Splunk Queries: The Cheat Sheet Starter Pack

Andrew Leonzo - February 2025

There may be no silly questions, but when it comes to Splunk, there can be challenging queries. 

With a unique and complex search processing language, not to mention extraordinarily high data volume that’s often diverse and unstructured, Splunk queries can be difficult to master. 

Fortunately, Arcus is here to help OT and IT professionals with 10 essential Splunk queries for those just getting started with Splunk, along with detailed explanations, to help with troubleshooting, analyzing logs, monitoring performance, and more.



1: Stats

Command: stats: Performs statistical calculations on your data, such as count, sum, average, and more, allowing for aggregation and summarization.

Example: index=web_logs | stats count by status

Explainer: This search counts the number of events for each HTTP status code in the web_logs index.

 

2: TIMECHART

Command: timechart: Generates time-based charts by aggregating data over specified time intervals, useful for visualizing trends over time.


Example: index=web_logs | timechart count span=1h


Explainer: This search creates an hourly time chart of event counts in the web_logs index.

 

3: streamstats

Command: streamstats: Calculates cumulative statistics in a streaming manner, enabling operations like running totals or moving averages as events are processed.

Example: index=transactions | streamstats sum(amount) as RunningTotal by account_id

Explainer: This search computes a running total of transaction amounts for each account.

 

4: TSTATS

Command: tstats: Provides high-performance statistical queries on indexed fields, offering faster results by leveraging data summaries.

Example: | Stats count where index=security by host

Explainer: This search quickly counts events in the security index, grouped by host.

 

5: APPEND

Command: append: Appends the results of a subsearch to the current search results, useful for combining data from multiple searches.

Example: index=web_logs status=404
| append [search index=web_logs status=500]

Explainer: This search retrieves events with status 404 and appends events with status 500.

 

6: MAP

Command: map: Executes a subsearch for each result from the main search, allowing for complex, iterative processing. 

Example: index=users | dedup user_id
| map search="search index=transactions user_id=$user_id$"

Explainer: This search finds unique users and retrieves their related transactions.

 

7: TRANSPOSE

Command: transpose: Switches rows and columns in the search results, which can be helpful for certain types of data analysis and presentation.

Example: index=web_logs | stats count by status
| transpose 1 header_field=status

Explainer: This search transposes the status codes into column headers.

 

8: REX

Command: rex: Extracts fields using regular expressions, enabling the parsing and structuring of unstructured data.

Example: index=web_logs | rex field=_raw "User: (?<username>\w+)"

Explainer: This search extracts the username field from raw log data.

 

9: BIN

Command: bin: Groups events into buckets based on time or numeric fields, facilitating histogram creation and data aggregation.

Example: index=web_logs | bin span=5m _time
| stats count by _time

Explainer: This search groups events into 5-minute intervals and counts them.

 

10: TRANSACTION

Command: transaction: Groups related events into transactions based on specified criteria, useful for identifying sequences of events that constitute a single logical transaction.

Example: index=web_logs | transaction session_id

Explainer: This search groups events by session_id to analyze user sessions.

 

Check out new Splunk features.

With backing from Cisco, Splunk continues to grow its product offering. As covered in our recent blog post, Splunk’s new AI Assistant for SPL App, now available on Splunkbase, offers added help, translating natural language prompts into SPL queries. If you’re interested in apps from Arcus Data, you can check them out here.

 

The best cheat code of all: letting Arcus do the heavy lifting.

Mastering queries can unlock a host of valuable insights, and this cheat sheet provides a primer on some of the basic queries IT and OT professionals need. 

If you’re ready to move to the next level and optimize your Splunk ROI, operational technology, and cybersecurity, reach out to the Arcus team. With hundreds of successful deployments and decades of experience, we can help you optimize Splunk to better gather, analyze, and leverage data. 

Just think of us as the answer to that other query: How can I Splunk smarter?