Time
1 hour 59 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Welcome to the module on the different ways to get data into Splunk.
00:05
In this video,
00:06
we'll discuss some examples of the many data sources Splunk can work with.
00:11
We'll talk about ways to get data,
00:13
go through creating an index,
00:15
add some data by uploading a file,
00:18
talk about source types and create some field extractions. Then we'll finish off with the quiz.
00:26
Here's a nice
00:27
image of examples of what Splunk can index from splunk.com. This highlights different types of data, such as Windows event logs,
00:36
Linux command
00:38
results.
00:39
events from cloud services, web logs, database queries, NetFlow data, clickstream data, power consumption information and more.
00:48
Down at the bottom here
00:51
are some common sources of data, and in the middle we see
00:55
popular forms of data. For example, you might retrieve metrics on web logs or ingest
01:00
data from tickets opened by intrusion detection systems.
01:06
All these types
01:07
of information could be transformed into events that are searchable and usable in different ways.
01:15
There are many ways to get these types of data.
01:17
You can, for example, monitor files and directories,
01:21
upload data,
01:23
run scripts and collect the results
01:25
listen on network ports, including listening for syslog messages,
01:29
collect events using WMI, run queries against connected databases, perform API calls, and other methods.
01:38
We'll be uploading a file for a simple demonstration in this video.
01:44
As a review,
01:45
a Splunk index is a data repository.
01:48
When raw data is turned into events, it gets put into an index.
01:53
These indexes are helpful for running efficient searches.
01:57
When you're able to search across the specific index that can speed up your searches,
02:01
For example, you might have an index called Cisco ASA that just contains Cisco ASA logs.
02:07
When you're looking for ASA logs, you wouldn't want to search across all your Windows event logs while trying to find something.
02:15
Indexes can also help you apply more control to your data.
02:19
For example, if you know you need to keep authentication logs for six months but you only need to keep application logs for one month, you can apply those different retention policies by index.
02:30
Additionally, you can easily limit users to certain types of data by only allowing them to search across the specific indexes that apply to their jobs.
02:40
Source types are used to identify the structure of events, and Splunk uses these to format the data while indexing.
02:47
You might have multiple source types in the same index. For example, you might collect all your WebSphere logs in an index called WebSphere, but WebSphere activity logs are formatted differently and are marked with a different source type
03:00
than WebSphere system error logs.
03:04
You can also use source type to narrow down your searches in Splunk.
03:07
Field extraction is pulling out fields from event data.
03:12
Splunk automatically recognizes fields for some source types, and you can also manually extract fields from your data.
03:19
In this example, we have a NetScreen firewall event, and we have lots of potential fields, including an action field.
03:29
In this case, the field name could be action and the field value would be deny. In another event, the field name would still be action, but the field value could be allow.
03:39
The field name does not have to be specified in the event.
03:44
This
03:45
"Jun" at the beginning could be extracted and have a field name of month and a field value of Jun or June.
03:53
With that, we're going to jump into a basic example.
04:00
I have my Splunk server up, and on it I have a file filled with some example Exchange mail logs.
04:06
Normally, we probably wouldn't want to upload a file to get these types of events, but we'll do it for this example.
04:13
Going to my Splunk web interface, I'm going to click on Settings,
04:17
Add Data.
04:18
I also have the option on my main page here.
04:26
From here.
04:27
I'm going to scroll down and click upload.
04:34
Then I'm going to select the file we were just looking at.
04:40
Click Next
04:46
Splunk automatically did a good job of breaking these events out and identifying the time stamps.
04:51
If I click on source type here,
04:56
I can try some of the pretrained source types. One that's under email, for example.
05:00
Um, if I click procmail as a source type,
05:04
it no longer breaks out into events and leaves them in a clump. That's obviously not the right source type for this. I'm gonna go back to the default here and make my own source type.
05:16
There are some other options under here that you can play with, but I'm just gonna click Save As, and I'm gonna call this exchange logs and put it in the email category.
