You are a security analyst working at the e-commerce store Buttercup Games. You've been tasked with identifying whether there are any possible security issues with the mail server. To do so, you must explore any failed SSH logins for the root account.
Uploading data into Splunk:
The first step in using Splunk is to upload data. In this screenshot you can see I have successfully uploaded the tutorial data used throughout this exercise.
In this screenshot I typed index="main" into the search bar and changed the time range to "All time". Doing this returned thousands of events. The search term specifies the index, and an index is a repository for data: this search returns the single dataset of events stored in the index named main.
Splunk attaches fields to every event. By default the selected fields are host, source and sourcetype. Using these fields helps security analysts quickly search for and find the specific data they need. The host field names the network host from which the event originated; in this search there are 5 hosts, including the web application servers, a host holding vendor sales information and a mail server. The source field indicates the file or input the event came from, and there are 8 of them. The sourcetype field determines how the data is formatted, and there are 3 of them. Below is an example of selecting a specific field and its results.
With the default selected fields and the search above, Splunk returned 109,864 events. Since I am looking for failed SSH logins for the root account, I need to narrow the results to events from the mail server. Selecting the host field and then the mailsv value dropped the results to 9,829 events, which is much easier to work with.
To search specifically for failed root logins, we add to the search bar. After host=mailsv we add fail* root, so the full search is index="main" host=mailsv fail* root. This expands the previous search with the keyword fail*: the trailing wildcard tells Splunk to match any term that begins with fail, such as failed or failure. The keyword root matches any event that contains the term root. This new search narrowed the results down to 346 events, which is much easier to evaluate. Note that both keywords match anywhere in the event text, not only in a username field, so the 346 events still need to be reviewed to confirm that each one really is a failed login for the root user.
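To make the semantics of that search concrete, here is an added Python example (not part of the original write-up and not Splunk's own code) that mimics the three steps above over a handful of constructed log events in the shape of the tutorial's sshd and web access lines: filter on the index and host fields, then match keywords with a trailing wildcard, and finally count the remaining failed root logins per source IP, which is the follow-up question an analyst would ask next. The sample events, their hosts and IP addresses are made up for this example; the keyword matching is a simplified approximation of Splunk's tokenization, not a reimplementation of it.

```python
import re
from collections import Counter


# Constructed sample events shaped like the sshd lines in the tutorial's
# secure.log plus one web-server access line. They are made up for this
# example; they are not the real tutorial data and do not reproduce its counts.
def _event(host, source, sourcetype, raw):
    return {"index": "main", "host": host, "source": source,
            "sourcetype": sourcetype, "_raw": raw}


EVENTS = [
    _event("mailsv", "secure.log", "secure",
           "Mon Mar 19 20:16:27 2018 mailsv1 sshd[5258]: Failed password for root from 194.8.74.23 port 3626 ssh2"),
    _event("mailsv", "secure.log", "secure",
           "Mon Mar 19 20:16:31 2018 mailsv1 sshd[5262]: Failed password for root from 194.8.74.23 port 3630 ssh2"),
    _event("mailsv", "secure.log", "secure",
           "Mon Mar 19 20:17:02 2018 mailsv1 sshd[5270]: Failed password for invalid user guest from 86.212.199.60 port 2244 ssh2"),
    _event("mailsv", "secure.log", "secure",
           "Mon Mar 19 20:18:40 2018 mailsv1 sshd[5290]: Accepted password for root from 10.0.0.5 port 51112 ssh2"),
    _event("mailsv", "secure.log", "secure",
           "Mon Mar 19 20:19:05 2018 mailsv1 sshd[5301]: Failed password for root from 86.212.199.60 port 2250 ssh2"),
    # A web-server event that contains both keywords but is not from the mail
    # server, showing why the host filter matters.
    _event("www1", "access_combined.log", "access_combined_wcookie",
           '91.205.189.15 - - [19/Mar/2018:20:19:20] "GET /admin/root/failed_logins.html HTTP/1.1" 200 1111'),
]


def tokenize(raw):
    """Approximate Splunk's term indexing: lowercase alphanumeric tokens."""
    return re.findall(r"[a-z0-9_]+", raw.lower())


def term_matches(term, tokens):
    """A trailing * matches any token beginning with the prefix (fail* -> failed)."""
    term = term.lower()
    if term.endswith("*"):
        return any(tok.startswith(term[:-1]) for tok in tokens)
    return term in tokens


def search(query, events):
    """Run a simplified SPL-style search: field=value filters plus keywords.

    Every field filter must match exactly and every keyword must be present
    in the event text, which is how the write-up's search terms combine.
    """
    field_filters, terms = {}, []
    for part in query.split():
        if "=" in part:
            key, value = part.split("=", 1)
            field_filters[key] = value.strip('"')
        else:
            terms.append(part)
    results = []
    for ev in events:
        if any(ev.get(k) != v for k, v in field_filters.items()):
            continue
        tokens = tokenize(ev["_raw"])
        if all(term_matches(t, tokens) for t in terms):
            results.append(ev)
    return results


def failed_root_by_src(events):
    """Count failed root logins per source IP among the matching events.

    The regex reads the IP out of the sshd message text; it is the part of the
    review step that confirms each hit really is a failed login for root.
    """
    pattern = re.compile(r"Failed password for root from (\S+)")
    counts = Counter()
    for ev in search('index="main" host=mailsv fail* root', events):
        match = pattern.search(ev["_raw"])
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    for q in ('index="main"', 'index="main" host=mailsv',
              'index="main" host=mailsv fail* root'):
        print(f"{q}: {len(search(q, EVENTS))} events")
    print(failed_root_by_src(EVENTS))
```

Running it shows the same narrowing the write-up describes: the index alone returns all 6 sample events, adding host=mailsv drops the web-server line, and fail* root leaves the three failed root attempts. Dropping the host filter would pull the www1 access line back in, because root and failed_logins both begin with the searched prefixes even though the event has nothing to do with SSH. In Splunk itself the final aggregation is what you would get by piping the search into stats count by with the extracted source-IP field.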
*Due to compression issues the pictures may not be clear. Please see https://docs.google.com/document/d/1nuOs_scqRmzUVWrHb05GOHQlsyj-E0XGn4gzBddZXTE/edit?usp=sharing for the original pictures.*