What is Splunk

Is splunk enterprise on premise or cloud?

on premises.

what are the main functions of splunk? (RISKA)

1. Report and analyze

2. Index Data

3. Search and Investigate

4. Add knowledge

5. Monitor and alert

What is a Data indexer and how does it work?

It's a splunk instance that indexes data

Transforms raw data from servers, network and applications, categorises them, labels and gives a source_type. Source_type tells Splunk the kind of data it is so Splunk can structure the data

What is the Search and analyse function and how does this work?

Its the search head on the Splunk platform. Enter a query and you can search data from many data sources.

Analyse and run statistics on events using the Splunk Search Language (SPL)

What is the "knowledge data set called data model" function in Splunk and how does it work?

User can quickly visualise data and pivot without having to write custom searches.

What is the monitor and alert function and how does it work?

set custom triggers so you are notified and can respond to incidents as they occur

What is the report function and how does it work?

Search results can be saved as reports

What are apps in your Splunk enterprise environment?

Apps are preconfigure environments like workspaces used to solve a specific use case.

who defines what for a specific app and/or environment?

the would be a user with an administrator role.

what are Splunk roles?

These determine what a user is able to see, do and interact with.

What are the main roles in Splunk

admin, power, user

What can the administrator role do?

Can install apps, and create knowledge object for all users.

what can the power user role do?

can create and share knowledge object for users of an app and do realtime searches.

what can a regular user do?

Will only see their own knowledge objects and those shared with them.

Splunk enterprise come with two apps by default, what are they?

The home app and the search and reporting app.

what capabilities are you allowed to perform on the home app?

you launch other Splunk Apps and/or set custom dashboard or find documentation.

What further capabilities can an admin run on the home app?

They can add apps or data.

Can you build your own app and are other apps available?

you can search on Splunk base for other apps or just create your own.

What are the 8 main components you can find in a Splunk Search and reporting interface section?

1. Splunk bar

2. app bar

3. search bar

4. Time range bar

5. how to search

6 data summary

7. table views

8. Search history.

What options are available on the Splunk bar?

1. apps (for switiching apps)

2. name (edit account)

3. messages (view system level messages)

4. setting (manage and edit Splunk configurations)

5. activity (monitor progress of searches

6. help

what is the app bar used for?

allows you to navigate the application.

What does the time range picker used for?

gives your events over a specific time period.

What is the how to search component used for?

gives you search tutorial and documentation.

Under the "How to search" component what do you get when you click on "data summary?"

you get an index break down by host, sources, or source types.

What are source types under data summary?

they are classification of your data.

What are the "source" under data summary

Sources are the file and directory path, network port, or script from which the event originated.

what are the "host" option under data summary?

its the host, IP, or domain name of the endpoint device.

What is the "Table Views" option under data summary?

provides a UI driven way to explore an prepare your data without using processing searchi lanage SPL

What does the Search History option allow you to do and what pickers are available?

search the history of your searches on the search bar.

today

over the last 7 days or

over the last 30 days.

When performing a search, once you have your search query loaded. What does the "patterns" tab provide you?

Allows you to see patterns to get a better understanding.

If you your search query contains visualizations or statistics, where are they displayed?

what is not display is available what will display in the visualization tab?

under the search query next to pattern.

you will see pivots, quick reports, and search command documentation.

What are the three "search mode" you can select in the search selector?

1. FAst Mode

2. Smart Mode

3. Verbose mode

How does "fast mode" work when searching for information?

it disables field discovery which return information on default fields, and field required for your search.

How does the "verbose mode" work when searching for information?

It returns as much fields and events as possible. helps with discovery.

How does the "smart mode" when searching for information?

will toggle based on type of search running.

What is the difference in Timestamps when events are populated in a search?

One time stamp is populated by Splunk when performing the search

One time stamp is populated by indexer. Which can be seen on the event.

When a search is performed, in the bottom of a populated event what will you see?

selected fields which are default

When searching what does an "*" do?

its a wildcard the provides further search.

What does the boolean "NOT" provide?

it provides results without the requested information

i.e. "Loggin" NOT "failed" will return event without the word failed but with the word logging

What does the boolean "AND" provide?

it allows you to provide or aggregate results.

i.e. "password" AND "FAILED" will return password and failed in conjunction

What does the "OR" boolean provide in your search results?

it will allow you to search either event even if they aren't associated.

What is the order of evaluation with booleans?

What can you use to control the order of the operations?

1. NOT

2. OR

3. AND

parathensis

what if you need to escape a character?

you will use the "\" to escape.

What are the 5 components of search query lanaguage?

1. Search terms

2. Commands

3. functions

4. arguments

5. clauses

What does the component "search term" provide in the search query?

it's the foundation search query created by user.

What does the component "commands" provide in a search query?

Tell Splunk what do with results like charts, statistics, or formatting.

What does the component "functions" provide in a search query?

explain how we want compute, evaluate, chart the results

What does the component "arguments" provide in a search query?

variables applied into a function

What does the component "clause" provide in a search query?

explain how we want results group and defined.

name the search components conditions inside this search query below

sourcetype=cisco_was_squid usage=Violation | stats count(usage) as Visits

Search term:

sourcetype=cisco_was_squid usage=violation

Command: "stats"

Function: "count"

argument: "(usage)"

clause: "as"

Once you have concluded your query, how can you use the "search" command?

at the end you can use it to further filter your search by certain criteria.

What are best practice when searching.

1. case sensitivity

2. time

3. index

4. source

5. host

6. sourcetype

What are knowledge objects?

tools that help you and user discover and analyze data

knowledge object are grouped in to what 5 groups?

1. Data interpretation

2. Data classification

3. Data normalization

4. Data Models

5. Data enrichment

Why is knowledge object important?

they can be shared by other users, app, and be searched which can be powerful tools for your environment.

who are responsible for knowledge objects and what are their responsibility?

Knowledge Managers.

responsibilities:

1. oversee knowledge object creation

2. Implement naming convention

3. create data models

4. normalize event data

What does the data group "data interpretation" provide?

While searches already provide default fields you can further create field by extracting fields above the defaults. calculated events can also be added to field which add calculations to the search.

What does the data group "data classifcation" provide?

provide event types that categorize events based on search terms and create transaction that are group that are conceptually related events spanned over time.

What does the data enrichment group provide?

provide lookups allows you to add other field and values not included in your index. and Work flow actions allow you to create link that interact with external resources or narrow search

What does the "Data Normalization" group provide?

provide tags allow you to designate descriptive names for key value pairs. which allow you to look for specific value. Field Aliases allow you to normalize data over multiple sources.

What does the "data models" group provide?

provide hierarchically structured data sets which can consist of events, searches, or transactions.

if you need to share a search query what option do you have and if you need to retrieve that information where can you search for it?

Save as report. and you can go to the search

What is a great thing about saving reports?

They aren't static, you can run back to the reports tabs and choose the report to run, edit, and revise. These reports are saved queries.

When viewing a report, what does the "display for" options allow you to do?

It will allow report to run for everyone and apps but only an admi can set that option

When viewing a report, what does the "Rus as" option allow you to do?

set it as Owner or User

this section allows you to run the app as an owner or you can choose "user" which allows the app to run with the permissions a user has.

when saving reports what options above saving a query do you have?

1. schedule report

2. finish custom query then save as report.

3. save as a visualization

if you need to transfer a dashboard over what options to you have?

You can transfer the source code