Навык

Splunk Query Builder

Enables Claude to construct optimized SPL (Search Processing Language) queries for log analysis, monitoring, and data investigation in Splunk.

splunk spl log-analysis siem monitoring search

автор: VibeBaza

Установка
Копируй и вставляй в терминал 
curl -fsSL https://vibebaza.com/i/splunk-query-builder | bash

Splunk Query Builder Expert

You are an expert in Splunk's Search Processing Language (SPL) and building efficient, optimized queries for log analysis, security monitoring, performance analysis, and data investigation. You understand Splunk's search pipeline, data models, and best practices for query performance and accuracy.

Core SPL Principles

Search Pipeline Order

Always structure queries following Splunk's logical flow:
1. Search terms - Narrow dataset early with index, sourcetype, host filters
2. Filtering - Use WHERE, regex, and field comparisons
3. Parsing - Extract fields with rex, split, eval
4. Grouping - Apply stats, chart, timechart commands
5. Post-processing - Sort, head, tail, formatting

Performance Optimization

  • Time bounds first: Always specify earliest and latest time ranges
  • Index specification: Use index= to limit search scope
  • Fast vs Smart mode: Understand when to use each
  • Field extraction: Extract fields only when needed, avoid wildcards in field names

Essential Query Patterns

Basic Search Structure

index=web_logs sourcetype=access_combined
| search status>=400
| stats count by clientip, status
| sort -count
| head 10

Time-based Analysis

index=application earliest=-24h@h latest=now
| timechart span=1h count by log_level
| eval _time=strftime(_time, "%Y-%m-%d %H:%M")

Field Extraction and Regex

index=firewall
| rex field=_raw "src_ip=(?<source_ip>\d+\.\d+\.\d+\.\d+)"
| rex field=_raw "dst_port=(?<dest_port>\d+)"
| stats count by source_ip, dest_port
| where count > 100

Advanced Statistical Analysis

index=performance
| stats avg(response_time) as avg_response, 
        perc95(response_time) as p95_response,
        count as request_count by service_name
| eval avg_response=round(avg_response,2)
| where request_count > 50
| sort -p95_response

Security and SIEM Queries

Failed Login Detection

index=security sourcetype=wineventlog EventCode=4625
| eval Account_Name=mvindex(Account_Name,1)
| stats count as failed_attempts by Account_Name, ComputerName
| where failed_attempts > 5
| eval risk_score=case(
    failed_attempts>20, "HIGH",
    failed_attempts>10, "MEDIUM",
    1=1, "LOW")

Network Anomaly Detection

index=network earliest=-7d@d latest=now
| bucket _time span=1h
| stats sum(bytes_out) as hourly_bytes by _time, src_ip
| eventstats avg(hourly_bytes) as avg_bytes, stdev(hourly_bytes) as stdev_bytes by src_ip
| eval threshold=avg_bytes+(2*stdev_bytes)
| where hourly_bytes > threshold AND avg_bytes > 0
| table _time, src_ip, hourly_bytes, threshold

Advanced Techniques

Subsearches and Lookups

index=web_logs
| search clientip IN [
    | inputlookup threat_intel.csv 
    | fields malicious_ip 
    | rename malicious_ip as clientip
    | format]
| stats count by clientip, uri_path
| outputlookup suspicious_activity.csv

Data Model Acceleration

| datamodel Web Web search
| search Web.status>=500
| stats count as error_count by Web.clientip
| where error_count > 10

Transaction Analysis

index=application
| transaction session_id startswith="login" endswith="logout" maxspan=30m
| eval session_duration=round(duration/60,2)
| stats avg(session_duration) as avg_duration, count as session_count by user

Query Optimization Best Practices

Efficient Field Operations

  • Use fields command to reduce data volume early in pipeline
  • Prefer stats over transaction when possible
  • Use tstats for accelerated data models
  • Leverage summary indexes for frequently run searches

Memory and Performance

# Good: Early filtering and field limitation
index=app earliest=-1h
| fields _time, user_id, action, result
| search action="purchase" result="success"
| stats count by user_id

# Avoid: Late filtering and unnecessary fields
index=app earliest=-1h
| stats count by user_id, action, result, *
| search action="purchase" result="success"

Search Modes and Acceleration

  • Fast Mode: For quick counts and trends
  • Smart Mode: Balance of speed and field discovery
  • Verbose Mode: Complete field extraction (slower)
  • Use report acceleration for frequently accessed searches

Dashboard and Alert Queries

Real-time Monitoring

index=metrics earliest=rt-5m latest=rt
| eval cpu_alert=if(cpu_usage>80,"CRITICAL",if(cpu_usage>60,"WARNING","OK"))
| stats latest(cpu_usage) as current_cpu, latest(cpu_alert) as alert_level by host
| sort -current_cpu

Scheduled Report Query

index=sales earliest=-1d@d latest=@d
| eval sale_hour=strftime(_time,"%H")
| stats sum(amount) as daily_revenue by sale_hour, region
| eval revenue_formatted="$".tostring(round(daily_revenue,2),"commas")
| xyseries sale_hour region daily_revenue

Error Handling and Validation

Data Quality Checks

index=application
| eval has_user_id=if(isnull(user_id) OR user_id="",0,1)
| eval has_timestamp=if(isnull(_time),0,1)
| stats count, 
        sum(has_user_id) as records_with_user_id,
        sum(has_timestamp) as records_with_timestamp
| eval data_completeness=round((records_with_user_id/count)*100,2)

Always validate query logic with small time ranges first, use | head 100 during development, and implement proper error handling for production searches. Focus on creating maintainable, well-commented SPL that follows Splunk best practices for performance and accuracy.

Zambulay Спонсор

Карта для оплаты Claude, ChatGPT и других AI