Maybe you've heard about Splunk, but don't know how to use it to take control of big data? Have you used Splunk, but want to learn how to set it up and use it properly? If so, this course is for you.
In this course, you will work with Splunk from the ground up. You'll learn the basics of Splunk terminology, and how to use the Splunk web interface to find data. You'll also build your own Splunk environment, add data to the Common Information Model (CIM), create dashboards, and find events within data. Finally, you'll master advanced searching techniques that are especially useful to those in network, security, and system administration roles.
The course also covers the latest additions brought in for Splunk 8 and helps you quickly perform an upgrade. By the end of the course, you will be confident about using Splunk and will be well on the road to becoming a proficient Splunk architect and administrator as quickly as possible.
About the Author
Tom Kopchak is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of network and Splunk engineers but is still an engineer and technology geek at heart. Tom is a Splunk Certified Architect and Accredited Consultant with several years' experience building, designing, and managing Splunk deployments; he also manages teams of Splunk engineers, designs Splunk deployment strategies, and develops Splunk training materials.
He holds a Master’s degree in Computing Security from the Rochester Institute of Technology and has spoken at numerous Infosec conferences around the country (including Splunk .conf and DEFCON). You will often find him researching digital forensics topics or tinkering with any and all forms of computer hardware. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.
This video gives you an overview of the course.
Explore Splunk, who uses it, and what you can do with Splunk.
• Describe what Splunk is
• Discuss who uses Splunk
• Discuss what you can do with Splunk
Explore Splunk logs, the usefulness of these logs, and what you can do once you capture them.
• Explore the origin of the logs
• Discuss what the logs tell us
• Discuss why someone might want to search logs
This is the first hands-on activity: you deploy the underlying system and OS and configure it to support the rest of the labs in the course.
• Deploy an Ubuntu Linux system in AWS
• Configure networking and security groups to allow for sample data
• Prepare the OS for the installation of Splunk
Explore the Splunk installation process on your Linux machine.
• Discuss the lab deployment methodology for Splunk
• Install Splunk on your lab system
• Confirm your Splunk installation is working with a search
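The two activities above, as an added example that is not part of the course: a script for the Ubuntu lab host that opens only the lab ports to your own address, applies the OS settings Splunk's install documentation asks for, refuses to unpack a tarball whose SHA-256 does not match the value published on the download page, seeds the admin password instead of leaving a default, and confirms the install with a search. SPLUNK_HOME=/opt/splunk, the "splunk" service user, the tarball name, the all-zero placeholder hash, the security group id, the ADMIN_PASS variable and the lab_inputs app name are this example's assumptions, not values from the course.

```bash
#!/usr/bin/env bash
# Added example (not from the course): prepare the Ubuntu lab host and install
# Splunk Enterprise from the tarball. Assumed values: SPLUNK_HOME=/opt/splunk,
# a "splunk" service user, a placeholder tarball name and SHA-256 (replace both
# with the values shown on the download page), and an AWS security group id.
set -e

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_TGZ="${SPLUNK_TGZ:-splunk-8.0.0-linux-2.6-x86_64.tgz}"                                     # assumed name
SPLUNK_SHA256="${SPLUNK_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"  # placeholder

# verify_sha256 FILE EXPECTED_HEX -> 0 when FILE hashes to EXPECTED_HEX (any case),
# 1 when it does not or FILE is missing. Run this before unpacking anything you
# downloaded; the hash on the download page is what ties the tarball to the vendor.
verify_sha256() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -f "$file" ] || return 1
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# open_lab_ports SG_ID MY_IP: allow the web UI (8000) and the management port
# (8089) from one address only, never from 0.0.0.0/0. Add one rule per sender
# for sample data the same way.
open_lab_ports() {
  for port in 8000 8089; do
    aws ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp --port "$port" --cidr "$2/32"
  done
}

# prepare_os: a non-root service user, raised file/process limits, and
# transparent huge pages off, as the Splunk install docs ask for on Linux.
prepare_os() {
  id splunk >/dev/null 2>&1 || useradd -r -s /bin/bash -d "$SPLUNK_HOME" splunk
  cat > /etc/security/limits.d/99-splunk.conf <<'EOF'
splunk soft nofile 64000
splunk hard nofile 64000
splunk soft nproc  16000
splunk hard nproc  16000
EOF
  thp=/sys/kernel/mm/transparent_hugepage/enabled
  [ -w "$thp" ] && echo never > "$thp" || true
}

# install_splunk: unpack only a tarball whose checksum matches, seed the admin
# password, do one non-interactive first start as the service user, register
# the systemd unit, and confirm the instance answers a search.
install_splunk() {
  : "${ADMIN_PASS:?set ADMIN_PASS to the initial admin password}"
  verify_sha256 "$SPLUNK_TGZ" "$SPLUNK_SHA256" || { echo "checksum mismatch: refusing to install $SPLUNK_TGZ" >&2; return 1; }
  tar -xzf "$SPLUNK_TGZ" -C "$(dirname "$SPLUNK_HOME")"
  mkdir -p "$SPLUNK_HOME/etc/system/local"
  printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$ADMIN_PASS" > "$SPLUNK_HOME/etc/system/local/user-seed.conf"
  chown -R splunk:splunk "$SPLUNK_HOME"
  su - splunk -c "$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes --no-prompt"
  su - splunk -c "$SPLUNK_HOME/bin/splunk stop"
  "$SPLUNK_HOME/bin/splunk" enable boot-start -systemd-managed 1 -user splunk
  chown -R splunk:splunk "$SPLUNK_HOME"
  systemctl start Splunkd
  su - splunk -c "$SPLUNK_HOME/bin/splunk search 'index=_internal | head 1' -auth admin:$ADMIN_PASS"
}

case "${1:-}" in
  ports)   open_lab_ports "$2" "$3" ;;
  prepare) prepare_os ;;
  install) install_splunk ;;
esac
```

Run it as root in three steps: `./lab.sh ports sg-xxxx 203.0.113.7`, `./lab.sh prepare`, then `ADMIN_PASS=... ./lab.sh install` with SPLUNK_TGZ and SPLUNK_SHA256 exported from the download page. The checksum function is the part worth keeping in every install script: a tarball fetched over the network is the one supply-chain input to this whole lab.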
Understanding Splunk terminology and exploring definitions of unfamiliar Splunk-related terms.
• Describe what Splunk Splexicon is
• Learn where to explore definitions of Splunk terms
• Preview the rest of the section
Understanding what an “event” in Splunk is.
• Understand an event as a single piece of data in Splunk
• Learn what metadata every event has
• Demonstrate an event in the Splunk UI
Understanding the concept of search and the primary way users navigate data in Splunk.
• Understand what can be done in the search interface
• Identify the time range picker
• Identify the search bar
Understanding reports, which are saved searches.
• Understand that a report is simply a saved search
• Understand that reports can be scheduled
• Explore reports in the search interface
Exploring dashboards, which are the user interface to your data.
• Understand the dashboard terminology
• Understand that dashboards are powered by searches
• Explore a sample dashboard
Exploring SPL, the Splunk search processing language.
• Understand the structure of SPL syntax
• Understand the types of operations SPL supports
• Explore a sample SPL query
Understanding sourcetypes or how the structure of data in events is identified.
• Understand the importance of sourcetypes
• Understand some common sourcetypes
• Learn how to use sourcetypes to quickly find the data you need
Exploring indexes or how data is stored in Splunk.
• Understand what an index is
• Understand why different indexes are used
• Understand how indexes are stored in Splunk
Understanding knowledge objects and fields, which help make your data understandable.
• Identify sample knowledge objects
• Identify fields and why they are useful
• Explore sample fields in a search
Exploring lookup tables, a way to enrich the data in your logs.
• Learn what a lookup table does
• Identify why a lookup table is useful
• Understand an example lookup table
Understanding how to work with time in Splunk, and how to leverage Splunk’s relative time syntax in searches to consistently locate the data you are looking for.
• Learn how Splunk uses relative time syntax (and how you have been using it so far through the time range picker)
• Experiment with the earliest and latest time modifiers in a search
• Explore Splunk's relative time syntax, including snap-to modifiers such as -24h@h
Understanding the roadmap for onboarding data into Splunk and preparing you for the hands-on activities in the next video.
• Learn how to approach data onboarding
• Learn what information you need when onboarding data
• Understanding the value of experimenting with your data
Onboarding Linux authentication logs into Splunk.
• Collect the required information to onboard data
• Configure Splunk to monitor a log file
• Search for the newly onboarded data
Understanding how to use Splunk apps to assist with field extractions for your authentication logs.
• Identify Splunk apps associated with your data source
• Install a Splunk app
• Observe the benefits of using a Splunk app with your data
Understanding tips for approaching data onboarding when an app doesn’t already exist.
• Understand the value of existing apps
• Learn that apps are not required, they just make it easier
• Identify situations where a custom app may be required
Exploring how Splunk configurations are recorded in configuration files.
• Learn how Splunk configuration settings are stored
• Find the inputs.conf setting associated with your authentication logs
• Use btool to find which configuration file a setting comes from
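The onboarding activity and the configuration-file walkthrough above, as an added example that is not part of the course: a script that renders the inputs.conf monitor stanza for /var/log/auth.log, refuses index names Splunk would reject, writes the stanza into a small local app, gives the splunk user read access to the file (Ubuntu ships auth.log as root:adm with mode 0640, so a forwarder that runs as "splunk" cannot read it by default), and then asks btool where the effective setting comes from. The app name lab_inputs, the index name linux_auth and the ADMIN_PASS variable are assumptions; linux_secure is the sourcetype the Splunk Add-on for Unix and Linux uses for this file.

```bash
#!/usr/bin/env bash
# Added example (not from the course): onboard /var/log/auth.log through an
# inputs.conf stanza in a local app and verify the merged config with btool.
# Assumed: app lab_inputs, index linux_auth, sourcetype linux_secure, ADMIN_PASS.
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# validate_index_name NAME -> 0 if NAME is a legal Splunk index name: lowercase
# letters, digits, underscore and hyphen only, not starting with _ or -.
# Events sent to an index that does not exist are dropped, so check the name
# before you write the stanza rather than after the data is gone.
validate_index_name() {
  case "$1" in
    ''|_*|-*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9_-]+$'
}

# render_monitor_stanza PATH INDEX SOURCETYPE -> the inputs.conf stanza on stdout.
# The stanza header is "monitor://" followed by the absolute path, which is why
# a file input always shows three slashes.
render_monitor_stanza() {
  path="$1"; index="$2"; sourcetype="$3"
  case "$path" in
    /*) ;;
    *)  echo "path must be absolute: $path" >&2; return 1 ;;
  esac
  validate_index_name "$index" || { echo "illegal index name: $index" >&2; return 1; }
  printf '[monitor://%s]\n' "$path"
  printf 'index = %s\nsourcetype = %s\ndisabled = false\n' "$index" "$sourcetype"
}

# deploy_input: create the index, write the stanza into the app's local
# directory, grant read access, show the merged setting, restart so the new
# group membership and the new input take effect.
deploy_input() {
  app_local="$SPLUNK_HOME/etc/apps/lab_inputs/local"
  mkdir -p "$app_local"
  "$SPLUNK_HOME/bin/splunk" add index linux_auth -auth "admin:$ADMIN_PASS"
  render_monitor_stanza /var/log/auth.log linux_auth linux_secure >> "$app_local/inputs.conf"
  usermod -aG adm splunk
  # btool merges every inputs.conf in precedence order; --debug prefixes each
  # line with the file it came from, which is how you find the stanza you wrote.
  "$SPLUNK_HOME/bin/splunk" btool inputs list 'monitor:///var/log/auth.log' --debug
  "$SPLUNK_HOME/bin/splunk" restart
}

case "${1:-}" in
  deploy) deploy_input ;;
esac
```

If btool shows the stanza coming from etc/system/local or another app instead of lab_inputs/local, a higher-precedence file already defines the same input; fix it there rather than adding a second copy.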
Understanding the core infrastructure behind a distributed Splunk environment: the indexers and search heads.
• Learn what a Splunk indexer does
• Learn what a Splunk search head does
• Understand requirements and deployments of indexers and search heads
Exploring forwarders, which are supporting infrastructure that assist with getting data into Splunk.
• Understand the use of forwarders
• Learn about the two main types of forwarders
• Learn where universal forwarders are deployed and why
Understanding how syslog data is ingested into Splunk using a syslog receiver.
• Learn why direct TCP or UDP inputs on the indexer should not be used for syslog
• Learn the best practices for ingesting syslog
• Identify a file structure that works well for this data
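The syslog layout described above, as an added example that is not part of the course: rsyslog receives on 514, writes one directory per sending host with one file per day, and a forwarder monitors the tree with host_segment so each event is attributed to the sender rather than to the syslog server. The daemon keeps accepting packets while Splunk restarts or is upgraded, which is the main reason not to point senders at a splunkd UDP input. The tree root /var/log/remote, the index network, the app lab_inputs and the file permissions are assumptions; restrict 514/udp and 514/tcp in the security group to the senders' addresses.

```bash
#!/usr/bin/env bash
# Added example (not from the course): receive syslog with rsyslog into one
# directory per sending host and monitor that tree with a forwarder, instead of
# opening a TCP/UDP input on splunkd. Assumed: root /var/log/remote, index
# network, sourcetype syslog, app lab_inputs.
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SYSLOG_ROOT="${SYSLOG_ROOT:-/var/log/remote}"

# render_rsyslog_conf -> an /etc/rsyslog.d drop-in. Each sender gets its own
# directory and each day its own file, so old files can be rotated away without
# touching the one being written. Local messages stay in the default files.
render_rsyslog_conf() {
  cat <<EOF
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")
input(type="imtcp" port="514")
template(name="PerHost" type="string"
         string="$SYSLOG_ROOT/%HOSTNAME%/%\$YEAR%-%\$MONTH%-%\$DAY%.log")
if \$fromhost-ip != "127.0.0.1" then {
  action(type="omfile" dynaFile="PerHost" dirCreateMode="0755" fileCreateMode="0644")
  stop
}
EOF
}

# host_segment_for ROOT -> the host_segment value for files directly under ROOT.
# Splunk numbers path segments from 1 after the leading slash, so for
# /var/log/remote/<host>/<day>.log the host is segment 4 (var=1, log=2, remote=3).
host_segment_for() {
  printf '%d\n' $(( $(printf '%s' "$1" | tr -cd '/' | wc -c) + 1 ))
}

# host_from_path PATH SEGMENT -> the host value Splunk would assign at index
# time; check the stanza against a real path before deploying it.
host_from_path() {
  printf '%s\n' "$1" | cut -d/ -f"$(( $2 + 1 ))"
}

# render_syslog_input -> inputs.conf stanza for the tree. The whitelist keeps
# anything that is not a .log file (state files, editor backups) out of the index.
render_syslog_input() {
  seg="$(host_segment_for "$SYSLOG_ROOT")"
  printf '[monitor://%s]\n' "$SYSLOG_ROOT"
  printf 'index = network\nsourcetype = syslog\nhost_segment = %s\ndisabled = false\n' "$seg"
  printf 'whitelist = \\.log$\n'
}

case "${1:-}" in
  rsyslog) render_rsyslog_conf > /etc/rsyslog.d/10-remote.conf && systemctl restart rsyslog ;;
  input)   mkdir -p "$SPLUNK_HOME/etc/apps/lab_inputs/local"
           render_syslog_input >> "$SPLUNK_HOME/etc/apps/lab_inputs/local/inputs.conf" ;;
esac
```

The off-by-one in host_segment is the usual mistake with this layout: counting from the directory name instead of from the leading slash assigns the string "remote" as the host of every event.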
Exploring the deployment server, which is Splunk’s configuration enforcement mechanism.
• Understand the role of the deployment server
• Learn about the deployment apps and their uses
• Observe a sample deployment server in action
Understanding an overview of Splunk’s licensing model.
• Learn how Splunk is licensed
• Learn what happens when a license violation occurs
• Investigate your license utilization and usage
Exploring the various clustering mechanisms that exist in Splunk.
• Learn about indexer replication clustering
• Learn about multisite clustering
• Learn about search head clustering
Understanding an example of a larger Splunk distributed environment and how the components we’ve reviewed throughout this section work together.
• Learn what a larger Splunk deployment looks like
• Understand how clustering is deployed for better availability
• Understand that a larger Splunk deployment typically consists of many separate systems
Understanding Splunk apps and how they’re used to customize and configure Splunk.
• Learn what constitutes a Splunk app
• Understand that apps can be very simple or very complex
• Learn about Splunk Enterprise Security, a Splunk premium app
Exploring Splunk search and the choices that result in poor search performance, including common pitfalls when writing Splunk searches.
• Understand the ordering of search commands and its significant performance impact
• Identify possible options for improving the performance of a search
• Learn a few resource-intensive search commands to avoid
Exploring collection of iptables logs into your Splunk installation.
• Enable iptables logging on your Linux machine
• Modify inputs.conf to collect the firewall logs
• Search for the iptables logs in Splunk
Understanding the Common Information Model (CIM), one of the most effective mechanisms for getting the most out of Splunk and working with many different types of data in a consistent way.
• Understand why data normalization is important
• Discuss the value of consistency and how it enables event correlation
• Explore some of the data models available in Splunk
Understanding how to use a Splunk app to apply CIM to your newly onboarded firewall logs.
• Identify a candidate app and the CIM version it supports
• Install the candidate app
• Observe the changes in the search interface and new fields created
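The iptables collection activity and the CIM application above, as an added example that is not part of the course: a script that enables logging of dropped inbound connections, collects /var/log/kern.log, and shows what a key-value extraction and CIM normalization have to produce for those lines, first as shell you can run on one sample line and then as the props.conf and transforms.conf that do the same thing inside Splunk. The log prefix "IPT-DROP: ", the index firewall, the sourcetype iptables, the app lab_inputs and the sample line are constructed for this example; the config is illustrative and not copied from any published add-on.

```bash
#!/usr/bin/env bash
# Added example (not from the course): turn on iptables logging, collect
# /var/log/kern.log, and see the raw fields a key-value extraction yields and
# the CIM names they map to. Assumed: prefix "IPT-DROP: ", index firewall,
# sourcetype iptables, app lab_inputs; props/transforms are illustrative.
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# A constructed kern.log line in the format the LOG target writes (not real traffic).
SAMPLE_LINE='Mar  3 10:15:02 lab kernel: [ 1234.567890] IPT-DROP: IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:ac:11:00:01:08:00 SRC=203.0.113.45 DST=10.0.0.12 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=54321 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# enable_iptables_logging: log, then drop, inbound TCP connection attempts that
# nothing earlier in INPUT accepted. SSH is accepted first so you do not lock
# yourself out of the instance; the limit match keeps a port scan from
# flooding kern.log. rsyslog's default kern.* rule files these messages.
enable_iptables_logging() {
  iptables -C INPUT -p tcp --dport 22 -j ACCEPT 2>/dev/null || iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  iptables -N LOGDROP 2>/dev/null || true
  iptables -F LOGDROP
  iptables -A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPT-DROP: " --log-level 4
  iptables -A LOGDROP -j DROP
  iptables -A INPUT -p tcp --syn -j LOGDROP
}

# extract_kv LINE -> one "KEY=value" per line, the pairs a transforms.conf rule
# with REGEX = ([A-Z]+)=(\S*) and FORMAT = $1::$2 produces. Bare flags such as
# DF and SYN carry no "=" and never become fields; OUT= yields an empty value.
extract_kv() {
  printf '%s\n' "$1" | grep -oE '[A-Z]+=[^ ]*' || true
}

# kv_get PAIRS KEY -> the value of KEY from extract_kv output, empty if absent.
kv_get() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# cim_normalize LINE -> the Network Traffic data model fields for one event
# (src, dest, dest_port, transport, action), computed here so you can compare
# with what the search head shows once the CIM-compliant app is installed.
cim_normalize() {
  kv="$(extract_kv "$1")"
  case "$1" in
    *'IPT-DROP:'*)   action=blocked ;;
    *'IPT-ACCEPT:'*) action=allowed ;;
    *)               action=unknown ;;
  esac
  printf 'src=%s\ndest=%s\ndest_port=%s\ntransport=%s\naction=%s\n' \
    "$(kv_get "$kv" SRC)" "$(kv_get "$kv" DST)" "$(kv_get "$kv" DPT)" \
    "$(kv_get "$kv" PROTO | tr 'A-Z' 'a-z')" "$action"
}

# The search-time config that does the same mapping inside Splunk: FIELDALIAS
# for straight renames, EVAL for derived values. Tag the events "network" and
# "communicate" (eventtypes.conf + tags.conf) so the Network Traffic data
# model picks them up.
render_cim_transforms() {
  cat <<'EOF'
[iptables_kv]
REGEX = ([A-Z]+)=(\S*)
FORMAT = $1::$2
EOF
}
render_cim_props() {
  cat <<'EOF'
[iptables]
REPORT-kv = iptables_kv
FIELDALIAS-cim-src = SRC AS src
FIELDALIAS-cim-dest = DST AS dest
FIELDALIAS-cim-src-port = SPT AS src_port
FIELDALIAS-cim-dest-port = DPT AS dest_port
EVAL-transport = lower(PROTO)
EVAL-action = case(match(_raw, "IPT-DROP:"), "blocked", match(_raw, "IPT-ACCEPT:"), "allowed")
EOF
}

case "${1:-}" in
  enable) enable_iptables_logging ;;
  deploy) local_dir="$SPLUNK_HOME/etc/apps/lab_inputs/local"; mkdir -p "$local_dir"
          printf '[monitor:///var/log/kern.log]\nindex = firewall\nsourcetype = iptables\ndisabled = false\n' >> "$local_dir/inputs.conf"
          render_cim_transforms > "$local_dir/transforms.conf"
          render_cim_props > "$local_dir/props.conf" ;;
esac
```

Running cim_normalize on the sample line gives src=203.0.113.45, dest=10.0.0.12, dest_port=22, transport=tcp, action=blocked; after the app is installed, the same search that showed only SRC, DST and DPT also shows those CIM names, which is the change the last bullet above asks you to observe.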
Understanding the Splunk UI and search interface.
• Learn what you can search in Splunk
• Identify when case sensitivity matters
• Recognize supported Boolean operations in search
Exploring fields, which help make your data more accessible.
• Identify the default fields for every event: host, source, and sourcetype
• Recall that field names are case sensitive; field values are not
• Understand how to use wildcards and CIDR notation in search
Exploring some searching exercises in the Splunk WebUI.
• Search your firewall logs
• Practice using the time range picker and logical operators
• Share and export your search results
Exploring different search modes available in Splunk and common pitfalls when the wrong mode is used.
• Identify the search mode selector in the Splunk WebUI
• Understand differences between fast mode, smart mode, and verbose mode
• Understand how fields may not display as expected when fast mode is used
Understanding the differences in the Splunk search modes in a hands-on activity.
• Observe the results of running searches in each search mode
• Identify the different field extraction behaviors in each mode
• Recognize the performance impact of field extractions
Understanding many of the powerful reporting functions available within the Splunk search pipeline.
• Use the WebUI options that automatically add statistical functions to searches
• Run searches with basic statistical functions, such as top values
• Experiment with various visualization options
Understanding the use of the Splunk search pipeline in a hands-on activity.
• Create a search using your firewall logs
• Experiment with different visualizations for your data
• Save your results as a report that can be viewed later
Bringing together the course material so far to create tables in Splunk.
• Identify popular use cases for tables in Splunk
• Explore available fields and identify the relevant ones
• Create a table from search results
Understanding the use of tables in a hands-on activity.
• Explore your firewall and authentication logs, and identify useful fields
• Create tables using your data
• Save these searches as reports to be used later
Understanding another reporting command in Splunk: chart.
• Discuss the usage of the chart command
• Identify the similarities between the chart and table commands
• Create a chart using data in Splunk
Understanding Splunk’s ability to create a time-series chart using the timechart command.
• Understand when timechart is the best representation for your data
• Identify some of the available options
• Learn the differences between the timechart and chart commands
Understanding how Splunk can automatically associate geographic information to IP addresses.
• Learn the iplocation and geostats commands
• Understand how the iplocation and geostats commands are used together
• Create tables and maps with geographic information for IP addresses
Exploring the most powerful command in the Splunk search interface – eval.
• Understand the use of the eval command and some of its available functions
• Review the Splunk documentation for the eval command
• Experiment with the eval command in your search results
Understanding the rename command to make tables more presentable and user-friendly.
• Learn when to use the rename command
• Learn how to use quotes in the search interface to achieve the correct results
• Create a table and modify the headers using rename
Exploring some of the search commands and experimenting with how they are used.
• Create a chart using your firewall or authentication logs
• Create a table using these same logs and use commands to modify the results
• Save these tables and charts as a report to be used later
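The search performance section and the reporting commands from stats through rename, as an added example that is not part of the course: the four searches are written in the order the course recommends (filter by index and sourcetype in the base search, transform, then present), and a small pre-flight check flags the pitfalls listed earlier before a search is run from the lab shell. The index and field names assume the constructed lab data used elsewhere on this page (index firewall, sourcetype iptables, CIM names src, dest_port, transport, action; index linux_auth, sourcetype linux_secure), ADMIN_PASS is assumed, and the lint rules are this example's own heuristics rather than a Splunk feature.

```bash
#!/usr/bin/env bash
# Added example (not from the course): the searches from this section, run from
# the lab shell, plus a pre-flight check for the performance pitfalls above.
# Assumed: index firewall / sourcetype iptables with CIM names src, dest_port,
# transport, action; index linux_auth / sourcetype linux_secure; ADMIN_PASS.
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# stats then sort/head, and rename last; quote column names containing spaces.
SEARCH_TOP_BLOCKED='index=firewall sourcetype=iptables action=blocked
  | stats count AS hits dc(dest_port) AS ports_tried BY src
  | sort -hits | head 20
  | rename src AS "Source IP", hits AS "Blocked packets", ports_tried AS "Distinct ports"'

# chart: one row per user, one column per source address.
SEARCH_AUTH='index=linux_auth sourcetype=linux_secure "Failed password"
  | rex "Failed password for (invalid user )?(?<user>\S+) from (?<src>\S+)"
  | chart count OVER user BY src'

# timechart: the same count bucketed by time; span sets the bucket width.
SEARCH_TIMECHART='index=firewall sourcetype=iptables
  | timechart span=15m count BY transport'

# eval + cidrmatch drop the internal range, iplocation adds lat/lon/Country,
# geostats aggregates them for a map panel.
SEARCH_GEO='index=firewall sourcetype=iptables action=blocked
  | eval internal=if(cidrmatch("10.0.0.0/8", src), "yes", "no")
  | search internal=no
  | iplocation src
  | geostats count BY Country'

# spl_lint SEARCH -> one warning per finding, then the number of findings.
spl_lint() {
  q="$(printf '%s' "$1" | tr -s '\n ' '  ')"
  base="${q%%|*}"            # everything before the first pipe
  n=0
  case "$base" in
    *index=*) ;;
    *) echo "warn: no index= in the base search; every index you can read gets scanned"; n=$((n+1)) ;;
  esac
  case "$base" in
    *'=*'[![:space:]]*) echo "warn: leading wildcard in a term; the index cannot narrow it"; n=$((n+1)) ;;
  esac
  case "$q" in
    *'| join '*|*'| transaction '*) echo "warn: join/transaction are expensive; prefer stats ... BY"; n=$((n+1)) ;;
  esac
  case "$q" in
    *'| table '*'| stats '*|*'| table '*'| chart '*|*'| table '*'| timechart '*)
      echo "warn: table before a transforming command; put table last"; n=$((n+1)) ;;
  esac
  echo "$n"
}

# run_search SEARCH [EARLIEST] [LATEST]: refuse a search the lint flags, then
# run it with the CLI. The time modifiers use the same relative syntax as the
# picker: -24h@h is 24 hours ago snapped back to the top of the hour.
run_search() {
  [ "$(spl_lint "$1" | tail -n 1)" = 0 ] || return 1
  "$SPLUNK_HOME/bin/splunk" search "$1" -earliest_time "${2:--24h@h}" -latest_time "${3:-now}" \
    -auth "admin:$ADMIN_PASS" -maxout 0
}

case "${1:-}" in
  run) for s in "$SEARCH_TOP_BLOCKED" "$SEARCH_AUTH" "$SEARCH_TIMECHART" "$SEARCH_GEO"; do run_search "$s"; done ;;
esac
```

The lint deliberately looks only at the base search for the index and wildcard checks: a later "| search" narrows results after they have already been read from disk, which is the ordering point the course makes.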
Exploring dashboards, understanding how to create a dashboard, and how dashboards work in Splunk.
• Learn some basic dashboard terminology
• Create a dashboard and add a panel from a report
• Add additional panels to your dashboard
Creating your own dashboards in your Splunk instance.
• Create a new dashboard and add the reports created earlier
• Add additional panels to your dashboard
• Adjust the look and feel of your dashboards
Exploring release cycles for new versions of the Splunk software.
• Discuss the cadence of new versions (roughly twice a year)
• Understand the maintenance releases and their purpose
• Identify the supported lifecycle for Splunk versions
Understanding some of the new features and changes in Splunk 8.0.
• Locate the Splunk release notes in the Splunk documentation
• Understand some of the changes in Splunk 8.0
• Learn about the Python 3.7 migration
Understanding the process for planning a Splunk upgrade.
• Understand the known issues and upgrade recommendations in the Splunk documentation
• Review your configuration and apps for possible incompatibilities
• Understand app compatibility with different Splunk versions
Exploring the process of backing up the configuration of an existing Splunk instance.
• Learn how to back up the Splunk kvstore
• Learn how to back up Splunk
• Watch a demonstration of the backup process
Exploring the process of upgrading an existing Splunk installation.
• Learn the process of upgrading Splunk
• Upgrade Splunk apps in your environment
• Execute the Splunk upgrade
Learning to perform an upgrade of your Splunk environment.
• Back up your Splunk environment
• Perform the Splunk upgrade
• Validate Splunk functionality after the upgrade
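The backup walkthrough and the upgrade activity above, as an added example that is not part of the course: a script that snapshots the KV store while the instance is running, stops it, archives $SPLUNK_HOME/etc with a SHA-256 manifest so a later restore can prove the archive is intact, and after the upgrade checks that the daemon starts, reports the new version, still returns events, and has no malformed configuration left behind by old apps. SPLUNK_HOME=/opt/splunk, the backup directory /var/backups/splunk, a single standalone instance and the ADMIN_PASS variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the course): pre-upgrade backup of a standalone
# instance and post-upgrade validation. Assumed: SPLUNK_HOME=/opt/splunk,
# backups under /var/backups/splunk, ADMIN_PASS set in the environment.
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/splunk}"

# backup_etc HOME DEST -> prints the path of a tar.gz of HOME/etc (system,
# apps and user config) and writes a .sha256 manifest next to it.
backup_etc() {
  home="$1"; dest="$2"
  [ -d "$home/etc" ] || { echo "no etc/ under $home" >&2; return 1; }
  mkdir -p "$dest"
  archive="$dest/splunk-etc-$(date +%Y%m%d-%H%M%S).tgz"
  tar -czf "$archive" -C "$home" etc
  ( cd "$dest" && sha256sum "$(basename "$archive")" > "$archive.sha256" )
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the manifest still matches and the archive
# contains etc/system/local, where a standalone instance keeps most settings.
verify_backup() {
  archive="$1"
  ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) >/dev/null 2>&1 || return 1
  tar -tzf "$archive" | grep -q '^etc/system/local/'
}

# pre_upgrade: KV store first (it needs a running instance; the archive lands
# under $SPLUNK_HOME/var/lib/splunk/kvstorebackup), then stop and copy etc/.
pre_upgrade() {
  "$SPLUNK_HOME/bin/splunk" backup kvstore -archiveName "pre-upgrade-$(date +%Y%m%d)" -auth "admin:$ADMIN_PASS"
  "$SPLUNK_HOME/bin/splunk" stop
  archive="$(backup_etc "$SPLUNK_HOME" "$BACKUP_DIR")"
  verify_backup "$archive"
  echo "backup verified at $archive; unpack the new release over $SPLUNK_HOME, then run: $0 post"
}

# post_upgrade: the "validate functionality" step. The first start after an
# upgrade runs the migration non-interactively; btool check reports settings
# the new version no longer understands.
post_upgrade() {
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  "$SPLUNK_HOME/bin/splunk" version
  "$SPLUNK_HOME/bin/splunk" status
  "$SPLUNK_HOME/bin/splunk" search 'index=_internal earliest=-1h | stats count' -auth "admin:$ADMIN_PASS"
  "$SPLUNK_HOME/bin/splunk" btool check
}

case "${1:-}" in
  pre)  pre_upgrade ;;
  post) post_upgrade ;;
esac
```

Keep the archive and its manifest somewhere other than $SPLUNK_HOME: a failed upgrade that has to be cleaned up by removing the directory must not take the only backup with it.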