5.2 Searches

Time: 2 hours 29 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00

Hello, we're on Module 5 talking about Splunk searches. Being able to run good searches in Splunk is probably the most important skill set you can develop in Splunk. Not everyone needs to be able to onboard new data types and modify config files, but many people in different jobs have to be able to run searches. Searches can range from extremely simple to very long and complex.

To get started with a search, you can log in to the Splunk web interface and go to the Search and Reporting app. You can run searches using the command line interface or the REST API, but we'll stick to the app on the web interface for this course. Here's a great image from Splunk.com that illustrates the different parts of the Search and Reporting app. The example searches we'll talk about in this video would be entered into the search bar here. You can easily change the time over here next to the search button, and then if you want to save your search, you could go up here. If you want to download the results of your search, you can go down to these search action buttons and click this one here.

You'll probably see the letters SPL a lot in forums. It stands for Splunk Search Processing Language; it means the language around running Splunk searches. Splunk searches can just be about retrieving events for you to look at and review, but Splunk searches can also be transforming searches that transform the retrieved data, such as by performing calculations on them. There are six general categories of search commands. We won't go too much into these, but we will use examples that could fit under different categories.

Here are good things to remember when running searches. The more specific, the better. When you have a small environment like we have, running searches across all events isn't such a big deal. In a production environment, it can take a lot of time and processing power to check across lots of events. Good ways to limit searches are by time, index and other fields. Limiting the timeframe you are searching across is one of the best ways to run an efficient search. Knowing which index you need to check is a good way not to waste time and resources searching unrelated events. If you're working in an environment you don't manage, it's possible you won't be able to search across all indexes because of how your account roles are set up. Other fields are also good to narrow down your search to find just what you're looking for. Like we learned in the last module, fields are searchable name and value pairings. Specifying known fields and their values can help bring up the searches you want.

There are some things to remember when searching for fields. Field names are case-sensitive, but field values are not. This means, if you're searching for a field name called Username and it has a capital U at the beginning, you need to type it this way. If you're looking for username equals Sarah, it doesn't matter if the S is capitalized in Sarah or not. You can also use wildcards when searching. If you know, for example, that the username you're looking for starts with SA, you can put a wildcard. That's the asterisk or star-looking thing at the bottom there after the first two letters, and you'd be able to get results for things like Samantha and Sandy in addition to Sarah. If you have a space in the field values, you should put quotation marks around it. If you're looking for name equals Sarah Smith, you need to format it as name equals "Sarah Smith" with quotation marks.

When searching, you can use Boolean operators like AND, OR and NOT. For example, username equals Sarah AND machine equals host3 will bring up results where events match both of these fields. Username equals Sarah OR machine equals host3 will bring up events that match either field. Username equals Sarah NOT machine equals host3 will bring up events where the username is Sarah when the machine does not equal host3. Using an exclamation mark in front of the equal sign means does not equal, but it's not the same as using the Boolean NOT. When you specify that the field does not equal a value, it requires that value to show up in search results. When you're using the NOT before the field name, you can get results that don't have that field. You can also use parentheses to group values for searches.

You can use pipes to transform and filter your retrieved events. On my keyboard, I can make a pipe by holding the "Shift" key while pushing the "Backslash" key. Some examples of transforming searches might be things like index equals Windows, stats count by host, sort by count. This way, we're able to perform statistics on the results and sort it so that the largest number displays at the top. In the second example, we have results in a table that would show the list of hosts, and then the dedup command removes duplicate hosts in the results. There are so many other examples, and we don't have time to go into them all in this course. You can do many things like look at standard deviations or compare results into lists in a lookup table. You can look for outliers in your results and evaluate and display events in many different ways. Getting used to using the search language in Splunk takes practice. Check the supplemental materials for some lists of other useful example searches.

For our last topic in this video, we'll briefly talk about search modes. When you run a search, you can select the search mode. If you want faster results, you guessed it, you can run in fast mode. If you want to be able to make sure that you're looking at all event data relating to your search, you can run the slower verbose mode search. There's obviously more to this, but that should be enough to get you started.

That was a lot in a short amount of time. For our quiz, please fill in the blank. If you're searching for a field value with a space in the middle, you should use quotation marks. In the example in this video, if you're searching for a field name of name and a field value of Sarah Smith with a space in the middle, you should put quotation marks around it. Great job making it through all of that. In our next video, we'll be using our search knowledge to create alerts.
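As an added illustration (not part of the video transcript, and not Splunk's own code), the following Python models the search rules the video describes on a handful of constructed events: case-sensitive field names, case-insensitive values, the `*` wildcard, the difference between `NOT field=value` and `field!=value`, and the `stats count by ... | sort` and `table ... | dedup` transformations. It is a simplified model of the behaviour described, not Splunk's search engine; the sample events, their field names and the `spl_term` helper are assumptions made for this example.

```python
import re

# Constructed sample events (not real Splunk data). Field names follow the
# video: index, host, username, machine. Note that event 4 carries no
# machine field at all, and event 5 spells the field "Username" with a
# capital U, which Splunk treats as a different field.
EVENTS = [
    {"index": "windows", "host": "host1", "username": "Sarah", "machine": "host3"},
    {"index": "windows", "host": "host1", "username": "sarah", "machine": "host1"},
    {"index": "windows", "host": "host2", "username": "Samantha", "machine": "host2"},
    {"index": "windows", "host": "host2", "username": "Sandy", "machine": "host2"},
    {"index": "windows", "host": "host2", "username": "Sarah"},
    {"index": "windows", "host": "host3", "Username": "Sarah", "machine": "host3"},
    {"index": "linux", "host": "host4", "username": "Sarah", "machine": "host3"},
]


def value_matches(value, pattern):
    """Compare a field value with a search value: case-insensitive, with
    * standing for any run of characters (the wildcard from the video)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def field_matches(event, field, pattern):
    """field=pattern: the field NAME is case-sensitive (a missing or
    differently cased key never matches); the VALUE is not."""
    return field in event and value_matches(event[field], pattern)


def search_eq(events, field, value):
    """field=value. Chain calls to AND several terms together."""
    return [e for e in events if field_matches(e, field, value)]


def search_not(events, field, value):
    """NOT field=value: keeps every event for which the term is false,
    which includes events that do not carry the field at all."""
    return [e for e in events if not field_matches(e, field, value)]


def search_neq(events, field, value):
    """field!=value: the field must be present AND differ from value,
    so events without the field are dropped."""
    return [e for e in events if field in e and not field_matches(e, field, value)]


def stats_count_by(events, field):
    """| stats count by <field> | sort -count  ->  [(value, count), ...]
    with the largest count first (ties broken by value for stability)."""
    counts = {}
    for e in events:
        if field in e:
            counts[e[field]] = counts.get(e[field], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def dedup(events, field):
    """| table <field> | dedup <field>  ->  distinct values, first-seen order."""
    seen = []
    for e in events:
        if field in e and e[field] not in seen:
            seen.append(e[field])
    return seen


def spl_term(field, value):
    """Render field=value for the search bar (assumed helper). Values with
    spaces, quotes or backslashes are wrapped in double quotes, and inner
    quotes and backslashes are escaped so the value stays one string."""
    if any(c.isspace() for c in value) or '"' in value or "\\" in value:
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}="{escaped}"'
    return f"{field}={value}"


if __name__ == "__main__":
    windows = search_eq(EVENTS, "index", "windows")
    sarah = search_eq(EVENTS, "username", "sarah")
    print("username=sa* ->", len(search_eq(EVENTS, "username", "sa*")), "events")
    print("username=sarah NOT machine=host3 ->", len(search_not(sarah, "machine", "host3")))
    print("username=sarah machine!=host3   ->", len(search_neq(sarah, "machine", "host3")))
    print("stats count by host | sort -count ->", stats_count_by(windows, "host"))
    print("table host | dedup host ->", dedup(windows, "host"))
    print(spl_term("name", "Sarah Smith"))
```

The comparison to take away is `search_not` against `search_neq`: the Sarah event that has no `machine` field survives `NOT machine=host3` but is dropped by `machine!=host3`, which is exactly why the two forms return different counts in a real index where a field is not populated on every event.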