Loopus

SPL Basics

35 min
lab

Learning Objectives

  • Write basic SPL queries for log analysis
  • Understand search command syntax and structure
  • Use field extraction and filtering effectively

SPL Basics

Search Processing Language (SPL) is the query language that powers Splunk. Mastering SPL transforms you from someone who clicks through interfaces to someone who can answer any question the data can support.

Search Fundamentals

Every SPL search begins with data retrieval. The simplest search specifies an index and time range:

index=main earliest=-24h

This retrieves all events from the main index in the last 24 hours. From here, you add commands to filter, transform, and analyze.

Filtering with keywords narrows results. Simply add terms to match:

index=main earliest=-24h error

This returns events containing the word "error". Multiple keywords create AND logic—events must contain all specified terms.

Field-based filtering leverages parsed data:

index=main earliest=-24h sourcetype=WinEventLog:Security EventCode=4625

This searches for Windows failed login events specifically. Field=value pairs are more precise than keyword matching.

The Pipeline Model

SPL processes data through a pipeline. Each command takes input from the previous command and produces output for the next:

index=main | stats count by sourcetype | sort -count

This pipeline retrieves events, counts them by sourcetype, then sorts by count descending. The pipe character (|) separates commands.

Each command plays one role in that pipeline:

  • search retrieves data from indexes
  • stats calculates statistics
  • sort orders results
  • table displays specific fields
  • eval creates calculated fields

Common Commands

stats aggregates data:
| stats count, avg(response_time), max(bytes) by src_ip

table displays selected fields:
| table _time, src_ip, dest_ip, action

where filters processed results:
| where count > 100

eval creates or modifies fields:
| eval mb = bytes/1024/1024

rex extracts fields with regular expressions:
| rex field=_raw "user=(?<username>\w+)"

Start simple and build complexity gradually. Test each pipeline stage before adding the next.
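To make the stage-by-stage model concrete, here is an added Python sketch (not part of the lesson and not Splunk code) that runs the same pipeline over constructed events, so you can see what each stage hands to the next: the failed-logon filter, rex-style user extraction, stats count by src_ip, where, and sort -count. The event data, the helper names, and the SPL query in the comments are all constructed for this illustration.

```python
import re
from collections import Counter

def sec_event(code, src_ip, raw):
    """Constructed WinEventLog:Security-style event (not real Splunk output)."""
    return {"sourcetype": "WinEventLog:Security", "EventCode": code, "src_ip": src_ip, "_raw": raw}

# Constructed sample data: EventCode 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    sec_event("4625", "10.0.0.5", "An account failed to log on. user=alice"),
    sec_event("4625", "10.0.0.5", "An account failed to log on. user=bob"),
    sec_event("4625", "10.0.0.5", "An account failed to log on. user=alice"),
    sec_event("4625", "10.0.0.9", "An account failed to log on. user=carol"),
    sec_event("4624", "10.0.0.5", "An account was successfully logged on. user=alice"),
    {"sourcetype": "access_combined", "src_ip": "10.0.0.5", "_raw": "GET /login 200"},
]

def search(events, **fields):
    """Initial search: field=value filtering, every pair must match."""
    return [e for e in events if all(e.get(k) == v for k, v in fields.items())]

def rex(events, field, pattern):
    """rex: add named captures as new fields; non-matching events pass through."""
    regex = re.compile(pattern)
    return [{**e, **m.groupdict()} if (m := regex.search(e.get(field, ""))) else dict(e)
            for e in events]

def stats_count_by(events, field):
    """stats count by <field>: one row per value; events lacking the field are dropped."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: value, "count": n} for value, n in counts.items()]

def where(rows, predicate):
    """where: keep only result rows for which the predicate holds."""
    return [r for r in rows if predicate(r)]

def sort_desc(rows, field):
    """sort -<field>: descending order."""
    return sorted(rows, key=lambda r: r[field], reverse=True)

# SPL equivalent (constructed):  index=main sourcetype=WinEventLog:Security EventCode=4625
#   | rex field=_raw "user=(?<username>\w+)" | stats count by src_ip | where count > 2 | sort -count
def failed_logins_by_source(events, threshold=2):
    """Run the full pipeline; Python's re spells the named group (?P<username>...)."""
    stage = search(events, sourcetype="WinEventLog:Security", EventCode="4625")
    stage = rex(stage, "_raw", r"user=(?P<username>\w+)")
    stage = stats_count_by(stage, "src_ip")
    stage = where(stage, lambda r: r["count"] > threshold)
    return sort_desc(stage, "count")  # [{'src_ip': '10.0.0.5', 'count': 3}] for EVENTS
```

Printing `stage` after each assignment shows the intermediate result set, which is the same habit the lesson recommends when building a real SPL pipeline one command at a time.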

Answer the Questions

Question 1 (Knowledge)

What are basic SPL commands?

Format: ******** (8 chars), exact match required

Question 2 (Hands-On)

What SPL command creates a table of results?

Format: ***** (5 chars), exact match required

Question 3 (Knowledge)

How do you filter and transform data?

Format: ****** (6 chars), exact match required

Question 4 (Hands-On)

What SPL command uses regex to extract?

Format: *** (3 chars), exact match required