Splunk App Quick Reference Guide
A Summary of queryai Commands to Use From Splunk
TL;DR Splunk App Quick Reference
Context: This is a convenient, condensed reference guide for using the Query Splunk App. We hope that you are already familiar with the Query Splunk App! If not, you can start from the beginning at https://docs.query.ai/docs/about-query-splunk-app.
Nutshell: This page explains how you can pipe your Splunk searches to the `queryai` command to direct them to all Query-connected data sources (Platform Connectors), extending the reach of your Splunk environment through Query without bulk data ingestion or Splunk license increases. Below you will find `queryai` command syntax, operators, searchable Entities/Events/Objects, and our most popular usage tips. At the end is a link to the full Query Splunk App Search documentation page.
Command Syntax
Syntax:
| queryai search="<search conditions>" events="<list of events>" exclude_events="<list of events>" connectors="<list of connectors>" timeout=<seconds>
Examples:
| queryai search="ip = 172.16.16.10" events="detection_finding, file_activity" connectors="S3, elastic, sentinel" timeout=60
Syntax notes:
- The `events`, `exclude_events`, `connectors`, and `timeout` parameters are optional.
- Connectors are unique to your Query installation and are defined in the Query "Connections" page. You can get a list via:
| queryai help=connectors
Help Options:
- `| queryai help=all`
- `| queryai help=search`
- `| queryai help=connectors`
- `| queryai help=[entities|events|objects]`
- `| queryai help=<event/object name>`
Searchable Entities, Objects, and Events
Searchable Entities:
account_id, account_name, command_line, country, credential_id, cve_id, cwe_id, file_hash, file_name, group_id, group_name, hostname, ip, mac_address, port, process_id, process_name, resource_id, subnet, url, user_agent, user_id, username

Searchable Objects:
actor, agent, data_security, device, domain_info (deprecated), domain_intelligence, file, file_intelligence, ip_intelligence, url_intelligence, user

Searchable Events (grouped by category):
- Application Activity: api_activity, application_lifecycle, datastore_activity, file_hosting, web_resources_activity
- Discovery: config_state, osint_inventory_info, patch_state, user_inventory
- Findings: compliance_finding, data_security_finding, detection_finding, incident_finding, security_finding (deprecated), vulnerability_finding
- Identity & Access Mgmt: account_change, authentication, authorize_session
- Network Activity: dns_activity, email_activity, email_delivery_activity, http_activity, network_activity
- System Activity: file_activity, module_activity, process_activity
Full Schema: https://schema.query.ai/
Events Schema: https://schema.query.ai/events.html
Objects Schema: https://schema.query.ai/objects.html
Conditional Operators
Operator | Syntax |
---|---|
Equals | `=` |
Not Equals | `!=` |
NOT (Boolean) | `NOT` |
Logical AND | `AND` |
Logical OR | `OR` |
IN | `IN (value1, value2, value3, ...)` |
Contains | `*value*` |
Starts With | `value*` |
Ends With | `*value` |
All | `*` |
Example Searches
With connectors and timeout parameters (connection aliases are configuration-specific):
- `| queryai search="ip = 172.16.16.10" connectors="S3, elastic, sentinel" timeout=60`

Equals:
- `| queryai search="ip = 8.8.8.8"`
- `| queryai search="file_hash = b5045d802394f4560280a7404af69263"`

Not Equals:
- `| queryai search="user.devices.domain != xyzdomain"`
- `| queryai search="email != *@xyz.com"`

Starts With (strings only; the wildcard value must not be quoted; not supported for the URL field by threat intelligence platforms like VirusTotal):
- `| queryai search="hostname = mac*"`
- `| queryai search="user.name = sam*"`

Ends With (same restrictions as Starts With):
- `| queryai search="hostname = *mac"`
- `| queryai search="user.name = *anand"`

Contains (same restrictions as Starts With; note the asterisk on both sides, per the Conditional Operators table):
- `| queryai search="hostname = *mac*"`
- `| queryai search="user.name = *ana*"`

Boolean NOT:
- `| queryai search="NOT (user.name=ana OR user.email_addr=[email protected])"`
- `| queryai search="NOT user.name IN (ana, ava, 'abc xyz', 'abc pqr')"`

Logical AND (when AND-ing multiple conditions, all conditions must use the same Object or Event type, such as `user`):
- `| queryai search="user.name=al AND user.email_addr=[email protected]"`
- AND can also be used implicitly by listing conditions side by side: `| queryai search="user.name=al user.email_addr=[email protected]"`

Logical OR (OR-ing across multiple event/object types is valid):
- `| queryai search="user.name=ana OR user.email_addr=[email protected]"`
- `| queryai search="user.name = abc OR device.ip=1.1.1.1"`

IN:
- `| queryai search="user.name IN (ana, ava, 'abc xyz', 'abc pqr')"`
- `| queryai search="network_activity.src_endpoint.ip IN (1.1.1.1, 1.2.3.4)"`

ALL:
- `| queryai search="authentication.logon_type_id = *"`
- `| queryai search="authentication = *"`
- Negating an ALL match identifies records where the attribute is NULL: `| queryai search="NOT user.email_addr = *"`

SPL spath (when a returned value contains further fields, use the SPL `spath` command to extract them):
- `| queryai search="ip = 172.16.16.10" connectors="Crowdstrike" | spath input=_raw`
- The `_raw` field contains the native platform data mapped from OCSF's `raw_data`. You can extract further fields from the native data by appending `| spath input=_raw`, or simply `| spath`, since Splunk uses `_raw` as the default for the `input` parameter.
Usage Notes
- Entities, Events, Objects, and their attribute names are case-sensitive.
- Entity searches allow a maximum of one entity type. Give multiple values for that type via an IN condition.
- Values containing reserved keywords (AND, OR, NOT, IN), whitespace, or special characters (dots, @, etc.) should be enclosed in single or double quotes. Because the whole `search=` argument is itself double-quoted in SPL, single quotes inside it avoid having to escape inner double quotes.
- Values are generally case-insensitive, with a few exceptions: enum attribute values are uppercase, so use 'INFORMATIONAL' rather than 'Informational'.
- For enum values, although the QDM documentation shows both a name and an internal numeric code, use only the uppercase name. Rather than a `scan_activity.severity_id` value of "1", use "INFORMATIONAL".
- Hierarchical attributes can be accessed at a maximum depth of two dots, e.g., `network_activity.src_endpoint.ip`.
- Nesting of parentheses is not supported. However, you can use multiple sibling parenthesized sections to group separate conditions, e.g. `(a) OR (b)`, as long as no section is inside another.
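The rules above are easy to violate when search strings are generated by a script rather than typed by hand (for example, a detection pipeline that submits searches through Splunk's REST API). The following is an added example, not code from Query or the Query Splunk App: a small builder that turns structured conditions into a `queryai` search string while enforcing the page's quoting, IN, one-entity-type, two-dot depth, uppercase-enum, same-type AND and no-nested-parentheses rules, plus a checker for hand-written strings. The entity and attribute names come from the tables on this page; the helper names (`Condition`, `build_search`, `splunk_command`, `max_paren_depth`) and the sample conditions are this example's own. One assumption: dotted values such as IPs and hashes are left unquoted to match the page's own examples, even though the Usage Notes say quoting them is also acceptable.

```python
"""Build and sanity-check queryai search strings (added example, not Query's code)."""
import re
from dataclasses import dataclass
from typing import Sequence, Union

RESERVED = {"AND", "OR", "NOT", "IN"}
# Searchable entities from the table above; any other dotless attribute is an
# event/object name such as "authentication" (as in authentication = *).
ENTITIES = {
    "account_id", "account_name", "command_line", "country", "credential_id",
    "cve_id", "cwe_id", "file_hash", "file_name", "group_id", "group_name",
    "hostname", "ip", "mac_address", "port", "process_id", "process_name",
    "resource_id", "subnet", "url", "user_agent", "user_id", "username",
}
# Values that may stay bare. Dots are allowed because the page's examples leave
# IPs and hashes unquoted (assumption); remove "." here to quote dotted values.
PLAIN_TOKEN = re.compile(r"^[A-Za-z0-9_.\-*]+$")
MAX_DEPTH = 2  # network_activity.src_endpoint.ip is the deepest allowed form


@dataclass
class Condition:
    attribute: str                     # "ip", "user.name", "authentication"
    op: str                            # "=", "!=" or "IN"
    value: Union[str, Sequence[str]]   # a string, or a list of strings for IN
    enum: bool = False                 # enum attribute: value is upper-cased


def quote_value(value: str) -> str:
    """Single-quote values holding reserved words, whitespace or special chars."""
    if "'" in value:
        # The page documents no escape syntax; refuse rather than guess one.
        raise ValueError(f"cannot safely quote {value!r}")
    if value.upper() in RESERVED or not PLAIN_TOKEN.match(value):
        return f"'{value}'"
    return value


def render_condition(c: Condition) -> str:
    """Render one condition, enforcing depth, operator and enum rules."""
    if c.attribute.count(".") > MAX_DEPTH:
        raise ValueError(f"{c.attribute}: at most {MAX_DEPTH} dots of nesting")
    if c.op not in ("=", "!=", "IN"):
        raise ValueError(f"unsupported operator {c.op!r}")
    prep = (lambda v: str(v).upper()) if c.enum else str
    if c.op == "IN":
        if isinstance(c.value, str) or not c.value:
            raise ValueError("IN needs a non-empty list of values")
        return f"{c.attribute} IN ({', '.join(quote_value(prep(v)) for v in c.value)})"
    return f"{c.attribute} {c.op} {quote_value(prep(c.value))}"


def render_group(conds: Sequence[Condition], negate: bool = False) -> str:
    """AND the conditions of one group (same object/event type only); optional NOT."""
    types = {c.attribute.split(".")[0] for c in conds}
    if len(conds) > 1 and len(types) > 1:
        raise ValueError(f"AND needs one object/event type, got {sorted(types)}")
    body = " AND ".join(render_condition(c) for c in conds)
    if negate:
        return f"NOT ({body})" if len(conds) > 1 else f"NOT {body}"
    return body


def max_paren_depth(search: str) -> int:
    """Deepest parenthesis nesting, ignoring quoted values; more than 1 is unsupported."""
    depth = deepest = 0
    quote = None
    for ch in search:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
    if depth or quote:
        raise ValueError("unbalanced parentheses or quotes")
    return deepest


def is_supported_search(search: str) -> bool:
    """True when a hand-written search balances its quotes and nests no parentheses."""
    try:
        return max_paren_depth(search) <= 1
    except ValueError:
        return False


def build_search(groups: Sequence[tuple]) -> str:
    """OR together (conditions, negate) groups; one level of parentheses only."""
    entities = {c.attribute for conds, _ in groups for c in conds if c.attribute in ENTITIES}
    if len(entities) > 1:
        raise ValueError(f"only one entity type per search, got {sorted(entities)}")
    parts = []
    for conds, negate in groups:
        text = render_group(conds, negate)
        parts.append(f"({text})" if len(groups) > 1 and len(conds) > 1 and not negate else text)
    search = " OR ".join(parts)
    assert max_paren_depth(search) <= 1  # never emit nested parentheses
    return search


def splunk_command(search, events=None, connectors=None, timeout=None) -> str:
    """Assemble the full SPL line in the syntax shown under Command Syntax."""
    if '"' in search:
        raise ValueError("search must not contain double quotes (the SPL delimiter)")
    spl = f'| queryai search="{search}"'
    if events:
        spl += f' events="{", ".join(events)}"'
    if connectors:
        spl += f' connectors="{", ".join(connectors)}"'
    if timeout is not None:
        spl += f" timeout={int(timeout)}"
    return spl


if __name__ == "__main__":
    # Constructed sample: reproduces the multi-connector search from the Examples above.
    print(splunk_command(build_search([([Condition("ip", "=", "172.16.16.10")], False)]),
                         events=["detection_finding", "file_activity"],
                         connectors=["S3", "elastic", "sentinel"], timeout=60))
```

Run it as a script to print the SPL line; in a pipeline, call `build_search` per detection and feed the result to `splunk_command`. Because the builder emits only sibling parenthesized groups and single-quotes every value that needs it, a generated string never trips the nesting or quoting rules, and `is_supported_search` gives the same guarantee for searches people paste in.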
Want more complete guidance? Hop over to the full description of how to search with the Query Splunk App.