Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Extreme search commands

xsWhere
    Matches a concept within a specified context and determines compatibility.
    | xsWhere AirTime IS minimal OR AirTime IS short

xsFindBestConcept
    Used when evaluating a search count and comparing the count to a context. The closest match returns the term used by the concept. The key security indicators use this command.
    | xsFindBestConcept Height FROM MyHeight

xsUpdateDDContext
    Updates a data-defined context. A scheduled report that calls xsUpdateDDContext builds a context that represents a historical view.
    | xsUpdateDDContext in app=<app> name=<context> container=<container> scope=app

xsListContexts
    Lists all contexts in a container.
    | xsListContexts in <container>

xsListConcepts
    Lists all concepts in a context.
    | xsListConcepts from <context> in <container>

xsDisplayContext
    Displays the range of values in a context, including the terms used in the concept.
    | xsDisplayContext <context> IN <container>

xsDisplayConcept
    Displays the range of values used for a concept.
    | xsDisplayConcept <concept> from <context> in <container>
    | xsDisplayConcept <hedge> <concept> from <context> in <container>
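
The following pair of searches is an added illustration, not from the original page or from Splunk's own documentation, of how the commands above fit together in a key security indicator: a scheduled report builds a data-defined context from an hourly event count, and a later search compares a fresh count against that context. The names <app>, <context> and <container> are placeholders for your own values, the field name count comes from the stats command, and the concept terms minimal and high are assumed to exist in the context; the command syntax used is only what the reference above shows.

```spl
| tstats count FROM datamodel=Network_Traffic GROUPBY _time span=1h
| xsUpdateDDContext in app=<app> name=<context> container=<container> scope=app

| tstats count FROM datamodel=Network_Traffic WHERE earliest=-1h
| xsFindBestConcept count FROM <context>
| xsWhere count IS high
```

Run the first search as a scheduled report so that the context keeps tracking history; run the second as the correlation search that raises the indicator. Before trusting the result, confirm the context exists and its ranges look sane with | xsListContexts in <container> and | xsDisplayContext <context> IN <container>, since xsWhere returns nothing useful when the named context or concept is missing. The Network_Traffic data model used for the count is an assumption for the example; substitute whatever search produces the value you want to grade.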

With the Extreme Search app installed, the full command reference is found in the user interface at http://<host>:8000/splunk-es/en-US/app/Splunk_SA_ExtremeSearch/command_reference.

Last modified on 16 October, 2019
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1