05:30
Now, if I want to upload the same type of file in the future, I can pick the source type,
05:38
and I'm gonna click next on this
05:41
From here, I have to decide what the host is. Since I uploaded the file, leaving me as my host makes sense. So I'm just gonna keep that as is.
05:50
It's also currently set to go to the default index.
05:55
It's often a good idea to put things into the default index until you make sure things are working, but I'm gonna create a new index for this data just by clicking here.
06:04
For index name, I'm gonna call it exchange,
06:09
leave it as events and leave all the rest set to the default for now,
06:14
And I'm going to save this
06:16
click Review up here
06:19
and submit
06:23
From here, I can run a search across my new data.
06:31
It's already, um, picked out my index here that I assigned it. We've got all these events. If you notice, here's kind of the timeline of these events.
06:42
I can look at one of these, and it's broken out some of the fields, such as the source type,
06:48
and along the side here it's got things like hour and day and minute broken out.
06:57
But I'd like to have more fields, so I'm merely going to click here on Extract New Fields.
07:04
So here I'll just select a sample
07:09
event to work with
07:11
click Next.
07:13
And now I can decide between using a regular expression or
07:17
delimiters to break out my fields.
07:21
Delimiters would be a good option if my fields were separated by something like a tab or a special character. So in this case, I'm gonna pick regular expression and hit Next.
07:33
You have the option of writing your own regex here or of trying to have Splunk do the work.
07:40
To try to get an extraction, I'm gonna highlight a field. So we'll look at this first IP
07:46
and click on it,
07:47
and I'm going to name this field ip and hit Add Extraction.
07:53
Now, down at the bottom, we can go and see how this works with other events.
08:00
If we see here, um, on different events, it's pulled out this IP field,
08:05
even with different values.
08:07
I can click here to see if there's anything that doesn't match,
08:09
which leaves nothing, and I think we're in pretty good shape for this.
08:15
Now, for another field,
08:18
I can do the same thing.
08:20
So I'm gonna look at this "to" email address,
08:24
and I'm gonna call this recipient
08:28
and add the extraction.
08:31
Now, if I look at the sample events,
08:35
oops,
08:37
I'm gonna remove that. I got a notification that it failed.
08:43
I'm gonna try and select it again. I think I missed that first letter there. So let's see if this does better.
08:48
recipient
08:52
That worked. But if I scroll down here, there's a problem.
08:58
So I called it recipient,
09:00
um, because it said "to" here, and it made sense for the sample event I had. But now I'm also getting it for "from", so I'd probably want to work more on this field extraction. If I wanted to, I could click Show Regular Expression and write my own,
09:16
but I'm just gonna remove it to keep this video short.
09:22
And we'll keep this IP field.
09:26
click next
09:28
I'll review it, and this all looks good. It points out the IPs on all these different events. Click Next.
09:37
Everything looks good here, and Finish.
09:41
Now I can explore the field I just created in search. So now, if we were to rerun that search, there should be a new field value there
09:50
that we could use, too.
09:54
So we had index,
10:03
index=exchange,
10:07
and
10:09
I need all time, since there were events that were older than the last 24 hours.
10:13
So now, if I look on the left side here, there's a new field. That's our IP field,
10:20
and it gives us a count. So we've got
10:22
12 counts of this 205 IP.
10:26
We could also do other things, like specifically search for a result and see the events related to it. So if I just wanted to see events for that,
10:37
we could pull that out. Or I could do things like run statistics,
10:41
by IP, and a lot of other types of searches that we'll get into in the next module.
10:48
Now that we've successfully added data to our Splunk index, it's quiz time.
10:56
True or false? You should keep all of your data in the same index.
11:03
The answer is false. Breaking out your data into different indexes can help you run searches more efficiently and apply different rules to different types of data.
11:13
In our next video,
11:13
we'll add even more data to Splunk by modifying a config file on the machine where we installed the Universal Forwarder.

Introduction to Splunk

This Splunk training class is designed to quickly introduce you to Splunk and its many capabilities.

Instructed By

Natasha Staples
Incident Response Security Engineer at Arrow Electronics
Instructor