Splunk App Quick Reference Guide

A Summary of queryai Commands to Use From Splunk


TL;DR Splunk App Quick Reference

Context: This is a convenient, condensed reference guide for using the Query Splunk App. We hope that you are already familiar with the Query Splunk App! If not, you can start from the beginning at https://docs.query.ai/docs/about-query-splunk-app.

Nutshell: This page explains how you can pipe your Splunk searches to the queryai command to direct your searches to all Query-connected data sources (Platform Connectors), expanding the reach of your Splunk environment through Query, without bulk data ingestion or Splunk license increases.

Below you will find queryai command syntax, operators, searchable Entities and Events, and our most popular usage tips. At the end is a link to the full Query Splunk App Search documentation page.


Command Syntax

Syntax:

| queryai search="<search conditions>" events="<list of events>" connectors="<list of connectors>"

Examples:

| queryai search="ip = 172.16.16.10" events="detection_finding, file_activity" connectors="S3, elastic, sentinel"

Syntax notes:

  • The events, exclude_events, connectors, and exclude_connectors parameters are optional.
  • Connectors are unique to your Query installation and are defined on the Query "Connections" page. You can list them with | queryai help=connectors

Help Options

| queryai help=all
| queryai help=search
| queryai help=connectors
| queryai help=[entities|events]
| queryai help=<event_name>


Searchable Entities and Events

Searchable Entities

account_id account_name command_line country credential_id cve_id cwe_id email file_hash file_name group_id group_name hostname ip mac_address port process_id process_name resource_id subnet url user_agent user_id username

Searchable Events

account_change admin_group_query api_activity application_lifecycle authentication authorize_session compliance_finding config_state data_security_finding datastore_activity detection_finding dhcp_activity dns_activity email_activity file_activity file_hosting file_query file_remediation_activity folder_query ftp_activity group_management http_activity incident_finding inventory_info job_query kernel_object_query module_activity module_query network_activity networks_query osint_inventory_info patch_state process_activity process_query rdp_activity security_finding service_query ssh_activity tunnel_activity user_inventory user_query vulnerability_finding web_resources_activity

Query Data Model: https://schema.query.ai/
Full Events Schema: https://schema.query.ai/events.html


Conditional Operators

  • Equals: =
  • Not Equals: !=
  • NOT (Boolean): NOT
  • Logical AND: AND
  • Logical OR: OR
  • IN: IN (value1, value2, value3, ...)
  • Contains: value
  • Starts With: value*
  • Ends With: *value
  • All: *


Example Searches


With connectors parameter

(Connection aliases are configuration-specific.)

| queryai search="ip = 172.16.16.10" connectors="S3, elastic, sentinel"

Equals

| queryai search="ip = 8.8.8.8"

| queryai search="file_hash = b5045d802394f4560280a7404af69263"

Not Equals

| queryai search="user.devices.domain != xyzdomain"

| queryai search="email != *@xyz.com"

Starts With

(Only for strings. No quoted values. Not supported for the URL field by threat intelligence platforms like VirusTotal.)

| queryai search="hostname = mac*"

| queryai search="user.name = sam*"

Ends With

(Only for strings. No quoted values. Not supported for the URL field by threat intelligence platforms like VirusTotal.)

| queryai search="hostname = *mac"

| queryai search="user.name = *anand"

Contains

(Only for strings. No quoted values. Not supported for the URL field by threat intelligence platforms like VirusTotal.)

| queryai search="hostname = mac"

| queryai search="user.name = ana"

Boolean NOT

| queryai search="NOT (user.name=ana OR user.email_addr=[email protected] )"

| queryai search="NOT user.name IN (ana, ava, 'abc xyz', 'abc pqr')"

Logical AND

(When AND-ing multiple conditions, every condition must use the same event type, such as "user_inventory".)

| queryai search="user_inventory.user.name=al AND user_inventory.user.email_addr=[email protected]"

(AND can also be used implicitly, as below.)

| queryai search="user_inventory.user.name=al user_inventory.user.email_addr=[email protected] "

Logical OR

(It is valid to do OR-ing across multiple event types.)

| queryai search="user_inventory.user.name=ana OR user_inventory.user.email_addr=[email protected]"

| queryai search="user_inventory.user.name = abc OR network_activity.device.ip=1.1.1.1"

IN

| queryai search="username IN (ana, ava, 'abc xyz', 'abc pqr')"

| queryai search="network_activity.src_endpoint.ip IN (1.1.1.1, 1.2.3.4)"

ALL

| queryai search="authentication.logon_type_id = *"

| queryai search="authentication = *"

(You can use this type of search to identify records with NULL values, too, as below.)

| queryai search="NOT user.email_addr = *"

JSON

(Viewing or extracting sub-fields from fields having an embedded JSON hierarchy.)

| queryai search="ip = 172.16.16.10" | eval _raw=myjsonfield

| queryai search="ip = 172.16.16.10" | spath input=myjsonfield | fields a, b, c, d

(Assign the field to _raw to view it as JSON. Then, to extract the sub-fields you want, use the spath and fields commands.)


Usage Notes

  • Entity searches allow for a maximum of one entity condition. Give multiple values for that type via an IN condition.
  • All field names are case-sensitive (always lowercase_snake_case), but values are generally case-insensitive. (Exception: enum attribute values are uppercase. So rather than an enum value of 'Informational', use 'INFORMATIONAL'.)
  • For enum values, although the QDM documentation shows both values and an internal numeric code, use only the uppercase style values. (Rather than a scan_activity.severity_id value of "1", use "INFORMATIONAL".)
  • Values containing reserved keywords (like AND, OR, NOT, IN) or whitespace should be enclosed in single quotes.
  • Nested parentheses are not supported. However, you can use multiple parentheses to associate separate condition sections.
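As an added example (not part of the Query Splunk App or its documentation), the following Python helper assembles a queryai search string while enforcing the rules from this page: single-quoting values with whitespace or reserved keywords, uppercasing enum values, allowing at most one entity condition, and requiring one event type when conditions are AND-ed. The same-event-type check assumes the first dotted segment of a field path is the event type, and all sample values are constructed.

```python
import re

# Entities and reserved keywords as listed on this page; fields must be lowercase_snake_case paths.
RESERVED = {"AND", "OR", "NOT", "IN"}
ENTITIES = {"account_id", "account_name", "command_line", "country", "credential_id", "cve_id",
            "cwe_id", "email", "file_hash", "file_name", "group_id", "group_name", "hostname",
            "ip", "mac_address", "port", "process_id", "process_name", "resource_id", "subnet",
            "url", "user_agent", "user_id", "username"}
FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)*$")

def quote_value(value):
    """Single-quote a value that contains whitespace or a reserved keyword (usage notes)."""
    text = str(value)
    if any(ch.isspace() for ch in text) or any(t in RESERVED for t in text.upper().split()):
        return f"'{text}'"
    return text

def cond(field, value, op="=", enum=False):
    """Render one condition. A list value becomes IN (...); enum=True uppercases the value."""
    if not FIELD_RE.match(field):
        raise ValueError(f"field must be lowercase_snake_case: {field!r}")
    if op not in ("=", "!="):
        raise ValueError(f"unsupported operator: {op!r}")
    if isinstance(value, (list, tuple)):
        members = ", ".join(quote_value(v) for v in value)
        return f"{'NOT ' if op == '!=' else ''}{field} IN ({members})"
    return f"{field} {op} {quote_value(str(value).upper() if enum else value)}"

def build_search(specs, joiner="AND"):
    """Join (field, value[, op[, enum]]) specs; enforces the one-entity rule and, for AND,
    the same-event-type rule (assumption: the first dotted segment is the event type)."""
    if joiner not in ("AND", "OR"):
        raise ValueError("joiner must be AND or OR")
    fields = [s[0] for s in specs]
    if sum(f in ENTITIES for f in fields) > 1:
        raise ValueError("at most one entity condition per search")
    event_types = {f.split(".")[0] for f in fields if "." in f}
    if joiner == "AND" and len(event_types) > 1:
        raise ValueError(f"AND needs a single event type, got {sorted(event_types)}")
    return f" {joiner} ".join(cond(*s) for s in specs)

def queryai_command(search, events=None, exclude_events=None, connectors=None, exclude_connectors=None):
    """Assemble the SPL line; the list parameters are optional, as the syntax notes say."""
    parts = [f'| queryai search="{search}"']
    for name, vals in (("events", events), ("exclude_events", exclude_events),
                       ("connectors", connectors), ("exclude_connectors", exclude_connectors)):
        if vals:
            parts.append(f'{name}="{", ".join(vals)}"')
    return " ".join(parts)
```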

What’s Next

Want more complete guidance? Hop over to the full description of how to search with the Query Splunk App.