Splunk

Overview

Indexer

Splunk indexer processes data it receives from the forwarder and organizes it, then stores them as events

Search Head

Search head is used to search through the indexed logs, you can also use it to create visualizations of the data

Forwarder

Splunk forwarder is used to collect data and send it to Splunk.

Key data sources
- Web server generating traffic
- Windows machine generating event logs, Powershell and Sysmon data
- Linux host generating host-centric logs
- Database generating responses

Splunk Navigation

Splunk Bar

Messages
- System-level messages
Settings
- Configuration settings
Activity
- Progress of jobs
Help
- Tutorials/Documentation
Find
- Search feature

Apps Panel

Installed applications can be listed and accessed here (Default app is "Search & Reporting")

Explore Splunk

Quick access links to add data to splunk (Apps, data, documentation, etc.)

Splunk Dashboard

Visualizations of data in Splunk

Splunk Searches

Splunk's searches can be accessed via the search tab. Example page is below:

As you can see above, a basic search page is shown. You can change the timeline using the dropdown menu to adjust accordingly. Within the search bar, you can enter your search terms.

Splunk has a query language called "Search Processing Language" and follows the syntax as such. This query language follows a structure where searches are made extremely easy (similar to Kibana Query Language), but also incorporates a lot of functionality through the use of commands (similar to Structured Query Language) and fields. Splunk searches can take a bit to complete, wait about a minute or so before moving on from a potential search

Splunk's commands can be found here: Splunk commands

An example search query is:

index="MyIndex" src_ip=192.168.0.1 dst_ip=192.168.0.2 sourcetype="stream:smtp" Gerald

The above search uses the index "MyIndex", the "MyIndex" index has the fields "src_ip" and "dst_ip" configured. The sourcetype field identifies an SMTP (Simple Mail Transfer Protocol) stream, and we are searching for the string "Gerald"

To simplify: We are searching for e-mail traffic between the two hosts above which contain the string "Gerald" in "MyIndex"

Helpful Splunk Query Language Commands:

dedup - Remove duplicates | dedup Image
contains - Search for a string within a field Image contains Gerald
AND - Search for a term that must be true along with another term that must be true Image CONTAINS Gerald AND dst_ip=192.168.0.2
OR - Search for a term that must be true or another term that must be true Image CONTAINS Gerald OR dst_ip=192.168.0.2
table - Generate a table based on a set of fields | table src_ip,timestamp

FIELDS ARE PER INDEX, NOT ALL INDEXES WILL HAVE THE SAME FIELDS BASED ON THE DATA THEY CONTAIN