Steps
Task:
1. Direct your web browser to the class lab system, for example:
http://{server-name}.splunk.com
2.
3. On the Home view, select Search under the Search & Reporting app box.
4. Take a moment to examine the How to Search and What to Search sections.
Using Splunk 6
Task:
Task:
Explore some of the menu items of interest to you to familiarize yourself with Splunk navigation.
Change your account settings to reflect your name and local time zone.
2. Click your user name next to the Messages menu option in the top right corner.
3.
4. In the Full Name field, modify the existing name and enter your name.
5. From the Time zone menu, select your local time zone.
6.
7.
8.
Task:
Task:
Return to the Search & Reporting app, if you are not already there.
2. Select Search & Reporting from the App menu in the top left of the main navigation bar, also called the Splunk bar.
3.
4. Use the time range picker to set the time range to Last 24 hours (located in the Relative section). When you select a time range, the search begins as if you had pressed the Enter key.
5. Mouse over search results and notice that your search terms are highlighted and that you could page through to see more results.
Task:
7. Use the NOT Boolean to remove the ps events. Add NOT sourcetype=ps to your search string.
NOTE: Your search should now be password fail* NOT sourcetype=ps
8.
9.
Task:
Task: Save and share results. (Extend the default save time and expand default viewing permissions to all.)
15. In the Search Bar, from the Job menu, select Edit Job Settings.
16. Change the Read Permissions of the job. The default is Private. Click Everyone. For important searches, this allows others to leverage your work. Extend the Lifetime of your search. The default is 10 minutes. Click 7 days.
17. Click Save.
18. To retrieve your search, from the Activity menu, click Jobs and find your search in the list. (It is found at the top of your browser view.)
19. Delete all of your displayed jobs except the one that you changed to 7 days.
20. Return to the Search view.
Task:
Task:
Scroll up and click Search in the navigation menu to clear the previous search.
2.
3. Examine the Fields sidebar. There are some selected fields and a number of interesting fields. How many fields are not displayed in the fields sidebar? ____
HINT: Look at the bottom of the fields sidebar.
4. Search for sourcetype=access_combined. How many fields are not displayed in the fields sidebar? _____ Notice the difference in the names of fields associated with the search results.
Notice that the search, by default, ran in Smart mode. Record the number of Selected fields and Fields not displayed.
Smart mode: _____ Selected fields _____ Fields not displayed
6. Re-run the same search in Fast mode and record the results.
Fast mode: _____ Selected fields _____ Fields not displayed
7. Re-run the same search in Verbose mode and record the results.
Verbose mode: _____ Selected fields _____ Fields not displayed
NOTE: The difference in the speed of queries might not be noticeable on your lab system. However,
you will see the impact the search modes have on reports later today.
Task:
Use Smart mode to search for action=purchase. Keep the time range at the Last 4 hours.
Examine the Fields sidebar Interesting Fields list. Notice that product_name is one of the fields
extracted by Splunk. Click product_name in the Fields sidebar. Notice the pop-up window shows the
top ten best selling products.
9. Another interesting field is price. This field tells you the prices at which most purchases occur. In the Fields sidebar, click price.
NOTE: You may need to open the Fields window to find and select it.
10. In order to quickly see values of the price field in your events, click Yes in the upper right corner next to Selected and close the window. Notice price is now a selected field in the Fields sidebar and is displayed below each event that contains the field.
11. Back in the Fields sidebar, examine the most frequently occurring value for the price field under Selected Fields. Click the price field and in the window that opens, click the value with the highest number of purchases (listed at the top). Notice the field and value have been added to the search bar. Also, this selection causes a new search to be executed using the new search criteria.
12. Remove the price field from the search and re-run the search.
13. In the Fields sidebar, click categoryId to see which types of games account for the most purchases.
Scenario: As a seasoned Splunk power user, you are going to build some knowledge into your Splunk environment.
Hosts named www1, www2, and www3 serve an external e-commerce store in the DMZ. The web team is
specifically responsible for the store hosts. Two teams are interested in these servers: the DMZ team and the web team.
Task:
18. Find the row for the host field. Click the down arrow under the Actions column and select Edit Tags.
19. Tag host www1 with the values dmz and webteam.
20. Repeat steps 16-19, but change the search to host=www2.
21. Repeat steps 16-19 again, this time using the search host=www3.
Task:
Task:
Scenario: For security reasons, you need to monitor failed login attempts into our servers in the DMZ. We are only
interested in failed logins from known user accounts.
Task:
Task:
Using tags, search for the Linux secure logs on all web servers in the Last 60 minutes.
HINT: Search for tag=dmz sourcetype=linux_secure
Add the keywords failed AND password NOT invalid. Re-run the search.
Scenario: This search identifies login attempts to existing user accounts on the servers. You need to track these because they can be more dangerous than unknown users. To gain access, attackers need a user name and a password. With a valid user name, they are partially there! Create an alert that triggers when there is more than one failed login attempt within one minute.
Task:
4.
5.
6. Next to Trigger condition, click the drop-down button that says Per-Result and select Number of Results.
7. The Number of Results button is already set to Greater than. The field next to it is already set where you want it, at 0. (This setting triggers the alert for every failed login.)
8.
9. Click Next.
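The alert's search written out in SPL, as an added example rather than the lab's own search: it keeps the tag and keyword filters from the task above and adds a per-minute count per host and account, so the results match the scenario's threshold of more than one failure within one minute instead of one result per failed login. The rex pattern assumes the standard sshd message format (Failed password for <user> from <ip>); the acct, src, failures and sources field names are assumptions, not fields the lab data is known to extract.

```spl
tag=dmz sourcetype=linux_secure failed AND password NOT invalid
| rex "Failed password for (?<acct>\S+) from (?<src>\S+)"
| bin _time span=1m
| stats count AS failures, dc(src) AS sources BY _time, host, acct
| where failures > 1
| sort - failures
```

With this as the alert's search, the Number of Results greater than 0 trigger from step 7 fires only when some account on some host exceeded one failure in a minute, because the where clause carries the threshold.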
Task:
Task:
2. Search for password fail* root NOT sourcetype=ps over the last 24 hours.
3.
4. Name the report {user name} Failed Logins for Root Last 24 hours
5. Select No for the time range picker option, then click Save.
6. From the Edit menu, select Open in Search. Explore search modes and visualizations.
NOTE: When you run a saved report, it runs in Smart Mode.
8. In the Fields sidebar, click the host field and select the report type: Top values by time and click Save.
Notice in the Events tab that the timeline and fields sidebar do not display. You also see an error message notifying you that your search did not return any events because you are in Smart Mode. Since the search string includes the timechart command, you must change search modes to see events.
9.
10. Select the Events tab. Neither Smart nor Fast mode returns events in the Events tab when a reporting command is present.
11. Change the search mode to Verbose and re-run the search. Switch to the Events tab.
NOTE: Now in the Events tab, you see the timeline and fields sidebar.
Task: Create a report using the Fields sidebar, view it in the Statistics and Visualization tabs, and save it as a dashboard.
12. Search for status>=400 AND status<=600 (action=purchase OR action=addtocart) in Smart mode over the Last 7 days.
13. Click the host field in the fields sidebar, then select the chart Top values by time. A timechart displays in the Visualization tab.
14. Click the Statistics tab to see another view of your results.
15. Click the Visualization tab to return to the timechart.
16. From the Save As menu, select Dashboard panel.
17. In the Dashboard Title field, enter a name for the entire dashboard: {student name} Ops Dashboard.
18. Select Shared in App.
19. In the Panel Title field, enter a name for your panel: Incomplete Sales - Previous 7 Days and click Save.
20. In the confirmation dialog, click View Dashboard to display the dashboard you created.
21. Click the Edit button and click Edit Panels.
22. In the dashboard panel, click the middle of the three upper right dropdowns. Click Done.
Task:
26. Select the Report Content Type icon. This is the third icon in the row.
27. Click the report title to display the reports you can use in this panel. Select your Failed Logins for Root report from the list.
28. Click Add Panel to add the panel to the dashboard.
29. Drag the Failed Logins for Root panel and position it to the right of the top panel. The panels should display side-by-side.
30. Change the visualization to Line.
31. In the upper right, click Done to save your changes. Your dashboard may look something like this:
Create a pivot from an existing data model and save it as a dashboard panel.
1.
2.
3. Select the object: failed request. The Pivot interface opens with a count of failed requests.
NOTE: These are events where the http status returned was an error code.
4.
5. From the Split Rows selector, add action as a Split Rows field. Give the action field a label of Customer Action. Keep the defaults, then click Add to Table.
6. From the Split Columns selector, add the host field. Keep the defaults, then click Add to Table.
7. From the visualization selector along the left, select Bar Chart.
8. Filter the report to exclude accessories. From the Filter section, select Add Filter.
9.
10. From the Match menu, choose is not, then select ACCESSORIES.
11. Save the pivot as a Dashboard panel.
12. From the Dashboard selector, choose Existing, then select your dashboard.
13. Name the panel Errors on Customer Action Games Only Week to Date.
14. Click Save, and then click View Dashboard to view your dashboard.
15. From the Edit menu, select Edit Panels.
16. Drag the new panel to the top right, then move the Failed Logins panel to the bottom so that it spans both top panels.
17. Click Done and admire your work! Your pivot may look something like this: