, especially those installs such as the Universal Forwarder, which does not have a Splunk Web UI. So here:

is the cheat sheet I use. It’s not an all-inclusive cheat sheet, but it covers about 90% of the commands that are available to you in VI. One other interesting fact is that VI is the only text editor, by default, that is built into all Unix/Linux operating systems. I hope this tidbit of information is helpful to you. Please check back soon for more Tips and Tricks from this old Jarhead.

Semper Fi!

For your convenience:

  • Links to the above cheat sheet:
  • Link to EMACs cheat sheet:
  • Link to Splunk quick reference for RegEx:

----------------------------------------------------
Thanks!
Mark White

In looking into compromised systems, often what is needed by incident responders and investigators is not enabled or configured when it comes to logging. To help get system logs properly Enabled and Configured, below are some cheat sheets to help you do logging well and so the needed data we all need is there when we look.

Cheat Sheets to help you in configuring your systems:

  • The Windows Logging Cheat SheetUpdated Feb 2019

  • The Windows Advanced Logging Cheat SheetUpdated Feb 2019

  • The Windows HUMIO Logging Cheat Sheet Released June 2018

  • The Windows Splunk Logging Cheat Sheet Updated Sept 2019

  • The Windows File Auditing Logging Cheat Sheet Updated Nov 2017

  • The Windows Registry Auditing Logging Cheat Sheet Updated Aug 2019

  • The Windows PowerShell Logging Cheat Sheet Updated Sept 2018

  • The Windows Sysmon Logging Cheat Sheet Updated Jan 2020

MITRE ATT&CK Cheat Sheets

Splunk Spl Commands Cheat Sheet

  • The Windows ATT&CK Logging Cheat Sheet Released Sept 2018

  • The Windows LOG-MD ATT&CK Cheat Sheet Released Sept 2018

The MITRE ATT&CK Logging Cheat Sheets are available in Excel spreadsheet form on the following Github:

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Splunk commands pdf

Update Log:

SysmonLCS:Jan 2020 ver 1.1

  • Fixed GB to Kb on log size

WSplunkLCS:Sept 2019 ver 2.22

  • Minor code tweaks, conversion

WSysmonLCS:Aug 2019 ver 1.0

  • Initial release

WRACS:Aug 2019 ver 2.5

  • Added a few more items

WSLCS:Feb 2019 ver 2.21

  • Fixed shifted box, cleanup only

WLCS:Feb 2018 ver 2.3

Sheet
  • Added a couple items from Advanced

  • Adjust a couple settings

  • General Clean up

  • Referenced the Windows Advanced Logging Cheat Sheet

Splunk spl cheat sheet

WALCS: Feb 2019 ver 1.2

  • Updated and added several items

WHLCS:June 2018 ver 1.0

  • Initial release

WFACS: Oct 2016 ver 1.2

  • Added a few new locations

WRACS: oct 2016 ver 1.2

  • Added many autorun keys

  • Sorted the keys better

WSLCS:Mar 2018 ver 2.1.1

  • Fixed shifted box, cleanup only

WLCS:Jan 2016 ver 2.0

  • Added Event code 4720 - New user account created

  • Changed references to File and Registry auditing to point to the new File and Registry auditing Cheat Sheets

  • Expanded info on Command Line Logging

WRACS: Jan 2016 ver 1.1

Splunk Cheat Sheet Pdf

Sheet

Splunk Commands Pdf

  • Sort HKLM Keys

  • Added keys to monitor PowerShell and Command Line log settings

  • Updated HKCU and USERs.DEFAULT info

  • Added info about HKCU unable to be set in Security Templates

  • Added PowerShell script to set HKCU Registry Auditing