Posts

Showing posts from November, 2021

Nifty Splunk Tips

Just some Splunk tips and tricks I've found super helpful to have on hand.

Concatenate field1 and field2 as a new field named test.
• | eval test=field1.field2
• | eval test=field1."optional static text to concatenate".field2

Using regex to strip the file extension from a URL. Can use this to search for suspicious file types like xap and swf.
• index=au_proxy | rex field=url "\/[\(\)a-zA-Z0-9_-]*?\.(?<ext>[a-z0-9]{2,5})(\?|$)" | search ext=*

Perform a DNS lookup on an input domain and output the result as domainIP.
• | lookup dnslookup clienthost as inputdomain OUTPUT clientip as domainIP

Check the raw events.
• | table _raw, source

Ultra Toolbox thingy for parsing subdomains, extensions and filenames from URLs.
• | eval list="mozilla" | `ut_parse_extended(url,list)`

Sexy time formatting.
• | eval c_time=strftime(_time,"%m/%d/%y %H:%M:%S")

Use the results of one search and pipe it to another.
• index=wineventlog EventCode=4624 [search index=firewall dest_por...