# SPL command reference + attack detection library

This notebook gives you:
1) **A complete, up-to-date list of Splunk SPL (SPL1) search commands** (with short descriptions)
2) **A repeatable way to pull “attack type” detections (SPL searches) and organize them by MITRE ATT&CK** using Splunk Security Content.

⚠️ **Defensive use only.** The detection queries included/collected here are intended for threat hunting and alerting.


## Part 1 — SPL (SPL1) search command list

The next cells parse Splunk's *Command quick reference* into a table.


In [None]:

        import re
        import pandas as pd

        RAW_COMMAND_TABLE = r"""` 【337†abstract】 ` Produces a summary of each search result. `highlight`
` 【338†accum】 ` Keeps a running total of the specified numeric field. `autoregress, delta, trendline, streamstats`
` 【339†addcoltotals】 ` Computes an event that contains sum of all numeric fields for previous events. `addtotals, stats`
` 【340†addinfo】 ` Add fields that contain common information about the current search. `search`
` 【341†addtotals】 ` Computes the sum of all numeric fields for each result. `addcoltotals`, `stats`
` 【342†analyzefields】 ` Analyze numerical fields for their ability to predict another discrete field. `anomalousvalue`
` 【343†anomalies】 ` Computes an "unexpectedness" score for an event. `anomalousvalue`, `cluster`, `kmeans`, `outlier`
` 【344†anomalousvalue】 ` Finds and summarizes irregular, or uncommon, search results. `analyzefields`, `anomalies`, `cluster`, `kmeans`, `outlier`
` 【345†anomalydetection】 ` Identifies anomalous events by computing a probability for each event and then detecting unusually small probabilities. `analyzefields`, `anomalies`, `anomalousvalue`, `cluster`, `kmeans`, `outlier`
` 【346†append】 ` Appends subsearch results to current results. `appendcols`, `appendcsv`, `appendlookup`, `join`, `set`
` 【347†appendcols】 ` Appends the fields of the subsearch results to current results, first results to first result, second to second, etc. `append`, `appendcsv`, `join`, `set`
` 【348†appendpipe】 ` Appends the result of the subpipeline applied to the current result set to results. `append`, `appendcols`, `join`, `set`
` 【349†arules】 ` Finds association rules between field values. `associate`, `correlate`
` 【350†associate】 ` Identifies correlations between fields. `correlate`, `contingency`
` 【351†autoregress】 ` Sets up data for calculating the moving average. `accum`, `autoregress`, `delta`, `trendline`, `streamstats`
`【352†bin】` (bucket) Puts continuous numerical values into discrete sets. `chart`, `timechart`
` 【353†bucketdir】 ` Replaces a field value with higher-level grouping, such as replacing filenames with directories. `cluster`, `dedup`
` 【354†chart】 ` Returns results in a tabular output for charting. See also, 【335†Statistical and charting functions】. `bin`,`sichart`, `timechart`
` 【355†cluster】 ` Clusters similar events together. `anomalies`, `anomalousvalue`, `cluster`, `kmeans`, `outlier`
` 【356†cofilter】 ` Finds how many times field1 and field2 values occurred together. `associate`, `correlate`
` 【357†collect】 ` Puts search results into a summary index. `overlap`
` 【358†concurrency】 ` Uses a duration field to find the number of "concurrent" events for each event. `timechart`
` 【359†contingency】 ` Builds a contingency table for two fields. `associate`, `correlate`
` 【360†convert】 ` Converts field values into numerical values. `eval`
` 【361†correlate】 ` Calculates the correlation between different fields. `associate`, `contingency`
` 【362†datamodel】 ` Examine data model or data model dataset and search a data model dataset. `pivot`
` 【363†dbinspect】 ` Returns information about the specified index.
` 【364†dedup】 ` Removes subsequent results that match a specified criteria. `uniq`
` 【365†delete】 ` Delete specific events or search results.
` 【366†delta】 ` Computes the difference in field value between nearby results. `accum`, `autoregress`, `trendline`, `streamstats`
` 【367†diff】 ` Returns the difference between two search results.
` 【368†erex】 ` Allows you to specify example or counter example values to automatically extract fields that have similar values. `extract`, `kvform`, `multikv`, `regex`, `rex`, `xmlkv`
` 【369†eval】 ` Calculates an expression and puts the value into a field. See also, 【334†Evaluation functions】. `where`
` 【370†eventcount】 ` Returns the number of events in an index. `dbinspect`
` 【371†eventstats】 ` Adds summary statistics to all search results. `stats`
`【372†extract】` (kv) Extracts field-value pairs from search results. `kvform`, `multikv`, `xmlkv`, `rex`
` 【373†fieldformat】 ` Expresses how to render a field at output time without changing the underlying value. `eval`, `where`
` 【374†fields】 ` Keeps or removes fields from search results based on the field list criteria.
` 【375†fieldsummary】 ` Generates summary information for all or a subset of the fields. `analyzefields`, `anomalies`, `anomalousvalue`, `stats`
` 【376†filldown】 ` Replaces NULL values with the last non-NULL value. `fillnull`
` 【377†fillnull】 ` Replaces null values with a specified value.
