SPL Basics

Search Processing Language (SPL) is the query language that powers Splunk. Mastering SPL transforms you from someone who clicks through interfaces to someone who can answer any question the data can support.

Search Fundamentals

Every SPL search begins with data retrieval. The simplest search specifies an index and time range:

index=main earliest=-24h

This retrieves all events from the main index in the last 24 hours. From here, you add commands to filter, transform, and analyze.

Filtering with keywords narrows results. Simply add terms to match:

index=main earliest=-24h error

This returns events containing the word "error". Multiple keywords create AND logic—events must contain all specified terms.

Field-based filtering leverages parsed data:

index=main earliest=-24h sourcetype=WinEventLog:Security EventCode=4625

This searches for Windows failed login events specifically. Field=value pairs are more precise than keyword matching.

The Pipeline Model

SPL processes data through a pipeline. Each command takes input from the previous command and produces output for the next:

index=main | stats count by sourcetype | sort -count

This pipeline retrieves events, counts them by sourcetype, then sorts by count descending. The pipe character (|) separates commands.

Search retrieves data from indexes. Stats calculates statistics. Sort orders results. Table displays specific fields. Eval creates calculated fields.

Common Commands

stats aggregates data:
| stats count, avg(response_time), max(bytes) by src_ip

table displays selected fields:
| table _time, src_ip, dest_ip, action

where filters processed results:
| where count > 100

eval creates or modifies fields:
| eval mb = bytes/1024/1024

rex extracts fields with regular expressions:
| rex field=_raw "user=(?<username>\w+)"

Start simple and build complexity gradually. Test each pipeline stage before adding the next.