20 Commonly Used SPL Commands in Splunk (With Examples)

Commonly Used SPL Commands in Splunk

Explore 20 commonly used SPL commands in Splunk, with example queries for stats, timechart, eval, eventstats, streamstats, rex, and more. Boost your Splunk search skills and write better dashboards and alerts.


🔈 Introduction

If you're learning Splunk, or even if you've been using it for a while, knowing the right SPL (Search Processing Language) commands can dramatically increase your efficiency, reduce time-to-insight, and help you write cleaner, faster searches. Below are 20 of the most commonly used SPL commands: what they do, when to use them, and real examples to illustrate each. Use these to level up your Splunk skills (and get your dashboards, alerts, and investigations running smoother).


📊 SPL Commands: Descriptions & Examples

Below is a table summarizing the commands with short descriptions. After that, each command is explained with example SPL (CLI style) usage.

 #  Command              Brief description
 1  search               Filter by index, field, keyword; foundational command.
 2  fields               Select which fields to include or exclude.
 3  table                Display results in tabular form with specified columns.
 4  top / rare           Show most common or least common values for a field.
 5  stats                Aggregate data with count, sum, avg, etc.
 6  timechart            Time-based statistical charting over intervals.
 7  chart                Multi-dimensional statistical summaries (non-time).
 8  eval                 Compute new fields, conditionals, rename values, etc.
 9  where                Filter events based on computed or existing fields.
10  rex                  Extract fields via regex.
11  spath                Extract fields from JSON / XML or nested data.
12  lookup               Enrich events using external lookup tables.
13  transaction          Group events into transactions (sessions, flows, etc.).
14  eventstats           Add aggregated statistics to each event without collapsing the result.
15  streamstats          Generate running totals, moving averages, cumulative stats, etc.
16  sort / dedup         Order results or remove duplicate events.
17  bin                  Bucket numeric values or timestamps into intervals.
18  join                 Combine main search results with subsearch results based on matching fields.
19  append / appendcols  Combine or append subsearch results in different ways.
20  head / tail          Keep only the first or last N results.

▶️ Command-by-command with Examples

Here are practical SPL examples you can copy or adapt.

🔄 1. search

Filters events by index, sourcetype, or specific field conditions.

    index=main sourcetype=apache_access status=404

Or explicitly:

    search index=main "error" OR status=500

🔄 2. fields

Reduces noise by limiting which fields are returned in the result set.

    index=main sourcetype=syslog | fields _time host user message

You can also exclude fields (here the raw event text and the index-time timestamp):

    index=main | fields - _raw _indextime

🔄 3. table

Generate a clean tabular layout for dashboards or reports:

    index=auth_logs | where action="failure" | table _time user src_ip reason

🔄 4. top/rare

Find frequent or infrequent values, often used in troubleshooting or outlier detection.

    index=web_logs | top clientip

    index=web_logs | rare status

🔄 5. stats

One of the most powerful transforming commands.

Examples:

    index=web_logs | stats count by status

    index=transactions | stats sum(amount) as total_amount, avg(amount) as avg_amount by customer_id

🔄 6. timechart

Useful for time-series trends and dashboard panels.

    index=web_logs | timechart span=1h count by status

    index=transactions | timechart span=30m sum(amount) as sales

🔄 7. chart

For non-time grouped summaries, e.g. counts over two dimensions:

    index=web_logs | chart count over status by method

🔄 8. eval

Create new fields, apply conditional logic, do math operations, use string functions, etc.

    index=web_logs | eval is_error = if(status>=500, "yes", "no")

Combine with math:

    ... | eval response_time_ms = latency * 1000

🔄 9. where

Filter after evaluation, using field values or expressions. Note that avg() is a stats function, not an eval function, so the average has to be attached to each event first (eventstats) before eval can use it:

    index=transactions | eventstats avg(amount) AS avg_amount | eval pct_above_avg = amount / avg_amount * 100 | where pct_above_avg > 150

💡 NOTE: where is used after you have fields to filter on.

🔄 10. rex

Extract pieces of raw data with regex, using named capturing groups:

    index=web_logs | rex field=_raw "user=(?<user>\w+)"

    ... | rex field=uri_path "/products/(?<product_id>\d+)/"

🔄 11. spath

Great for JSON or XML payloads; extracts nested fields cleanly.

    index=json_logs | spath input=body path=user.id output=user_id

    ... | spath output=profile.name path=profile.details.name

🔄 12. lookup

Enrich your events from external/static tables (CSV, KV store, etc.):

    index=main | lookup dns_lookup clientip AS src_ip OUTPUT domain

    ... | lookup user_info username OUTPUT display_name role

🔄 13. transaction

Group related events into a logical unit, often based on shared fields and time windows (the IN operator is written in uppercase, like AND/OR/NOT):

    index=web_logs sourcetype=security_event action IN ("login","logout")
    | transaction user maxspan=30m

🔄 14. eventstats

Unlike stats, it preserves the original events but adds aggregated info.

From Splunk docs:

💡 eventstats generates aggregations and adds them as a new field to each event.

Examples:

    index=web_logs | eventstats avg(bytes) AS avg_bytes

    index=web_logs | eventstats sum(bytes) AS total_bytes BY clientip

Then you can compare each event's bytes to the average or total.

🔄 15. streamstats

Running / streaming statistics: cumulative sums, moving averages, or differences between consecutive events.

Example:

    index=web_logs | sort _time | streamstats sum(bytes) as cumulative_bytes by clientip

✋ Use case: to see how much a given IP has sent over time up to each event.

🔄 16. sort/dedup

  • sort: order results

    index=web_logs | sort - bytes

  • dedup: keep only one event per value of a field

    index=web_logs | dedup clientip

🔄 17. bin

Group or bucket numeric or timestamp fields into intervals:

    index=web_logs | bin span=5m _time

Often used before chart or timechart to coerce values into buckets.

🔄 18. join

Combine search results with another search (subsearch) keyed by common field(s):

    index=web_logs status=404
    | join host [ search index=web_logs status=500 | stats count by host ]
    | table host count

🛑 Be cautious: joins can be expensive. Use sparingly or with limits.

🔄 19. append/appendcols

  • append: stack results from the subsearch below the main results.

    index=web_logs error | append [ search index=web_logs warning ]

  • appendcols: add fields (columns) from the subsearch side by side with the main results. Requires the same number of rows (otherwise the missing cells are null).
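An added appendcols example (not from the original post) that sidesteps the row-count problem: each stats returns exactly one row, so the two single-row results line up, and fillnull covers the case where the subsearch returns no rows at all. It assumes a web_logs index with a numeric status field.

```spl
index=web_logs
| stats count AS total_requests
| appendcols [ search index=web_logs status>=500 | stats count AS error_requests ]
| fillnull value=0 error_requests
| eval error_pct = round(error_requests / total_requests * 100, 2)
| table total_requests error_requests error_pct
```

Without the fillnull, a period with zero 5xx responses leaves error_requests null and error_pct is never computed, which is exactly the "or else nulls" behaviour described above.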

🔄 20. head/tail

Keep only the first or last N events.

    index=web_logs | head 10

    index=web_logs | tail 5

▶️ Tips for Efficient Use of SPL

  • Filter early: put highly selective search terms and where conditions as early in the pipeline as possible so Splunk retrieves and processes fewer events.
  • Delay transforming commands until necessary: commands like stats, transaction, and join change the result structure or reduce the number of events.
  • Use streaming commands when you can (e.g. streamstats, eventstats) for incremental/real-time contexts.
  • Take advantage of accelerated data models or summary indexing if your datasets are large.
  • Use field extractions (rex, spath) only when necessary; automatic extractions or indexed fields are more efficient.

🖥️ More Advanced / Combined Examples

Here are two combined examples showing how multiple SPL commands work together.

🔹 Example A: Monitoring error spike per host

    index=app_logs error
    | timechart span=1h count BY host

This gives you an hourly view per host of how many errors are appearing. timechart does the hourly bucketing itself; running stats first would drop _time and leave timechart nothing to bucket.


🔹 Example B: Detecting unusual behavior vs baseline

    index=traffic_logs
    | stats avg(bytes) AS avg_bytes BY src_ip
    | eventstats avg(avg_bytes) AS global_avg
    | where avg_bytes > global_avg * 2
    | table src_ip avg_bytes global_avg

Here:
  • First, stats computes the average bytes per source IP.
  • Then eventstats computes a global average across those per-IP averages and attaches it to every row as global_avg (eventstats uses the same function(...) AS name syntax as stats).
  • Then we filter with where to find which src_ips are well above the baseline.
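A deeper variant of Example B, added here and not part of the original post: instead of one global average, give each source IP its own hourly baseline (mean and standard deviation via eventstats BY src_ip) and flag hours that deviate by more than three standard deviations. It assumes the same traffic_logs index with src_ip and bytes fields.

```spl
index=traffic_logs
| bin _time span=1h
| stats sum(bytes) AS hourly_bytes BY _time src_ip
| eventstats avg(hourly_bytes) AS baseline_avg stdev(hourly_bytes) AS baseline_sd BY src_ip
| eval zscore = if(baseline_sd > 0, round((hourly_bytes - baseline_avg) / baseline_sd, 2), 0)
| where zscore > 3
| table _time src_ip hourly_bytes baseline_avg baseline_sd zscore
| sort - zscore
```

The guard on baseline_sd avoids division by zero for an IP seen in only one hour, and because the baseline includes the hour under test, a single very large spike partly inflates its own standard deviation; the more history the search time range covers, the less that matters.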

⏱️ When to Use Which Command: Quick Decision Table

Scenario                                          Best SPL command(s)
Filter data by keyword / field values             search, where
Clean up output fields                            fields, table
Extract nested or raw data                        rex, spath
Aggregate for metrics / counts                    stats, timechart, chart
Add context (baseline / running totals)           eventstats, streamstats
Structure events into sessions or logical units   transaction
Combine additional datasets                       lookup, join, append
Limit results for dashboards or previews          head, tail, dedup, sort

🏁 Conclusion

Mastering these 20 SPL commands will make you much more effective in writing searches, building dashboards, troubleshooting, and detecting anomalies. As you work more in Splunk, you'll develop instincts about when to use a streaming command vs a transforming vs a generating one, and how to combine them in the most efficient way.

Did you find this article helpful? Your feedback is invaluable to us! Feel free to share this post with those who may benefit, and let us know your thoughts in the comments section below.

