Introduction to Splunk

00:00

Hello. My name is Dustin, and welcome to monitoring network traffic.

00:04

All right, so let's go ahead and start our Splunk free demo. So, like I said, you will need to download and install *** free, which you can get from Splunk dot com. You just need to create a quick account. Um, and the free version does have that index limited to 500 megabits per day.

00:22

So let's go ahead and hop in our window. Seven virtual machine.

00:26

As you can see, I have already downloaded it and ran through the installer. So now we're gonna go ahead and launch the browser with the Splunk Enterprise Edition

00:35

and you click finish,

00:39

and it'll pop right up.

00:47

And it is running on the local host on Port 8000.

00:52

So let's go.

00:54

All right, so the first this is our first time signing in. So it tells you right there. The user name is admin, and the password is changed me.

01:03

So we will sign in

01:07

and we're gonna change the password, and we're just going to do something real quick. Als do Sai Buri.

01:15

It's Sai Buri.

01:25

All right. And so here it pops in. So we're gonna use the free license, so that's no problem there. Go ahead and hit Save.

01:36

And this is an older version. So it may cause some issues with the licensing. But let's go ahead and restart,

01:44

because we do need to do that in order for it to update the license,

01:48

we are going to restart.

01:53

And it maintained just a quick minute here.

02:08

All like, the restart was successful. So we'll go ahead and log back into your

02:15

We're gonna skip the update.

02:28

All right, So you can see it did log us right in. This is kind of how it will look like we need first look at it. So first, we're gonna choose a home dashboard

02:38

and we'll do one of their pre built ones.

02:42

Right? Let's see one information we've got here. You've got a lot of stuff.

02:47

Let's go ahead and just do

02:53

see, we're not gonna have a lot of data going into it just yet,

02:57

So let's, um well, just click the instance one

03:08

and it'll load that dash word. But the nice thing about Splunk that does have a link to the documentation right here. So that's definitely good. But let's go and get some data added in here, so we're gonna add data.

03:45

All right, so we're going to actually upload Splunk story Aled data. That way we can add that. So we go ahead and click the upload button here, and we're gonna select our file

03:58

and this you can get from the Splunk website. It's just called the tutorial data.

04:10

All right, See?

04:13

So go to computer

04:15

an idea have in that shared folder.

04:19

There we go with tutorial data dot zip. And as you noticed, I didn't unzip the file. That is for the *** instructions. So looks lying. Selected file. We are good. So good hit next.

04:35

Gonna modify the host, which actually right here, segment in path. And again, this is according to Splunk tutorial, which I will add a link to

04:48

We're gonna type one for the segment number.

04:55

It looks like everything else should be corrected. Is double checking everything here since quitting. Review that

05:01

upload file with Semitic.

05:06

All right, so we have got some data into our Splunk system now,

05:13

so we're gonna go ahead and search. Let's go to, um, start searching,

05:24

and this is where *** will really start to get more useful when you when you got that data in there. So, as you can see, we do have the source command. And the source for data is the tutorial data. Does it? That's that file that we uploaded.

05:40

You can, if you had other sources, is where you can specify the if you're only looking for data from

05:45

one source.

05:49

Okay, Now that we've got our data in here, what we're going to do is go over just a couple of those helpful commands that I mentioned in the slideshow. So first, let's go ahead and just see what data we've got. So over here on the left, you can see we've got one host, eight sources and three different source types.

06:10

And then here's all the different data that we've got so saying, Let's see what we have a lot of for.

06:20

Let's do a table

06:24

based on the date underscore. Second. So up here, we've got our sources that tutorial data and will use the pipe symbol on immune LeBeau table, and then you're in a duty date. Underscore second, and this will organize our results based on the date second field,

06:45

so we'll let it load

06:47

this feels particularly, um,

06:51

useful. But you can see here it is just the date. 2nd 1 And you can add different columns if you'd like. So if we go back to the original data,

07:05

What a load again.

07:13

All right? And so say maybe we were looking for the accounting I d um, And the vendor i d so again type. And he will do

07:25

a C c t i d.

07:29

And then also the vendor I d.

07:33

There we go.

07:38

Oops.

07:40

Make sure you take in the

07:42

correct information. There's we want table with the accounting I d in the vendor. I d.

07:47

Okay, so now we've got our table with the account I d in the vendor I d. And you can see. Um Do you have duplicates there? Doesn't look like you've got any duplicates.

08:00

So let's actually go back. We'll find something with duplicates and go back to your original data.

08:24

So let's do a

08:35

looking through here to see what we've got.

08:37

Looks like gettable

08:39

table. You are. I

08:43

and I think it was underscore query.

09:07

All right, So you can see we've got a lot of stuff here, so let's when pipe it one more time

09:13

and do our stats command.

09:28

And as you can see, you've got quite a bit in the count. And it will actually account for each time that that that field is matched.

09:35

All right, so now, with better data in here, we've done some queries. Let's see what else we've got. So there is the reporting tab, as you can see here. And this is where you can actually create reports based on the data that's in here. Um, so it does have it Looks like some pre built reports here, so let's see. Um

09:54

not sure if we're gonna have any, but let's do

09:58

What's this Do? Um,

10:00

we'll do Splunk errors in the last 24 hours and see if we've got any errors. So you just click the report that you want to generate,

10:07

and it will go through pretty quickly here.

10:13

All right, so it looks like we do have some errors over the last 24 hours, and here you can actually print report exported into, like, a CSP file or pdf, whatever is easier for you and, um, so it's really easy to generate reports on any of the data that you have

10:31

and let's go back here.

10:35

And so our next option we have is alerts,

10:41

and this is where it doesn't look like it's available with my license. But this is where you can actually set alerts based on certain things with data. So if you wanted to see, um, a specific call out Teoh, a command control server that you're aware of you can set an alert for that. So if you're passing on your network traffic into it,

11:01

you can see when a computer calls out to that domain.

11:05

And then, of course, you do have your dashboards. And this is where you can build a ton of different dashboards based on the data that is, in your ***, things. So it looks like, um, we've only got the one right now.

11:18

Let's see here, and you can't edit all of them. It tells you who the owner is. So if you had different users, they can each have their own dashboards,

11:31

and it doesn't look like we've got any orphan schedule, searches, reports or alerts right now. Um,

11:37

but that is all there. So it's pretty easy to use. Its got a nice, gooey interface. Um the query kit, the ***, *** language can be a little confusing at first, but the more you use it, the easier it gets. And there's a ton of information out there, um, to kind of go over different queries that you should know where, how to format data.

11:56

And then

11:58

there's also people share stuff that they've they've done before. So if they've created a specific query for, like, um

12:05

ah, a new vulnerability that just came out,

12:07

they can share that and a lot of different Simms used the ***, query language or something really similar to it. So you can actually just plug that query in and you're good to go.

12:18

That is all for this Splunk demo. It was just a quick demo and how to get it up and running in a VM. And then we're just using that demo data,