` 【378†findtypes】 ` Generates a list of suggested event types. `typer`
` 【379†folderize】 ` Creates a higher-level grouping, such as replacing filenames with directories.
` 【380†foreach】 ` Run a templatized streaming subsearch for each field in a wildcarded field list. `eval`
` 【381†format】 ` Takes the results of a subsearch and formats them into a single result.
` 【382†from】 ` Retrieves data from a dataset, such as a data model dataset, a CSV lookup, a KV Store lookup, a saved search, or a table dataset.
` 【383†gauge】 ` Transforms results into a format suitable for display by the Gauge chart types.
` 【384†gentimes】 ` Generates time-range results.
` 【385†geom】 ` Adds a field, named `geom`, to each event. This field contains geographic data structures for polygon geometry in JSON and is used for the choropleth map visualization. `geomfilter`
` 【386†geomfilter】 ` Accepts two points that specify a bounding box for clipping a choropleth map. Points that fall outside of the bounding box are filtered out. `geom`
` 【387†geostats】 ` Generate statistics which are clustered into geographical bins to be rendered on a world map. `stats, xyseries`
` 【388†head】 ` Returns the first number `n` of specified results. `reverse, tail`
` 【389†highlight】 ` Highlights the specified terms. `iconify`
` 【390†history】 ` Returns a history of searches formatted as an events list or as a table. `search`
` 【391†iconify】 ` Displays a unique icon for each different value in the list of fields that you specify. `highlight`
` 【392†inputcsv】 ` Loads search results from the specified CSV file. `loadjob, outputcsv`
` 【393†inputlookup】 ` Loads search results from a specified static lookup table. `inputcsv`, `join`, `lookup`, `outputlookup`
` 【394†iplocation】 ` Extracts location information from IP addresses.
` 【395†join】 ` Combine the results of a subsearch with the results of a main search. `appendcols, lookup, selfjoin`
` 【396†kmeans】 ` Performs k-means clustering on selected fields. `anomalies, anomalousvalue, cluster, outlier`
` 【397†kvform】 ` Extracts values from search results, using a form template. `extract, kvform, multikv, xmlkv, rex`
` 【398†loadjob】 ` Loads events or results of a previously completed search job. `inputcsv`
` 【399†localize】 ` Returns a list of the time ranges in which the search results were found. `map, transaction`
` 【400†localop】 ` Run subsequent commands, that is all commands following this, locally and not on remote peers.
` 【401†lookup】 ` Explicitly invokes field value lookups.
` 【402†makecontinuous】 ` Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) `chart, timechart`
` 【403†makemv】 ` Change a specified field into a multivalued field during a search. `mvcombine, mvexpand, nomv`
` 【404†makeresults】 ` Creates a specified number of empty search results.
` 【405†map】 ` A looping operator, performs a search over each search result.
` 【406†mcollect】 ` Converts search results into metric data and inserts the data into a metric index on the search head. `collect`, `meventcollect`
` 【407†metadata】 ` Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer. `dbinspect`
` 【408†metasearch】 ` Retrieves event metadata from indexes based on terms in the logical expression. `metadata`, `search`
` 【409†meventcollect】 ` Converts search results into metric data and inserts the data into a metric index on the indexers. `collect`, `mcollect`
` 【410†mpreview】 ` Returns a preview of the raw 【411†metric data points†docs.splunk.com】 in a specified metric index that match a provided filter. `mcatalog`, `mstats`, `msearch`
` 【410†msearch】 ` Alias for the `mpreview` command. `mcatalog`, `mstats`, `mpreview`
` 【412†mstats】 ` Calculates statistics for the measurement, metric_name, and dimension fields in metric indexes. `stats`, `tstats`
` 【413†multikv】 ` Extracts field-values from table-formatted events.
` 【414†multisearch】 ` Run multiple 【415†streaming searches†docs.splunk.com】 at the same time. `append, join`
` 【416†mvcombine】 ` Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. `mvexpand, makemv, nomv`
` 【417†mvexpand】 ` Expands the values of a multivalue field into separate events for each value of the multivalue field. `mvcombine, makemv, nomv`
` 【418†nomv】 ` Changes a specified multivalued field into a single-value field at search time. `makemv, mvcombine, mvexpand`
` 【419†outlier】 ` Removes outlying numerical values. `anomalies`, `anomalousvalue`, `cluster`, `kmeans`
` 【420†outputcsv】 ` Outputs search results to a specified CSV file. `inputcsv`, `outputtext`
` 【421†outputlookup】 ` Writes search results to the specified static lookup table. `inputlookup`, `lookup`, `outputcsv`
` 【422†outputtext】 ` Outputs the raw text field (`_raw`) of results into the `_xml` field. `outputcsv`
` 【423†overlap】 ` Finds events in a summary index that overlap in time or have missed events. `collect`
` 【424†pivot】 ` Run pivot searches against a particular data model dataset. `datamodel`
` 【425†predict】 ` Enables you to use time series algorithms to predict future values of fields. `x11`
` 【426†rangemap】 ` Sets RANGE field to the name of the ranges that match.
