Splunk Basics

The document provides an overview of the Splunk software platform, including what it is, why it is used, its architecture and components. It discusses installing Splunk and describes the forwarder, indexer and search head components. It also provides examples of Splunk queries.

Uploaded by

akshat jain

Basics of Splunk

What is Splunk?
• Splunk is a software platform used to search, analyze and visualize
machine-generated data gathered from websites, applications,
sensors, devices, etc.
Why do we use Splunk?
Splunk Architecture
Splunk Installation
• Download Splunk: visit the Splunk website (https://www.splunk.com/)
and navigate to the downloads section.
• Choose the appropriate version of Splunk for your operating system
and download the installer package.
• Once the installer package is downloaded, locate the file and run it to
start the installation process.
• After installation, Splunk will prompt you to configure the instance.
You will need to set an administrator username and a strong password
(this is set at first start), and then configure settings such as the
data inputs and indexes. Splunk Web runs on http://localhost:8000 by
default (port 8000); the management port used by the CLI and REST API
is 8089. Both ports should be reachable only by administrators.
Splunk Components
Splunk Component - Forwarder
• A Splunk Enterprise instance (or the lightweight universal forwarder)
that collects data and sends it to an indexer, conventionally over
TCP port 9997.
• It requires minimal resources and has little impact on the host's
performance.
• It is the primary way data is supplied for indexing.
Splunk Component - Indexer
• The indexer processes machine data and stores the results in indexes
as events, enabling fast search and analysis.
• As the indexer indexes data, it creates a number of files organized in
sets of directories (buckets) by age: hot, warm, cold and frozen.
Splunk Component – Search Head
• Allows users to use the Search Processing Language (SPL) to search
the indexed data.
• Distributes user search requests to the indexers.
• Consolidates the results, extracts field-value pairs from the events
and returns them to the user.
Some Splunk Queries
(Field names such as index and sourcetype are case-sensitive; search terms
and field values are not.)
1. Query to specify the index to search:
index=web_logs
2. Query that searches for events matching the specified criteria:
index=web_logs status=200
3. Query to filter events by sourcetype:
sourcetype=apache_access
4. Query to filter events on a condition after the initial search:
index=logs | where status="error"
5. Query to identify failed login attempts:
sourcetype=auth* "authentication failure"
| stats count by user
| sort -count
6. Query to identify a potential security threat: passwords sent in
cleartext and captured in web access logs (the rex named group extracts
the value into a field called password; eval's string-length function
is len):
sourcetype=access_* method=POST status=200
| rex field=_raw "password=(?<password>[^&]+)"
| eval password_length=len(password)
| where password_length >= 8
7. Query to identify privilege escalation attempts (su to another user):
sourcetype=linux_secure su*
| where user!="root" AND user!=""
8. Query to identify failed SSH attempts:
sourcetype=linux_secure "failed password for"
| stats count by src_ip
| sort -count
9. Query to identify successful SSH attempts (public-key logins; password
logins are logged as "accepted password for"):
sourcetype=linux_secure "accepted publickey for"
| stats count by src_ip
| sort -count
10. Query to identify network port scans. A scan is one source touching
many distinct destination ports, so count distinct ports per source
(stats count by src_ip, dest_port | where count > 100 would instead flag
a source hitting a single port repeatedly, i.e. a flood or brute force):
sourcetype=network_traffic
| stats dc(dest_port) as distinct_ports by src_ip
| where distinct_ports > 100
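The detection logic behind the SSH failed/successful login counts, the leaked-password extraction and the port-scan query above, re-implemented here as an added Python example (not code from the original page or from Splunk) so that what each SPL pipeline computes can be seen without a Splunk instance. The auth-log lines, access-log lines, IP addresses and traffic records are constructed for illustration; the regexes stand in for Splunk's field extractions, and the 100-port threshold is the one used on the page. A count-by-(src_ip, dest_port) variant is included for contrast, because it flags repeated hits on one port rather than a scan.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real data) in the shape of Linux /var/log/secure
# entries, i.e. what sourcetype=linux_secure searches run against.
SECURE_LOG = """\
Mar  3 10:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:05 host1 sshd[1202]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 10:01:09 host1 sshd[1203]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:02:11 host1 sshd[1210]: Accepted publickey for bob from 192.0.2.5 port 40100 ssh2: RSA SHA256:abc
Mar  3 10:02:15 host1 sshd[1211]: Accepted password for alice from 198.51.100.7 port 40003 ssh2
Mar  3 10:03:00 host1 sshd[1215]: Failed password for root from 203.0.113.10 port 51250 ssh2
"""

# Stand-in for the src_ip / user field extraction (a rex with named groups).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed password|Accepted (?:publickey|password)) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"
)


def count_by_src_ip(log_text, outcome_prefix):
    """stats count by src_ip | sort -count, over events whose outcome starts
    with outcome_prefix ("Failed password" or "Accepted")."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m and m.group("outcome").startswith(outcome_prefix):
            counts[m.group("src_ip")] += 1
    # sort -count, with the IP as a tie-breaker so the order is deterministic
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed web access-log lines; the credentials are fake.
ACCESS_LOG = """\
203.0.113.10 - - [03/Mar/2024:10:05:00 +0000] "POST /login?user=alice&password=hunter2&next=/ HTTP/1.1" 200 512
203.0.113.11 - - [03/Mar/2024:10:05:03 +0000] "POST /login?user=bob&password=correcthorsebattery HTTP/1.1" 200 512
203.0.113.12 - - [03/Mar/2024:10:05:07 +0000] "GET /static/app.js HTTP/1.1" 200 1024
"""

# The page's pattern is password=(?<password>[^&]+); \s is added to the
# excluded set so a value at the end of the query string does not swallow
# the rest of the request line (" HTTP/1.1").
PASSWORD_RE = re.compile(r"password=(?P<password>[^&\s]+)")


def leaked_passwords(log_text, min_length=8):
    """method=POST status=200 | rex password=... | eval len | where len >= 8"""
    hits = []
    for line in log_text.splitlines():
        if '"POST ' not in line or ' 200 ' not in line:
            continue
        m = PASSWORD_RE.search(line)
        if m and len(m.group("password")) >= min_length:
            hits.append((m.group("password"), len(m.group("password"))))
    return hits


# Constructed network_traffic events as (src_ip, dest_ip, dest_port) tuples.
TRAFFIC = (
    [("203.0.113.10", "10.0.0.5", p) for p in range(1, 151)]  # 150 distinct ports: a scan
    + [("198.51.100.7", "10.0.0.5", 22)] * 150                 # 150 hits on one port: brute force
    + [("192.0.2.5", "10.0.0.5", p) for p in (80, 443)]        # ordinary client
)


def port_scanners(events, threshold=100):
    """stats dc(dest_port) as distinct_ports by src_ip | where distinct_ports > threshold"""
    ports = defaultdict(set)
    for src_ip, _dest_ip, dest_port in events:
        ports[src_ip].add(dest_port)
    return sorted((ip, len(p)) for ip, p in ports.items() if len(p) > threshold)


def single_port_floods(events, threshold=100):
    """stats count by src_ip, dest_port | where count > threshold: this catches a
    source hammering one port, which is a flood or brute force, not a port scan."""
    counts = Counter((src_ip, dest_port) for src_ip, _dest_ip, dest_port in events)
    return sorted((key, c) for key, c in counts.items() if c > threshold)


if __name__ == "__main__":
    print("failed SSH by src_ip:    ", count_by_src_ip(SECURE_LOG, "Failed password"))
    print("successful SSH by src_ip:", count_by_src_ip(SECURE_LOG, "Accepted"))
    print("passwords in access log: ", leaked_passwords(ACCESS_LOG))
    print("port scanners:           ", port_scanners(TRAFFIC))
    print("single-port floods:      ", single_port_floods(TRAFFIC))
```

Run with `python3 splunk_queries_demo.py` (assumed file name). The scanner shows up only in `port_scanners`, and the SSH brute-forcer only in `single_port_floods`; the same data distinguishes the two behaviours, which is why the distinct-count form is the one to use for scan detection.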
Thank you