In this activity, I used Splunk Cloud to upload data and perform searches on the data.
I logged into Splunk Cloud Platform and uploaded data using the following steps.
1. Click Settings and then click Add Data.
2. Click Upload and click Select File to upload the tutorialdata.zip file.
3. Once the file is uploaded, click Next to continue to Input Settings.
4. Click Review and check the details of the upload before submission.
5. After verifying that the details are correct, click Submit.
6. Check the confirmation message stating that the file has been uploaded successfully.
7. Click the Splunk Cloud logo to return to the home page.
I clicked Search & Reporting and entered the following search query in the search bar.
index=main
This search term specifies the index. An index is a repository for data. Here, index=main restricts the search to the single dataset of events stored in the index named main.
Then, I selected All Time from the time range dropdown to search for all the events across all time and clicked the search button.
When Splunk indexes data, it attaches fields to each event. These fields become part of the searchable index event data. This helps security analysts easily search for and find the specific data they need.
Every event carries three default fields: host, source, and sourcetype.
host: The host field specifies the name of the network host from which the event originated. In this search there are five hosts:
mailsv - Buttercup Games' mail server. The failed login investigation below examines events generated from this host.
www1 - This is one of Buttercup Games' web applications.
www2 - This is one of Buttercup Games' web applications.
www3 - This is one of Buttercup Games' web applications.
vendor_sales - Information about Buttercup Games' retail sales.
source: The source field indicates the file name from which the event originates. For example, /mailsv/secure.log is the log file that records authentication and authorization attempts on the mail server.
sourcetype: The sourcetype field identifies the format of the data, which tells Splunk how to parse events from that source.
I explored failed SSH login attempts for the root user account on the mail server by narrowing the search results as follows.
I entered the following query into the search bar and clicked Search.
index=main host=mailsv fail* root
This search builds on the previous one by adding the host filter host=mailsv and the keyword fail*. The asterisk wildcard tells Splunk to expand the search term to match any term that begins with fail, such as failure or failed. Lastly, the keyword root restricts the results to events that contain the term root.
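To make the filtering behaviour of these two searches concrete, here is a small Python model of how a query such as index=main host=mailsv fail* root narrows a set of indexed events. It is an added example, not code from the activity or from Splunk: the events are constructed sample lines in the shape of the tutorial data (not taken from tutorialdata.zip), and the tokenizer and case-insensitive matching are a deliberate simplification of Splunk's real indexing. Field=value terms are matched against the event's fields, bare keywords are matched against the words of the raw event text, and * expands as a wildcard in either position.

```python
"""Toy model of Splunk search filtering over indexed events.

Added example (not part of the original activity). Assumptions:
- every event carries the default fields index, host, source, sourcetype
  plus the raw text in _raw;
- keyword and field-value matching are case-insensitive (a simplification);
- the tokenizer below approximates Splunk's indexed terms.
"""
import fnmatch
import re
from collections import Counter

# Constructed sample events, modelled on the tutorial data but made up here.
SAMPLE_EVENTS = [
    {"index": "main", "host": "mailsv", "source": "/mailsv/secure.log", "sourcetype": "secure",
     "_raw": "Mon Mar 19 09:12:01 2012 mailsv1 sshd[4351]: Failed password for root from 203.0.113.5 port 1034 ssh2"},
    {"index": "main", "host": "mailsv", "source": "/mailsv/secure.log", "sourcetype": "secure",
     "_raw": "Mon Mar 19 09:12:03 2012 mailsv1 sshd[4352]: Failed password for invalid user admin from 203.0.113.9 port 1040 ssh2"},
    {"index": "main", "host": "mailsv", "source": "/mailsv/secure.log", "sourcetype": "secure",
     "_raw": "Mon Mar 19 09:12:04 2012 mailsv1 sshd[4353]: Accepted password for root from 192.0.2.10 port 2201 ssh2"},
    {"index": "main", "host": "mailsv", "source": "/mailsv/secure.log", "sourcetype": "secure",
     "_raw": "Mon Mar 19 09:12:05 2012 mailsv1 sshd[4354]: pam_unix(sshd:auth): authentication failure; "
             "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root"},
    {"index": "main", "host": "www1", "source": "/www1/access.log", "sourcetype": "access_combined",
     "_raw": "198.51.100.7 - - [19/Mar/2012:09:15:00] POST /login.php user=root status=failed"},
    {"index": "main", "host": "vendor_sales", "source": "/vendor_sales/vendor_sales.log", "sourcetype": "vendor_sales",
     "_raw": "Mon Mar 19 09:20:00 2012 VendorID=9001 Code=B AcctID=2345 ProductCode=FS-SG"},
]

# Words of the raw event, lowercased: the stand-in for Splunk's indexed terms.
TOKEN_RE = re.compile(r"[a-z0-9_./-]+")


def tokenize(raw):
    """Split raw event text into lowercase terms that keywords are matched against."""
    return TOKEN_RE.findall(raw.lower())


def parse_query(query):
    """Separate a search string into field filters (field=value) and bare keywords."""
    field_filters, keywords = [], []
    for term in query.split():
        if "=" in term:
            field, value = term.split("=", 1)
            field_filters.append((field, value.lower()))
        else:
            keywords.append(term.lower())
    return field_filters, keywords


def matches(event, field_filters, keywords):
    """True when every field filter and every keyword (with * wildcards) matches the event."""
    for field, pattern in field_filters:
        if not fnmatch.fnmatchcase(str(event.get(field, "")).lower(), pattern):
            return False
    tokens = tokenize(event["_raw"])
    for keyword in keywords:
        # fail* matches failed, failure, ...; a plain keyword must match a whole term
        if not any(fnmatch.fnmatchcase(token, keyword) for token in tokens):
            return False
    return True


def search(query, events=SAMPLE_EVENTS):
    """Return the events selected by a Splunk-style search string."""
    field_filters, keywords = parse_query(query)
    return [event for event in events if matches(event, field_filters, keywords)]


def count_by_host(results):
    """Summarise results per host, like piping a search to `| stats count by host`."""
    return dict(Counter(event["host"] for event in results))


if __name__ == "__main__":
    for query in ("index=main", "index=main host=mailsv", "index=main host=mailsv fail* root"):
        hits = search(query)
        print(f"{query!r}: {len(hits)} event(s) by host {count_by_host(hits)}")
        for hit in hits:
            print("   ", hit["_raw"])
```

Running it shows why the narrowing matters: index=main returns all six events, host=mailsv drops the web and sales hosts, and fail* root keeps only the two mail-server events that both failed and involved root, while the successful root login and the failed admin login fall away. The count_by_host summary is the kind of pivot an analyst would add next to see which hosts are being targeted.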
To sum up, I used Splunk Cloud to perform a search and investigation. Using Splunk Cloud, I uploaded sample log data, searched through indexed data, evaluated search results, identified different data sources, and located failed SSH login(s) for the root account.
Splunk upload data: https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/GetthetutorialdataintoSplunk
Splunk Cloud tutorial: https://www.youtube.com/watch?v=5W7mzW8GATs