` 【427†rare】 ` Displays the least common values of a field. `sirare, stats, top`
` 【428†redistribute】 ` Implements parallel reduce search processing to shorten the search runtime of high-cardinality dataset searches.
` 【429†regex】 ` Removes results that do not match the specified regular expression. `rex`, `search`
` 【430†reltime】 ` Converts the difference between 'now' and '_time' to a human-readable value and adds adds this value to the field, 'reltime', in your search results. `convert`
` 【431†rename】 ` Renames a specified field; wildcards can be used to specify multiple fields.
` 【432†replace】 ` Replaces values of specified fields with a specified new value.
` 【433†require】 ` Causes a search to fail if the queries and commands that precede it in the search string return zero events or results.
` 【434†rest】 ` Access a REST endpoint and display the returned entities as search results.
` 【435†return】 ` Specify the values to return from a subsearch. `format, search`
` 【436†reverse】 ` Reverses the order of the results. `head, sort, tail`
` 【437†rex】 ` Specify a Perl regular expression named groups to extract fields while you search. `extract, kvform, multikv, xmlkv, regex`
` 【438†rtorder】 ` Buffers events from real-time search to emit them in ascending time order when possible.
` 【439†savedsearch】 ` Returns the search results of a saved search.
`【440†script】` (run) Runs an external Perl or Python script as part of your search.
` 【441†scrub】 ` Anonymizes the search results.
` 【442†search】 ` Searches indexes for matching events.
` 【443†searchtxn】 ` Finds transaction events within specified search constraints. `transaction`
` 【444†selfjoin】 ` Joins results with itself. `join`
` 【445†sendalert】 ` invokes a custom alert action.
` 【446†sendemail】 ` Emails search results to a specified email address.
` 【447†set】 ` Performs set operations (union, diff, intersect) on subsearches. `append, appendcols, join, diff`
` 【448†setfields】 ` Sets the field values for all results to a common value. `eval`, `fillnull`, `rename`
` 【449†sichart】 ` Summary indexing version of the chart command. `chart, sitimechart, timechart`
` 【450†sirare】 ` Summary indexing version of the rare command. `rare`
` 【451†sistats】 ` Summary indexing version of the stats command. `stats`
` 【452†sitimechart】 ` Summary indexing version of the timechart command. `chart, sichart, timechart`
` 【453†sitop】 ` Summary indexing version of the top command. `top`
` 【454†sort】 ` Sorts search results by the specified fields. `reverse`
` 【455†spath】 ` Provides a straightforward means for extracting fields from structured data formats, XML and JSON. `xpath`
` 【456†stats】 ` Provides statistics, grouped optionally by fields. See also, 【335†Statistical and charting functions】. `eventstats, top, rare`
` 【457†strcat】 ` Concatenates string values.
` 【458†streamstats】 ` Adds summary statistics to all search results in a streaming manner. `eventstats, stats`
` 【459†table】 ` Creates a table using the specified fields. `fields`
` 【460†tags】 ` Annotates specified fields in your search results with tags. `eval`
` 【461†tail】 ` Returns the last number n of specified results. `head, reverse`
` 【462†timechart】 ` Create a time series chart and corresponding table of statistics. See also, 【335†Statistical and charting functions】. `chart, bucket`
` 【463†timewrap】 ` Displays, or wraps, the output of the 【462†timechart command】 so that every `timewrap-span` range of time is a different series. `timechart`
` 【464†tojson】 ` Converts events into JSON objects.
` 【465†top】 ` Displays the most common values of a field. `rare, stats`
` 【466†transaction】 ` Groups search results into transactions.
` 【467†transpose】 ` Reformats rows of search results as columns.
` 【468†trendline】 ` Computes moving averages of fields. `timechart`
` 【469†tscollect】 ` Writes results into tsidx file(s) for later use by the tstats command. `collect, stats, tstats`
` 【470†tstats】 ` Calculates statistics over tsidx files created with the tscollect command. `stats, tscollect`
` 【471†typeahead】 ` Returns typeahead information on a specified prefix.
` 【472†typelearner】 ` Deprecated. Use `【378†findtypes】` instead. Generates suggested eventtypes. `typer`
` 【473†typer】 ` Calculates the eventtypes for the search results. `findtypes`
` 【474†union】 ` Merges the results from two or more datasets into one dataset.
` 【475†uniq】 ` Removes any search that is an exact duplicate with a previous result. `dedup`
` 【476†untable】 ` Converts results from a tabular format to a format similar to `stats` output. Inverse of `xyseries` and `maketable`.
` 【477†walklex】 ` Generates a list of terms or indexed fields from each bucket of event indexes. `metadata`, `tstats`
` 【478†where】 ` Performs arbitrary filtering on your data. See also, 【334†Evaluations functions】. `eval`
` 【479†x11】 ` Enables you to determine the trend in your data by removing the seasonal pattern. `predict`
` 【480†xmlkv】 ` Extracts XML key-value pairs. `extract, kvform, multikv, rex`
` 【481†xmlunescape】 ` Unescapes XML.
` 【482†xpath】 ` Redefines the XML path.
` 【483†xyseries】 ` Converts results into a format suitable for graphing."""

