Splunk: Basics
Learn the basics of Splunk.
easy
To access material, start machines and answer questions login.
is one of the leading solutions in the market that provides the ability to collect, analyze and correlate the network and machine logs in real-time. In this room, we will explore the basics of and its functionalities and how it provides better visibility of network activities and help in speeding up the detection.
Learning Objective and Pre-requisites
If you are new to , please complete the Introduction to . This room covers the following learning objectives:
- overview
- components and how they work
- Different ways to ingest logs
- Normalization of logs
Continue with the next task.
Room Machine
Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP. Access this room in a web browser on the AttackBox, or via the athttp://MACHINE_IP. The machine will take up to 3-5 minutes to start. has three main components, namely Forwarder, Indexer, and Search Head. These components are explained below:
Forwarder
Forwarder is a lightweight agent installed on the endpoint intended to be monitored, and its main task is to collect the data and send it to the instance. It does not affect the endpoint's performance as it takes very few resources to process. Some of the key data sources are:
- Web server generating web traffic.
- Windows machine generating Windows Event Logs, , and data.
- host generating host-centric logs.
- Database generating DB connection requests, responses, and errors.
Indexer
Indexer plays the main role in processing the data it receives from forwarders. It takes the data, normalizes it into field-value pairs, determines the datatype of the data, and stores them as events. Processed data is easy to search and analyze.
Search Head
Search Head is the place within the Search & Reporting App where users can search the indexed logs as shown below. When the user searches for a term or uses a Search language known as Search Processing Language, the request is sent to the indexer and the relevant events are returned in the form of field-value pairs.
Search Head also provides the ability to transform the results into presentable tables, visualizations like pie-chart, bar-chart and column-chart, as shown below:
 Bar
When you access , you will see the default home screen identical to the screenshot below.
Let's look at each section, or panel, that makes up the home screen. The top panel is the Bar (below image).
In the Bar, you can see system-level messages (Messages), configure the instance (Settings), review the progress of jobs (Activity), miscellaneous information such as tutorials (Help), and a search feature (Find).
The ability to switch between installed apps instead of using the Apps panel can be achieved from the Bar, like in the image below.
Apps Panel
Next is the Apps Panel. In this panel, you can see the apps installed for the instance.
The default app for every installation is Search & Reporting.
Explore
The next section is Explore . This panel contains quick links to add data to the instance, add new apps, and access the documentation.
Dashboard
The last section is the Home Dashboard. By default, no dashboards are displayed. You can choose from a range of dashboards readily available within your instance. You can select a dashboard from the dropdown menu or by visiting the dashboards listing page.
You can also create dashboards and add them to the Home Dashboard. The dashboards you create can be viewed isolated from the other dashboards by clicking on the Yours tab.
Please review the documentation on Navigating here (opens in new tab).
can ingest any data. As per the documentation, when data is added to , the data is processed and transformed into a series of individual events.
The data sources can be event logs, website logs, logs, etc.
Data sources are grouped into categories. Below is a chart listing from the documentation detailing each data source category.
In this room, we're going to focus on logs. When we click on the Add Data link (from the Splunk home screen), we're presented with the following screen.
We will use the Upload Option to upload the data from our local machine. Download the attached log file and upload it on Splunk.
As shown above, it has a total of 5 steps to successfully upload the data.
- Select Source -> Where we select the Log source.
- Select Source Type -> Select what type of logs are being ingested.
- Input Settings ->Select the index where these logs will be dumped and hostName to be associated with the logs.
- Review -> Review all the gif
- Done -> Final step, where the data is uploaded successfully and ready to be analyzed.
As you can see, there are A LOT more logs we can add to the Splunk instance, and Splunk supports various source types.
Download the attached log file "VPN_logs" and upload this file into the Splunk instance with the right source type.
Note: In case you are using the AttackBox, the file is available in the /root/Rooms/SplunkBasic/ directory.
Upload the data attached to this task and create an index "VPN_Logs". How many events are present in the log file?
How many log events by the user Maleena are captured?
What is the number of events that originated from all countries except France?
How many VPN Events were observed by the IP 107.3.206.58?
In this room, we explored , its components, and how it works. Please check the following walkthrough and challenge rooms to understand how is effectively used in investigating the incidents.
Ready to learn Cyber Security?
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in