Splunk Common Queries

Quick Commands

To see source types:
| tstats values(sourcetype) where index=winevent_kafka

Search by port:
index=* source=/nsm/bro/logs/current/conn.log id.resp_h=* id.resp_p=1182

Search by port and host:
index=* source=/nsm/bro/logs/current/conn.log id.resp_h=* id.resp_p=1182 | spath "id.resp_h" | search "id.resp_h"="192.168.20.217"

DNS QUERIES

Top 10 Clients by Volume of Requests
Capturing spikes or changes in client volumes may show early signs of data exfiltration.
tag=dns
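The following is an added example, not part of the original cheat sheet: a small Python script that reproduces offline what the port/host search and the "Top 10 Clients by Volume of Requests" query compute, and adds the spike check the DNS note motivates. It assumes Zeek/Bro conn.log and dns.log records in JSON form (dotted field names as spath would extract them); the log lines, the baseline counts and the threshold factor are all constructed for the example.

```python
"""Offline equivalents of the Splunk queries on this page, run over
constructed Zeek/Bro log records (hypothetical sample data, not real traffic).

search_by_port()  mirrors  index=* source=.../conn.log id.resp_p=<port> [id.resp_h=<host>]
top_clients()     mirrors  the "Top 10 Clients by Volume of Requests" DNS query
spike_clients()   adds the check the page motivates: clients whose request
                  volume jumps well above their usual baseline.
"""
import json
from collections import Counter

# Constructed conn.log records in JSON form. The dotted keys match the
# field names Splunk's spath extracts from Zeek's id.resp_h / id.resp_p.
CONN_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": 1.0, "id.orig_h": "10.0.0.5", "id.resp_h": "192.168.20.217", "id.resp_p": 1182, "proto": "tcp"},
    {"ts": 2.0, "id.orig_h": "10.0.0.6", "id.resp_h": "192.168.20.218", "id.resp_p": 1182, "proto": "tcp"},
    {"ts": 3.0, "id.orig_h": "10.0.0.7", "id.resp_h": "192.168.20.217", "id.resp_p": 443, "proto": "tcp"},
])

# Constructed dns.log records: which client (id.orig_h) asked for which name.
# 10.0.0.9 issues far more queries than the others to stand in for a spike.
_dns_rows = (
    [("10.0.0.5", "example.com")] * 3
    + [("10.0.0.6", "example.net")] * 2
    + [("10.0.0.9", f"{n}.lookup.example") for n in range(12)]
)
DNS_LOG = "\n".join(
    json.dumps({"ts": float(i), "id.orig_h": h, "query": q})
    for i, (h, q) in enumerate(_dns_rows)
)

# Hypothetical per-window baseline counts for each client (constructed).
BASELINE = {"10.0.0.5": 3, "10.0.0.6": 2, "10.0.0.9": 2}


def parse_log(text):
    """Parse newline-delimited JSON log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def search_by_port(records, resp_port, resp_host=None):
    """Records whose responder port (and, if given, responder host) match."""
    hits = [r for r in records if r.get("id.resp_p") == resp_port]
    if resp_host is not None:
        hits = [r for r in hits if r.get("id.resp_h") == resp_host]
    return hits


def top_clients(records, n=10):
    """Top-n clients by request count as (client, count) pairs, busiest first."""
    return Counter(r["id.orig_h"] for r in records).most_common(n)


def spike_clients(records, baseline, factor=3.0):
    """Clients whose current request count exceeds factor * their baseline.

    A client absent from the baseline is treated as having a baseline of 1,
    so a previously unseen client that suddenly queries a lot is still flagged.
    """
    current = Counter(r["id.orig_h"] for r in records)
    return sorted(
        client for client, count in current.items()
        if count > factor * max(baseline.get(client, 0), 1)
    )


if __name__ == "__main__":
    conn = parse_log(CONN_LOG)
    print("port 1182:", [r["id.resp_h"] for r in search_by_port(conn, 1182)])
    print("port 1182 + host:", search_by_port(conn, 1182, "192.168.20.217"))
    dns = parse_log(DNS_LOG)
    print("top clients:", top_clients(dns))
    print("spiking clients:", spike_clients(dns, BASELINE))
```

Running the script lists the two connections to port 1182, narrows them to the one destined for 192.168.20.217, ranks clients by DNS request volume, and flags 10.0.0.9, whose twelve queries exceed three times its baseline of two.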