        def parse_spl_command_table(raw: str) -> pd.DataFrame:
            rows = []
            for line in raw.splitlines():
                line = line.strip()
                if not line:
                    continue
                m = re.match(r"^`\s*【\d+†(?P<cmd>[^】]+)】\s*`\s*(?P<rest>.*)$", line)
                if not m:
                    # Some lines may not match; ignore.
                    continue
                cmd = m.group("cmd").strip()
                rest = m.group("rest").strip()

                # Optional alias like "(bucket)" or "(kv)" or "(run)" immediately after the command.
                alias = None
                m_alias = re.match(r"^\(([^)]+)\)\s*(.*)$", rest)
                if m_alias:
                    alias = m_alias.group(1).strip()
                    rest = m_alias.group(2).strip()

                # Extract backticked segments; later we'll map them to known command names.
                bt_segments = re.findall(r"`([^`]+)`", rest)

                # Remove all backticked segments from description (including code snippets like `n`).
                desc = re.sub(r"`[^`]+`", "", rest)
                desc = re.sub(r"\s+", " ", desc).strip()

                rows.append({
                    "command": cmd,
                    "alias": alias,
                    "description": desc,
                    "backtick_segments": bt_segments
                })

            df = pd.DataFrame(rows).drop_duplicates(subset=["command"]).reset_index(drop=True)

            # Build a set of command names so we can filter related commands accurately.
            cmd_set = set(df["command"].tolist())

            def related_from_segments(segments):
                rel = []
                for seg in segments or []:
                    # split on comma, strip whitespace
                    for token in [t.strip() for t in seg.split(",")]:
                        if token in cmd_set and token != "":
                            rel.append(token)
                # unique, preserve order
                seen = set()
                rel_unique = []
                for r in rel:
                    if r not in seen:
                        seen.add(r)
                        rel_unique.append(r)
                return rel_unique

            df["related_commands"] = df["backtick_segments"].apply(related_from_segments)
            df.drop(columns=["backtick_segments"], inplace=True)

