Splunk® Enterprise Security

Administer Splunk Enterprise Security

Download manual as PDF

Download topic as PDF

Extreme search commands

Search command Description
xsWhere Used to match a concept within a specified context, and determine compatibility.
| xsWhere AirTime IS minimal OR AirTime IS short
xsFindBestConcept Used when evaluating a search count and comparing the count to a context. The closest match returns the term used by the concept. The key security indicators use this command.
| xsFindBestConcept Height FROM MyHeight
xsUpdateDDContext Used to update a data-defined context. A scheduled report that calls "xsUpdateDDContext" builds a context that represents a historical view.
|xsUpdateDDContext in app=<app> name=<context> container=<container> scope=app
xsListContexts Used to list all contexts in a container
| xsListContexts in <container>
xsListConcepts Used to list all concepts in a context
| xsListConcepts from <context> in <container>
xsDisplayContext Used to display the range of values in a context, including the terms used in the concept:
| xsDisplayContext <context> IN <container>
xsDisplayConcept Used to display the range of values used for a concept:
| xsDisplayConcept <concept> from <context> in <container>
| xsDisplayConcept <hedge> <concept> from <context> in <container>
Extreme search example in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters