
Advanced SPL Queries


Learning Objectives

  • Write advanced SPL queries for complex analysis
  • Use subsearches and lookups effectively
  • Optimize query performance for large datasets

Basic SPL handles straightforward questions. Advanced SPL tackles complex analysis—correlating across sources, enriching with context, and finding patterns that simple searches miss.

Subsearches

Subsearches execute first, returning results used by the outer search. Enclose them in square brackets:

index=firewall action=blocked [search index=threat_intel | fields ip | rename ip as src_ip]

This finds firewall blocks where the source IP appears in threat intelligence. The subsearch runs first, returning a list of known-bad IPs. The outer search then filters firewall logs to those IPs.

Subsearches have limitations: they are capped at a maximum number of results and a maximum run time, and they add processing time to the outer search. Use them when the returned set is small, and consider alternatives for large-scale correlation.
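A fuller version of the threat-intel correlation, added here as an example (it is not part of the original lesson). It assumes a threat_intel index whose events carry an ip field and a firewall index with src_ip, dest_ip and dest_port. The first search keeps the subsearch but deduplicates it, gives it its own time window and bounds its output; the second answers the same question without a subsearch, which is the form to prefer when the intel list is larger than the subsearch result cap.

```spl
index=firewall action=blocked
    [ search index=threat_intel earliest=-7d
      | dedup ip
      | rename ip AS src_ip
      | return 10000 src_ip ]
| stats count AS blocks, dc(dest_ip) AS targets, values(dest_port) AS ports BY src_ip
| sort - blocks

(index=firewall action=blocked) OR index=threat_intel
| eval src_ip=coalesce(src_ip, ip)
| eval origin=if(index="threat_intel", "intel", "firewall")
| stats values(origin) AS sources, count(eval(origin="firewall")) AS blocks, dc(dest_ip) AS targets BY src_ip
| where mvcount(sources)=2
| sort - blocks
```

Two points worth checking when you run this. A subsearch inherits the outer search's time range unless it sets its own, which is why earliest=-7d sits inside the brackets; return then emits (src_ip="a") OR (src_ip="b") ... for the outer search to match. The second form reads both indexes in one pass, tags each event with its origin, and keeps only addresses seen in both, so it is not bound by the subsearch cap and scales with the data rather than with the size of the intel list.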

Lookups

Lookups enrich events with data from external tables. A CSV file mapping IP addresses to asset information can add context automatically:

| lookup asset_info ip as src_ip OUTPUT asset_name, criticality, owner

Events gain new fields from the lookup table. Now your search results include who owns each system and how critical it is.

Automatic lookups apply without explicit commands. Configure them once, and every search benefits from enrichment.
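An enrichment search built on the lookup above, added as an example (not the lesson's own code). It assumes a lookup definition named asset_info with columns ip, asset_name, criticality and owner, applied to both ends of each blocked connection. OUTPUTNEW fills only fields that are still empty, so an existing field in the event is not overwritten; fillnull makes addresses missing from the inventory visible as "unknown" instead of silently dropping them from the stats, and the where clause surfaces blocks that touch a high-criticality asset or come from an unknown one.

```spl
index=firewall action=blocked
| lookup asset_info ip AS src_ip OUTPUTNEW asset_name AS src_asset, criticality AS src_criticality, owner AS src_owner
| lookup asset_info ip AS dest_ip OUTPUTNEW asset_name AS dest_asset, criticality AS dest_criticality, owner AS dest_owner
| fillnull value="unknown" src_asset, src_criticality, src_owner, dest_asset, dest_criticality, dest_owner
| where dest_criticality="high" OR src_asset="unknown"
| stats count AS blocks, values(dest_port) AS ports BY src_ip, src_asset, dest_ip, dest_asset, dest_criticality, dest_owner
| sort - blocks
```

To confirm the table itself before trusting the enrichment, run | inputlookup asset_info and check that the ip column holds one address per row in the same form the firewall logs use; a mismatch in field values (trailing spaces, CIDR ranges instead of single addresses) is the usual reason a lookup returns nothing.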

Transactions

The transaction command groups related events:

| transaction src_ip maxspan=1h

This groups events sharing src_ip occurring within one hour. Transactions reveal sequences—all actions by a user session, all stages of an attack from a single source.
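A transaction with explicit boundaries, added as an example rather than taken from the lesson. It assumes authentication events in an auth index with the sourcetype linux_secure and CIM-style action, user and src_ip fields. Each transaction opens on a failure and closes on the first success from the same source for the same account; eventcount and duration are fields the transaction command adds itself, so the search reports how many failures preceded a success and how long the sequence took.

```spl
index=auth sourcetype=linux_secure (action=failure OR action=success)
| transaction src_ip, user maxspan=15m maxpause=2m startswith=eval(action=="failure") endswith=eval(action=="success")
| where eventcount > 5
| eval failures=eventcount-1
| table _time, src_ip, user, failures, duration
| sort - failures
```

maxspan bounds the whole sequence and maxpause bounds the gap between consecutive events, so a slow trickle of failures spread over hours is split into separate transactions rather than merged. Because transaction holds events in memory until a boundary is reached, reserve it for questions that need ordering or duration; when a count per source is enough, stats answers the same question far more cheaply.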

Statistical Correlation

Advanced stats enable complex analysis:

| stats count by src_ip, dest_ip
| where count > 100
| stats dc(dest_ip) as targets by src_ip
| where targets > 50

This finds source IPs connecting to many destinations—potential scanning or lateral movement.
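The same fan-out analysis carried a step further, added here as an example and not part of the original lesson. It assumes firewall events with src_ip, dest_ip and dest_port. Bucketing by hour keeps a busy server that talks to many hosts over a day from looking like a scanner, eventstats provides a baseline from the whole result set so the threshold adapts to the environment, and the final eval separates a sweep across many hosts from a probe of many ports on few hosts.

```spl
index=firewall earliest=-24h
| bin _time span=1h
| stats count AS conns, dc(dest_ip) AS targets, dc(dest_port) AS ports BY _time, src_ip
| eventstats perc95(targets) AS p95_targets
| where targets > 50 AND targets > p95_targets
| eval pattern=case(targets > 10*ports, "horizontal sweep", ports > 10*targets, "vertical scan", true(), "mixed")
| table _time, src_ip, conns, targets, ports, pattern
| sort - targets
```

The fixed threshold of 50 and the 10:1 ratios in the case expression are starting values for tuning, not constants; review the hourly distribution of targets for known scanners, vulnerability-management hosts and monitoring systems first, and add those sources to a lookup-based allowlist rather than raising the threshold for everyone.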

Performance Optimization

Splunk works best when searches are specific. Always specify time ranges—unbounded searches are slow. Use index and sourcetype filters early in the pipeline. Field-level filters perform better than full-text searches.

Dense searches (those that match a large fraction of the events in the time range) benefit from acceleration. Accelerated data models and reports store pre-indexed tsidx summaries that give fast paths to common analyses. Summary indexing pre-calculates expensive aggregations on a schedule.
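Three searches that answer the same question at different cost, added as an example (not the lesson's own). The first is the slow form: no time bound, no index or sourcetype, a full-text term, and the field filter applied after the events are already retrieved. The second restricts by index, sourcetype, field and time in the base search so the filtering happens in the indexers. The third reads the accelerated summaries of the CIM Network_Traffic data model with tstats instead of raw events; it assumes that model is installed and accelerated, and the pan:traffic sourcetype in the second search is likewise an assumption.

```spl
"blocked"
| search action=blocked
| stats count BY src_ip

index=firewall sourcetype=pan:traffic action=blocked earliest=-24h latest=now
| stats count BY src_ip

| tstats summariesonly=true count AS conns, dc(All_Traffic.dest) AS targets
    FROM datamodel=Network_Traffic
    WHERE All_Traffic.action="blocked"
    BY All_Traffic.src, _time span=1h
| rename All_Traffic.* AS *
| where targets > 50
| sort - targets
```

Two caveats for the tstats form. Outside a data model, tstats can only group by fields that are indexed (host, source, sourcetype, _time and any explicitly indexed fields), so a raw-index tstats BY src_ip returns nothing if src_ip is extracted at search time. And summariesonly=true silently omits any time range the acceleration has not yet summarised, so compare its totals against the raw search once before relying on it for detection.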

Answer the Questions

Question 1 (Knowledge): What advanced SPL techniques exist?
Format: ******* (7 chars), exact match required

Question 2 (Hands-On): What SPL command groups events by ID?
Format: *********** (11 chars), exact match required

Question 3 (Knowledge): How do you create lookups?
Format: ********* (9 chars), exact match required

Question 4 (Hands-On): What SPL command adds data from a CSV?
Format: ****** (6 chars), exact match required