            # Add internal commands (not in the public SPL command list table)
            internal = ['collapse', 'dump', 'findkeywords', 'makejson', 'mcatalog', 'noop', 'prjob', 'redistribute', 'runshellscript']
            for c in internal:
                if c not in cmd_set:
                    df = pd.concat([df, pd.DataFrame([{"command": c, "alias": "internal", "description": "Internal command (may be unsupported/undocumented).", "related_commands": []}])], ignore_index=True)

            df = df.sort_values(by=["command"]).reset_index(drop=True)
            return df

        spl_commands_df = parse_spl_command_table(RAW_COMMAND_TABLE)
        spl_commands_df


In [None]:

# Quick checks
print("Total commands:", len(spl_commands_df))
print("Example rows:")
display(spl_commands_df.head(10))


## Part 2 — “Attack type” SPL detections (MITRE ATT&CK)

Splunk publishes a large set of detections (SPL searches) in **Splunk Security Content**.
The next section shows two ways to pull *all available* detections and organize them by ATT&CK:

### Option A (API)
Use the Splunk Research content API (if reachable from your environment).

### Option B (Git)
Clone the `splunk/security_content` repo and parse the YAML detections.


In [None]:

# --- Option A: Pull detections via Splunk Research content API (preferred when available) ---
#
# This API has historically exposed endpoints like:
#   https://content.splunkresearch.com/detections
#   https://content.splunkresearch.com/stories
#
# If your environment blocks outbound internet, this won't work.

import json
import requests
import pandas as pd

BASE = "https://content.splunkresearch.com"

def try_fetch_json(url: str, timeout=30):
    r = requests.get(url, timeout=timeout)
    r.raise_for_status()
    return r.json()

detections_df_api = None

try:
    root = try_fetch_json(BASE)
    print("API root keys:", list(root.keys())[:20])
    # Try common endpoints
    detections = try_fetch_json(f"{BASE}/detections")
    # Expected: list/dict JSON; normalize
    detections_df_api = pd.json_normalize(detections)
    print("Fetched detections via API:", len(detections_df_api))
    display(detections_df_api.head(5))
except Exception as e:
    print("API method failed:", e)
    print("Try Option B (git clone + YAML parsing) instead.")


In [None]:

# --- Option B: Clone Splunk Security Content and parse YAML detections ---
#
# This pulls the latest content from GitHub.
# If you don't have 'git', you can download the repo ZIP and point REPO_DIR to the extracted folder.

import os
import subprocess
from pathlib import Path

REPO_URL = "https://github.com/splunk/security_content.git"
REPO_DIR = Path("security_content")

if not REPO_DIR.exists():
    try:
        subprocess.run(["git", "clone", "--depth", "1", "--branch", "develop", REPO_URL, str(REPO_DIR)], check=True)
    except Exception as e:
        print("git clone failed:", e)
        print("You can manually download the repo ZIP and extract to ./security_content")
else:
    print("Repo already present:", REPO_DIR.resolve())


In [None]:

# Parse YAML detections into a DataFrame

from pathlib import Path

try:
    import yaml
except ImportError:
    import sys
    !{sys.executable} -m pip install pyyaml
    import yaml

import pandas as pd

def safe_list(x):
    if x is None:
        return []
    if isinstance(x, list):
        return x
    return [x]

def flatten_tags(tags):
    # tags is typically a dict; keep it as dict but also extract common MITRE fields if present
    if not isinstance(tags, dict):
        tags = {}
    out = {"tags": tags}
    for key in ["mitre_attack_id", "mitre_attack_tactic", "mitre_attack_technique", "analytic_story", "security_domain", "kill_chain_phases"]:
        out[key] = tags.get(key)
    return out

def load_detection_yaml(path: Path) -> dict:
    with path.open("r", encoding="utf-8") as f:
        return yaml.safe_load(f)

def build_detections_df(repo_dir: Path) -> pd.DataFrame:
    det_root = repo_dir / "detections"
    paths = list(det_root.rglob("*.yml")) + list(det_root.rglob("*.yaml"))
    rows = []
    for p in paths:
        try:
            d = load_detection_yaml(p) or {}
            tags = d.get("tags", {})
            tag_flat = flatten_tags(tags)

            rows.append({
                "file": str(p.relative_to(repo_dir)),
                "name": d.get("name"),
                "id": d.get("id"),
                "version": d.get("version"),
                "status": d.get("status"),
                "type": d.get("type"),
                "description": d.get("description"),
                "search": d.get("search"),
                "data_source": d.get("data_source"),
                "how_to_implement": d.get("how_to_implement"),
                "known_false_positives": d.get("known_false_positives"),
                "references": d.get("references"),
                **{k: tag_flat.get(k) for k in tag_flat if k != "tags"},
                "tags": tag_flat.get("tags"),
            })
        except Exception:
            continue

    df = pd.DataFrame(rows)
    # Normalize some common tag fields to lists
    for col in ["mitre_attack_id", "mitre_attack_tactic", "analytic_story", "kill_chain_phases"]:
        if col in df.columns:
            df[col] = df[col].apply(safe_list)
    return df

detections_df = None
if REPO_DIR.exists():
    detections_df = build_detections_df(REPO_DIR)
    print("Loaded detections:", len(detections_df))
    display(detections_df.head(5))
else:
    print("Repo directory not found; please clone or download it first.")


In [None]:

# Build a MITRE ATT&CK “attack type” index (tactic -> detections, technique ID -> detections)

import pandas as pd

if detections_df is not None and len(detections_df):
    # Explode tactics and technique IDs for easier grouping
    tactics = detections_df.explode("mitre_attack_tactic")
    techniques = detections_df.explode("mitre_attack_id")

    tactic_counts = tactics.groupby("mitre_attack_tactic")["name"].count().sort_values(ascending=False)
    technique_counts = techniques.groupby("mitre_attack_id")["name"].count().sort_values(ascending=False)

    print("Detections by MITRE tactic (top 15):")
    display(tactic_counts.head(15))

    print("Detections by MITRE technique ID (top 15):")
    display(technique_counts.head(15))
else:
    print("No detections loaded yet.")


In [None]:

# Helper: fetch all searches for a given tactic or technique and export to files

from pathlib import Path

def export_spl_for_tactic(df: pd.DataFrame, tactic: str, out_dir: Path = Path("exported_spl")):
    out_dir.mkdir(parents=True, exist_ok=True)
    tactic_dir = out_dir / f"tactic={tactic}".replace(" ", "_")
    tactic_dir.mkdir(parents=True, exist_ok=True)

    subset = df[df["mitre_attack_tactic"].apply(lambda xs: tactic in (xs or []))].copy()
    print(f"Detections for tactic '{tactic}':", len(subset))

    for _, row in subset.iterrows():
        name = (row.get("name") or "unnamed").strip().replace("/", "_")
        file_path = tactic_dir / f"{name}.spl"
        search = row.get("search") or ""
        file_path.write_text(search, encoding="utf-8")

    return subset

def export_spl_for_technique(df: pd.DataFrame, technique_id: str, out_dir: Path = Path("exported_spl")):
    out_dir.mkdir(parents=True, exist_ok=True)
    tech_dir = out_dir / f"technique={technique_id}".replace(" ", "_")
    tech_dir.mkdir(parents=True, exist_ok=True)

    subset = df[df["mitre_attack_id"].apply(lambda xs: technique_id in (xs or []))].copy()
    print(f"Detections for technique '{technique_id}':", len(subset))

    for _, row in subset.iterrows():
        name = (row.get("name") or "unnamed").strip().replace("/", "_")
        file_path = tech_dir / f"{name}.spl"
        search = row.get("search") or ""
        file_path.write_text(search, encoding="utf-8")

    return subset

# Example usage (uncomment and set a tactic you see above):
# subset = export_spl_for_tactic(detections_df, "discovery")
# subset = export_spl_for_technique(detections_df, "T1033")


## Notes for adapting detections to your environment

- Most searches assume certain **data sources** (Windows Security logs, Sysmon, EDR, DNS, proxy, cloud audit logs, etc.).
- Adjust `index=...`, `sourcetype=...`, and field names to match your environment.
- Prefer `tstats` / data models when using Splunk ES + accelerated data models for performance.


## Appendix — Internal commands

Internal commands exist but may be unsupported/undocumented. They are listed here for completeness.


In [None]:

internal_commands = ['collapse', 'dump', 'findkeywords', 'makejson', 'mcatalog', 'noop', 'prjob', 'redistribute', 'runshellscript']
internal_commands
