Author: Aisha Moore
As a Splunk Architect, here are 5 of my favorite productivity tips for Splunk searches, reports, and dashboards.
Use Backticks to Comment Your Splunk Searches or Temporarily Ignore Some SPL Code
Adding comments to long and complex search strings makes the searches easier for you and others to understand.
To comment your SPL, put three backticks (```) at the beginning and end of your comment. The backtick key is above the Tab key on the keyboard, to the left of the "1" key.
When troubleshooting long and complex Splunk searches, you can also use backticks to tell Splunk to ignore parts of the code temporarily, instead of deleting it.
Use Professional Naming Conventions to Better Organize Your Saved Searches
Here are some popular naming conventions used by highly organized Splunk Engineers:
| Use Case | Example | Formula |
|---|---|---|
| Saved Search to Generate Lookup Table | Mycompany_assets.csv – Generator | <csvFileName.csv> – Generator |
| Saved Search to Populate Summary Index | Vulnerability Base Search – Summary | <ClearConciseName> – Summary |
| Report From One Group/Region | Vulnerabilities – US East – Report | <ClearConciseName> – Report |
Use Layered Knowledge Objects for Complex Reports and Dashboards
This works well for aggregated inventories (such as VM inventories across the AWS, GCP, and Azure hyperscalers) and for vulnerability reporting across multiple groups or regions of servers or containers.
The benefit is that when changes are needed, you make them at the relevant layer and the change automatically flows through to the later layers.
Example 1: Vulnerability Reporting by Region/Group
- First: Create one large base search, with multiple appends, that writes its results into a summary index with | collect
- Then: Run individual reports for each group/region that pull from the summary index data
Example 2: CMDB/ Aggregate Asset Inventory
- First, create one macro per asset type (e.g. ec2_instances, s3_buckets, ecr_images) that pulls the data, filters the results, and outputs a table with the needed fields extracted (e.g. `ec2_instances_cmdb`)
- Next, create one saved search per asset type that calls the macro, normalizes the field names, and outputs to an individual asset CSV file <assetType_inventory.csv>
- Next, create a saved search that aggregates all the data from the CSV files and outputs to a CSV or summary index:
| inputlookup assetType1_inventory.csv | append [| inputlookup assetType2_inventory.csv]
| outputlookup aggregate_asset_inventory.csv
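As an added example (not from the original post), here is how the three layers of Example 2 can be expressed as Splunk configuration stanzas; the index, sourcetype, and field names are assumptions, and the macros.conf and savedsearches.conf stanzas are shown in one block although they live in separate files.

```ini
# macros.conf -- layer 1: one macro per asset type (assumed index/sourcetype/field names)
[ec2_instances_cmdb]
definition = index=aws sourcetype="aws:description" source="*ec2_instances*" \
  | table instance_id, instance_name, private_ip_address, region
iseval = 0

[s3_buckets_cmdb]
definition = index=aws sourcetype="aws:description" source="*s3_buckets*" \
  | table bucket_name, region, creation_date
iseval = 0

# savedsearches.conf -- layer 2: one generator per asset type, normalizing field
# names to a common schema before writing the per-type CSV
[ec2_instances_inventory.csv - Generator]
search = `ec2_instances_cmdb` | eval asset_type="ec2_instance" \
  | rename instance_id AS asset_id, instance_name AS asset_name, private_ip_address AS ip \
  | table asset_id, asset_name, ip, region, asset_type \
  | outputlookup ec2_instances_inventory.csv
cron_schedule = 0 1 * * *
enableSched = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

[s3_buckets_inventory.csv - Generator]
search = `s3_buckets_cmdb` | eval asset_type="s3_bucket", ip="n/a" \
  | rename bucket_name AS asset_id | eval asset_name=asset_id \
  | table asset_id, asset_name, ip, region, asset_type \
  | outputlookup s3_buckets_inventory.csv
cron_schedule = 0 1 * * *
enableSched = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

# layer 3: aggregate the per-type CSVs into one inventory, scheduled an hour
# after the generators so it always reads the freshest lookups
[aggregate_asset_inventory.csv - Generator]
search = | inputlookup ec2_instances_inventory.csv \
  | append [| inputlookup s3_buckets_inventory.csv] \
  | outputlookup aggregate_asset_inventory.csv
cron_schedule = 0 2 * * *
enableSched = 1
```

Because every generator emits the same five normalized fields, a new asset type only needs its own macro and generator stanza; the aggregate search just gains one more append.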
Use Send Email Command To Quickly Get CSV of Results
There are often a lot of steps to get a CSV file of Splunk search results out of a security boundary or a VDI and down to your local laptop's Documents folder.
That's where Splunk's sendemail command shortens this process.
Just modify the sendemail SPL below and add it to the end of your search string:
...| sendemail to="<recipient email address>" subject="Results from my Quick Search"
sendresults=true format=csv sendcsv=true
By default, it will use the mail server listed in Settings > Server Settings > Email Settings.
Splunk Send Email Docs
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail
Use MakeResults When Testing Later Parts of a Splunk Search String and Alerts
Whether you're trying to concatenate two fields, see if an email DL is receiving alerts, or generate a fake event in the notable index, Splunk's makeresults command can help.
You simply modify the code below:
| makeresults | eval field1="value", field2="value" ...