"Count all events"
"index=* | stats count"
"Count events by host"
"index=* | stats count by host"
"Count unique users"
"index=* | stats dc(user)"
"Show all unique users"
"index=* | stats values(user)"
"Show all user values including duplicates"
"index=* | stats list(user)"
"Display only host source"
"Show the most common users"
"index=* | top user"
"Show the least common users"
"index=* | rare user"
"Sort results by count from highest to lowest"
"… | sort -count"
"Sort results by count from lowest to highest"
"… | sort count"
"Remove duplicate users"
"index=* | dedup user"
"Keep only the host and user fields"
"index=* | fields host user"
"Rename src_ip to SourceIP"
"index=* | rename src_ip AS SourceIP"
"Filter for events where user is jdoe"
"index=* | search user=jdoe"
"Show only results where count is greater than 10"
"… | where count>10"
"Create a field named Status with value Success"
"… | eval Status=\"Success\""
"Count events by sourcetype"
"index=* | stats count by sourcetype"
"Create a chart of event count by host"
"index=* | chart count by host"
"Show event volume over time"
"index=* | timechart count"
"Search the last 24 hours"
"index=* earliest=-24h"
"Search the last 7 days"
"index=* earliest=-7d"
"Search the last 30 minutes"
"index=* earliest=-30m"
"Return only the first 10 results"
"index=* | head 10"
"Return only the last 10 results"
"index=* | tail 10"
"Enrich events using a lookup table"
"index=* | lookup mylookup keyfield OUTPUT valuefield"