Splunk blog · SPL

Splunk SPL Tutorial: 15 Essential Commands for Log Analysis & SIEM (2026)

SPL (Search Processing Language) is the core of Splunk's power. It is a pipe-based query language that lets you search, filter, transform, and visualize machine data in real time. Whether you are a SOC analyst investigating an incident or a DevOps engineer troubleshooting an outage, SPL is the skill that separates casual users from Splunk experts.

What Is SPL in Splunk?

SPL is a proprietary search language that combines elements of SQL, shell scripting, and pipeline processing. Commands are chained together using the pipe (|) symbol, where the output of one command becomes the input of the next. This makes it intuitive to build complex queries step by step.

15 Essential SPL Commands Every Analyst Must Know

1. search — The Starting Point

Every SPL query begins with an implicit or explicit search. Use keywords, field names, and booleans to find data.

index=web status=404 host=webserver01

2. stats — Aggregate Data

The stats command calculates statistics like count, average, sum, max, and min.

index=firewall | stats count by src_ip, dest_ip

3. timechart — Visualize Over Time

Create time-series charts for trend analysis.

index=web | timechart span=1h count by status

4. top and rare — Find Common and Uncommon Values

index=auth | top user
index=auth | rare src_ip

5. eval — Create and Modify Fields

index=network | eval total_bytes = sent_bytes + received_bytes
index=web | eval severity = if(status>=500, "Critical", "Normal")

6. rex and regex — Extract Fields with Regular Expressions

index=app | rex field=_raw "user=(?<username>\w+)"

7. where — Filter Results

index=network | stats sum(bytes) as total_bytes by src_ip | where total_bytes > 1000000

8. sort and reverse — Order Results

index=web | stats count by url | sort -count

9. join — Combine Results from Subsearches

Join results from two searches on a common field. Use it sparingly: the subsearch in brackets is limited in both result count and run time, so results are silently truncated on large data sets.

index=firewall | join src_ip [search index=dns | stats values(domain) by src_ip]

10. transaction — Group Related Events

index=web | transaction session_id maxpause=30m

11. lookup — Enrich Data with External Tables

index=auth | lookup ip_location.csv ip AS src_ip OUTPUT city, country

12. rename and fields — Clean Output

index=web | stats count by url | rename count as "Page Views" | fields url, "Page Views"

13. dedup — Remove Duplicate Events

index=auth | dedup user

14. append and appendcols — Combine Multiple Searches

index=web status=200 | stats count | append [search index=web status=404 | stats count]

15. macro — Reusable Search Blocks

Define reusable search snippets using macros to standardize queries across your team.

SOC Analyst SPL Use Cases

Brute Force Detection

index=auth action=failure | stats count by src_ip | where count > 10

Lateral Movement

index=windows EventCode=4624 | stats dc(ComputerName) as host_count by AccountName | where host_count > 5

Data Exfiltration

index=proxy | stats sum(bytes_out) as total_out by src_ip | where total_out > 1073741824

Tips for Writing Efficient SPL

  1. Narrow early: Use index, sourcetype, and time range selectors before expensive commands.
  2. Avoid join when possible: Use stats with values() or eventstats instead.
  3. Limit transaction: It is memory-intensive. Use stats with range(_time) as an alternative.
  4. Use macros: Standardize common queries and reduce human error.
  5. Test incrementally: Build queries one pipe at a time to catch errors early.
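The brute-force use case above and tips 2 and 3 (prefer stats over join and transaction) come together in the following search, which is an added example rather than a query from the original post. It assumes the same index=auth events as the brute-force query, with the action field taking the values failure and success and a user field present on each event; those value names are assumptions.

```spl
index=auth (action=failure OR action=success)
| bin _time span=10m
| stats count(eval(action="failure")) as failures,
        count(eval(action="success")) as successes,
        dc(user) as distinct_users,
        earliest(_time) as first_seen,
        latest(_time) as last_seen
        by src_ip, _time
| where failures > 10 AND successes > 0
| eval duration_secs = last_seen - first_seen,
       pattern = if(distinct_users > 5, "spray-then-success", "brute-then-success")
| convert ctime(first_seen) ctime(last_seen)
| fields - _time
| sort -failures
```

Bucketing with bin and aggregating with stats keeps the 10-minute window explicit and bounds memory where transaction would not, and the pattern field separates a password spray across many accounts from repeated attempts on one account.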

FAQ


What is SPL in Splunk?

SPL (Search Processing Language) is Splunk's proprietary query language used to search, filter, aggregate, and visualize machine data. It uses a pipe-based syntax similar to shell commands.

What is the difference between SPL and SQL?

SPL is designed for time-series, unstructured log data and uses pipe-based chaining. SQL is designed for structured relational data and uses declarative statements. SPL is more flexible for ad-hoc log analysis.

How do I learn SPL quickly?

Start with the Splunk Search Tutorial (free on Splunk's website). Practice with stats, timechart, and eval daily. Use Splunk's Job Inspector to analyze query performance.

What is the most common SPL command?

stats is the most commonly used SPL command for aggregation. It is used in nearly every dashboard and alert.

Can SPL queries be saved and reused?

Yes. SPL queries can be saved as Reports, Dashboard Panels, Alerts, or Macros. Macros support parameters for dynamic reuse.

Conclusion

SPL is the single most important skill for anyone working with Splunk. Mastering these 15 commands will enable you to perform 90% of daily analysis tasks in security, IT operations, and application monitoring. Consistent practice and incremental query building are the fastest paths to SPL proficiency.