Splunk SPL is the language used in Splunk, a robust SIEM solution for searching and exploring machine data. Search Processing Language (SPL) enhances search effectiveness by combining various functions and commands to create optimized and complex search queries. This room will explore key fundamentals of searching capability, focusing on chaining SPL queries to construct queries ranging from simple to complex.
Explore these concepts in a hands-on way with the resources available at TryHackMe - Splunk: Exploring SPL
Before you proceed, deploy the machine. You can access the lab in the AttackBox, or click here https://Machine_IP[.]p[.]thmlabs[.]com to start it in your browser once the machine is fully up. Please allow 3-5 minutes for the machine to start.
Open Splunk, click Search & Reporting, then open Data Summary to see which hosts have sent data.
Step 1: Click Search & Reporting
Step 2: Click Data Summary
The Hosts tab lists the hostname of the machine, which answers Q2.
First, open Splunk.
Then go to Search & Reporting.
Then open Search History to review the queries that have been run.
To answer this question: In the search History, what is the 7th search query in the list? (excluding your searches from today)
Count down the list, skipping any searches made today; the 7th query is the answer.
To answer this question: In the left field panel, which Source IP has recorded max events?
First, search for everything related to the host cyber-host.
Next, we need the source IP field in the left panel.
Click All Fields.
Search for the sourceip field and select it, after which it appears in the field panel.
Click the source IP field.
Splunk lists every IP present in these events together with the number of events for each, sorted by count.
The IP at the top of that list has the most events and is the answer to this question.
Third question: How many events are returned when we apply the time filter to display events on 04/15/2022 and Time from 08:05 AM to 08:06 AM?
First, open the time picker and choose Date & Time Range.
Then choose Between and set the date, the start time and the end time.
Then click Apply.
The event count shown above the results is the answer: 134 events.
That is the final answer for Task 3.
First question: How many Events are returned when searching for Event ID 1 AND User as James?
First, search on EventID="1".
Then open the User field in the left panel. The value is stored as Cybertees\James, and clicking it adds a filter for that user to the search.
The event count returned by the combined search is the answer.
Second question: How many events are observed with Destination IP 172.18.39.6 AND destination Port 135?
Search with both field conditions: DestinationIp="172.18.39.6" AND DestinationPort=135
The closing quote must end right after the IP address. If it is placed after 135, the whole text 172.18.39.6 AND DestinationPort=135 becomes the single value compared against DestinationIp, and the search returns nothing.
This returns the answer: 4 events
Third question: What is the Source IP with highest count returned with this Search query?
Search Query: index=windowslogs Hostname="Salena.Adam" DestinationIp="172.18.38.5"
Run the query as given, then open the source IP field in the left panel; the value with the highest count is the answer.
The answer is: 172.90.12.11
Fourth question: In the index windowslogs, search for all the events that contain the term cyber. How many events are returned?
Searching the windowslogs index for the bare term cyber returns nothing here, because a bare term matches only complete indexed tokens (case-insensitively); it does not match a longer token such as Cybertees.
The answer is: 0 events
Fifth question: Now search for the term cyber*. How many events are returned?
The trailing * is a wildcard, so every token that begins with cyber now matches.
The answer is: 12256 events
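The two behaviours above, the misplaced quote in the destination-IP search and the difference between the bare term cyber and the wildcard cyber*, are easiest to see with a small model of how Splunk matches a search string. The following Python is an added example written for this page; it is not Splunk's code or the room's, and its events are constructed (using the room's field names) rather than taken from the lab. It models only what the text relies on: a search string is a set of clauses joined by an implicit AND, field=value comparisons and bare terms are case-insensitive and accept * as a wildcard, and a bare term must equal a whole indexed token. The breaker characters and tokenization are a simplification of Splunk's segmentation, not a copy of it.

```python
"""Python model of how Splunk matches a search string against events.

This is an added example, not code from the TryHackMe room or from Splunk.
The events below are constructed, not lab data; field names follow the
Sysmon fields the room uses (EventID, User, Hostname, DestinationIp ...).
"""
import fnmatch
import re

# Constructed sample events, as Splunk would show them after field extraction.
EVENTS = [
    {"index": "windowslogs", "EventID": "1", "User": "Cybertees\\James",
     "Hostname": "James.brown", "DestinationIp": "", "DestinationPort": ""},
    {"index": "windowslogs", "EventID": "3", "User": "Cybertees\\Salena",
     "Hostname": "Salena.Adam", "DestinationIp": "172.18.39.6", "DestinationPort": "135"},
    {"index": "windowslogs", "EventID": "3", "User": "Cybertees\\Salena",
     "Hostname": "Salena.Adam", "DestinationIp": "172.18.39.6", "DestinationPort": "445"},
    {"index": "windowslogs", "EventID": "1", "User": "Cybertees\\James",
     "Hostname": "James.brown", "DestinationIp": "", "DestinationPort": ""},
    {"index": "windowslogs", "EventID": "3", "User": "NT AUTHORITY\\SYSTEM",
     "Hostname": "Salena.Adam", "DestinationIp": "172.18.39.6", "DestinationPort": "135"},
]

# One search clause: field="quoted value", field=value, "quoted term" or bare term.
CLAUSE = re.compile(
    r'(?P<field>\w+)=(?:"(?P<qval>[^"]*)"|(?P<val>\S+))'
    r'|"(?P<qterm>[^"]*)"'
    r'|(?P<term>\S+)'
)

# Characters that end an indexed token. Splunk's real breaker list is longer;
# this subset (an assumption of the model) is enough to show token matching.
BREAKERS = re.compile(r'[\s"\'\\/:=@.,;()\[\]{}<>|-]+')


def parse_search(spl):
    """Turn a search string into ("field", name, value) and ("term", None, text)
    clauses. AND is Splunk's implicit operator, so an explicit one is dropped."""
    clauses = []
    for m in CLAUSE.finditer(spl):
        if m.group("field"):
            value = m.group("qval") if m.group("qval") is not None else m.group("val")
            clauses.append(("field", m.group("field"), value))
        else:
            term = m.group("qterm") if m.group("qterm") is not None else m.group("term")
            if term.upper() != "AND":
                clauses.append(("term", None, term))
    return clauses


def event_tokens(event):
    """Approximate the indexed terms of an event: each field value as a whole
    plus its breaker-separated pieces, all lower-cased (terms are case-insensitive)."""
    tokens = set()
    for value in event.values():
        text = str(value).lower()
        if text:
            tokens.add(text)
        tokens.update(t for t in BREAKERS.split(text) if t)
    return tokens


def matches(event, clauses):
    """Every clause must match (implicit AND). Field comparisons and bare terms
    are case-insensitive and accept * as a wildcard."""
    tokens = event_tokens(event)
    for kind, field, value in clauses:
        pattern = value.lower()
        if kind == "field":
            if not fnmatch.fnmatchcase(str(event.get(field, "")).lower(), pattern):
                return False
        elif not any(fnmatch.fnmatchcase(tok, pattern) for tok in tokens):
            return False
    return True


def search(spl, events=EVENTS):
    """Return the events matched by a search string (the part of an SPL
    query before the first pipe)."""
    clauses = parse_search(spl)
    return [e for e in events if matches(e, clauses)]


if __name__ == "__main__":
    # Correct quoting: two clauses, both must match.
    print(len(search('DestinationIp="172.18.39.6" AND DestinationPort=135')))
    # Misplaced quote: a single clause whose literal value no event carries.
    print(len(search('DestinationIp="172.18.39.6 AND DestinationPort=135"')))
    # A bare term must equal a whole token; the wildcard matches a prefix.
    print(len(search("index=windowslogs cyber")), len(search("index=windowslogs cyber*")))
```

With the constructed events the correctly quoted search returns two events, the mis-quoted one returns none, and cyber matches nothing while cyber* matches the four events whose User begins with Cybertees. The same parse-then-match order is why the lab search with the misplaced quote would silently return zero rather than error out.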
First question
What is the third EventID returned against this search query?
Search Query: index=windowslogs | table _time EventID Hostname SourceName | reverse
The query builds a table with the _time, EventID, Hostname and SourceName columns, then reverse flips the order so the oldest event is listed first.
Run it and read the EventID in the third row.
The answer is: 4103
Second question
Use the dedup command against the Hostname field before the reverse command in the query mentioned in Question 1. What is the first username returned in the Hostname field?
dedup keeps only the first event seen for each Hostname value and drops the rest. Placed before reverse, it keeps each host's newest event, and the reverse that follows decides which host ends up on top, so the position of dedup in the pipeline changes the result.
Like this: index=windowslogs | table _time EventID Hostname SourceName | dedup Hostname | reverse
The answer is: Salena.Adam
First question
Using the reverse command with the search query index=windowslogs | table _time EventID Hostname SourceName, what is the Hostname that comes on top?
The answer is: James.brown
Second question
What is the last EventID returned when the query in question 1 is updated with the tail command?
Here we use the tail command, which returns the last N results (10 by default) in reverse order, so the final event of the result set is listed first.
Like this: index=windowslogs | table _time EventID Hostname SourceName | tail
The answer is: 4103
Third question
Sort the above query against the SourceName. What is the top SourceName returned?
Here we use the sort command, which orders the results ascending by the given field (prefix the field with - for descending order):
index=windowslogs | table _time EventID Hostname SourceName | sort SourceName
The first row after sorting is the top SourceName.
The answer is: 4103
First question
List the top 8 Image processes using the top command. What is the total count of the 6th Image?
Here we use the top command, which lists the most frequent values of a field along with a count and percent column:
index=windowslogs | top limit=8 Image
limit=8 restricts the output to the eight most frequent Image values; read the count in the 6th row.
The answer is: 196
Second question
Using the rare command, identify the user with the least number of activities captured.
Here we use the rare command:
index=windowslogs | rare User
rare is the counterpart of top: it lists the least frequent values of a field, which makes it useful for spotting anomalies such as an account or process that appears only a handful of times.
The answer is: James
Third question
Create a pie chart using the chart command. What is the count for the conhost.exe process?
The question asks for the chart command, so the intended query is index=windowslogs | chart count by Image, with the Visualization tab switched to Pie Chart; each slice is one Image value and its count.
The same count can be read from a top search:
index=windowslogs* "conhost.exe" | top limit=20 Image
This search lists the 20 most frequent Image values among the events in the windowslogs index that contain the term conhost.exe, with the count for each.
The answer is: 70
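The last three tasks all chain transforming commands (table, dedup, reverse, tail, sort, top, rare and chart count by), and the answers depend on details such as dedup keeping the first occurrence in whatever order it receives, tail returning its rows in reverse order, and sort being ascending unless the field is prefixed with a minus sign. The Python below is an added example written for this page, not code from the TryHackMe room or from Splunk; it models each of those commands over a handful of constructed events listed newest first, which is how Splunk passes results to the first command after the pipe. The events and their values are invented for illustration.

```python
"""Python model of the SPL commands chained in the tasks above: table, dedup,
reverse, tail, sort, top, rare and chart count by.

This is an added example, not code from the TryHackMe room or from Splunk.
The events are constructed and are listed newest first, which is the order
Splunk hands results to the first command after the pipe.
"""
from collections import Counter

# Constructed events (not lab data), newest first as Splunk returns them.
EVENTS = [
    {"_time": "2022-04-15 08:06:00", "EventID": "1", "Hostname": "Salena.Adam",
     "SourceName": "Microsoft-Windows-Sysmon", "Image": "C:\\Windows\\System32\\cmd.exe",
     "User": "Cybertees\\Salena"},
    {"_time": "2022-04-15 08:05:40", "EventID": "3", "Hostname": "James.brown",
     "SourceName": "Microsoft-Windows-Sysmon", "Image": "C:\\Windows\\System32\\svchost.exe",
     "User": "Cybertees\\James"},
    {"_time": "2022-04-15 08:05:20", "EventID": "4103", "Hostname": "Salena.Adam",
     "SourceName": "Microsoft-Windows-PowerShell", "Image": "C:\\Windows\\System32\\conhost.exe",
     "User": "Cybertees\\Salena"},
    {"_time": "2022-04-15 08:05:00", "EventID": "1", "Hostname": "Salena.Adam",
     "SourceName": "Microsoft-Windows-Sysmon", "Image": "C:\\Windows\\System32\\conhost.exe",
     "User": "Cybertees\\Salena"},
]


def table(events, *fields):
    """table f1 f2 ...: keep only the named fields, in the order given."""
    return [{f: e.get(f, "") for f in fields} for e in events]


def dedup(events, field):
    """dedup field: keep the first event seen for each value, in the current
    order. Because it keeps the first occurrence, the result depends on
    whether it runs before or after reverse."""
    seen, kept = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            kept.append(e)
    return kept


def reverse(events):
    """reverse: flip the order, so the oldest event comes first."""
    return list(reversed(events))


def tail(events, n=10):
    """tail N: the last N results (10 by default), returned in reverse order."""
    return list(reversed(events[-n:]))


def sort_by(events, field, descending=False):
    """sort field: ascending by default; SPL's 'sort -field' is descending=True."""
    return sorted(events, key=lambda e: e[field], reverse=descending)


def _with_percent(field, pairs, total):
    """Shape (value, count) pairs like top/rare output: value, count, percent."""
    return [{field: v, "count": c, "percent": round(100.0 * c / total, 6)}
            for v, c in pairs]


def top(events, field, limit=10):
    """top limit=N field: most frequent values first, with count and percent."""
    counts = Counter(e[field] for e in events)
    return _with_percent(field, counts.most_common(limit), sum(counts.values()))


def rare(events, field, limit=10):
    """rare field: least frequent values first, with count and percent."""
    counts = Counter(e[field] for e in events)
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]
    return _with_percent(field, ordered, sum(counts.values()))


def chart_count_by(events, field):
    """chart count by field: one row per value with its count; the pie
    visualization in the Splunk UI renders exactly this table."""
    counts = Counter(e[field] for e in events)
    return [{field: v, "count": c} for v, c in sorted(counts.items())]


if __name__ == "__main__":
    base = table(EVENTS, "_time", "EventID", "Hostname", "SourceName")
    # dedup before reverse keeps each host's newest event; after reverse, its oldest,
    # and a different host ends up in the first row.
    print([e["Hostname"] for e in reverse(dedup(base, "Hostname"))])
    print([e["Hostname"] for e in dedup(reverse(base), "Hostname")])
    print(top(EVENTS, "Image", limit=8)[0])
    print(rare(EVENTS, "User")[0])
    print(chart_count_by(EVENTS, "Image"))
```

The two dedup lines in the main block are the point of the second task in this section: with dedup before reverse the first Hostname is James.brown, with dedup after reverse it is Salena.Adam, on the same four events. The chart_count_by output is the table behind the pie chart, so the conhost.exe slice is simply that row's count.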
That concludes the Splunk SPL room, your hub for mastering the basics of the Search Processing Language.
Happy exploring!