Splunk KB
Frequent notes, search snippets, and operational reminders for the Splunk tasks I reach for often enough that I don't want to re-derive them.
This is a working notebook, not a tutorial. It captures the SPL I keep re-typing, the config gotchas, and the "how did I do that last time" answers — sanitized for public reference.
Start here
Anatomy of a search
The order Splunk recommends you build a search in — filter first, then transform, report, and format. Start here.
Filters
Stage one of every search: index, sourcetype, time modifiers, booleans, and where. Narrowing here is the biggest lever for search speed, because every later stage only processes what this one lets through.
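As an added example for both the "Anatomy of a search" and "Filters" notes above (this is not code from those pages), here is one search built in the recommended order. It assumes an index named auth with sourcetype linux_secure holding OpenSSH sshd messages of the form "Failed password for [invalid user] NAME from IP port N ssh2"; the index and sourcetype names, the field names extracted by rex, and the 20-failure threshold are all assumptions, not values from these notes.

```spl
index=auth sourcetype=linux_secure earliest=-24h latest=now "Failed password"
| rex field=_raw "Failed password for (?<invalid>invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
| where isnotnull(src_ip)
| eval is_invalid=if(isnotnull(invalid), 1, 0)
| stats count AS failures, sum(is_invalid) AS invalid_user_attempts, dc(user) AS distinct_users, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| where failures > 20
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
| table src_ip, failures, invalid_user_attempts, distinct_users, first_seen, last_seen
```

The first line is the whole filter stage: index and sourcetype are indexed fields, the time modifiers bound the buckets read, and "Failed password" is a literal term the indexer can prune on before any field extraction runs. rex and the first eval are the transform stage; stats is the report stage; the second where, the strftime eval, sort, and table are formatting on the already-reduced result set. The first where only discards events the rex did not parse, so it costs little; the expensive where (failures > 20) deliberately sits after stats, where it runs over a handful of aggregated rows rather than every raw event. If this search is slow, the fix belongs on line one, not further down the pipeline.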
Dashboards
Turning saved searches into panels, interactive inputs, alerts, and fast dashboards.
SPL cheatsheet
The commands, eval functions, and stats functions I reach for most — distilled from the quick reference guide.
A note on scope
These notes assume a working Splunk Enterprise / Cloud deployment and focus on day-to-day search and operational work rather than admin or architecture. Index names, hostnames, and field values have been generalized.