06_Splunk 9 Generating Tailored Searches

 

1 Generating Tailored Searches - Course Overview

1.1 Course Overview

2 Learning About Splunk Searching

2.1 Let’s Learn About Splunk Searching!

2.2 Reviewing Splunk Lookups

2.3 Performing Basic Searches with Lookups

2.4 Learning Additional Lookup Usage

2.5 Using Lookups in Tailored Searches

2.6 Additional Lookup Usage in Splunk

3 Using Statistical Commands

3.1 Using Splunk Statistical Commands

3.2 Stats Command Arguments

3.3 Stats Command Functions

3.3.1 Types of Stats Functions

3.3.1.1 Aggregate Functions

3.3.1.2 Event Order Functions

3.3.1.3 Multivalue Stats and Chart Functions

3.3.1.4 Time Functions

3.4 Using Statistical Calculations in Splunk

3.5 Introducing Splunk Subsearches

3.6 Using Splunk Subsearches

4 Performing Transformative Searches in Splunk

4.1 Eval Commands in Splunk

4.2 Using Eval Commands

4.3 Detailing Eval Functions

4.4 Filtering and Formatting Splunk Search Data

4.5 Wrapping up Evaluating and Filtering

5 Understanding Self-describing Data

5.1 Understanding Self-describing Data

5.2 Using Self-describing Data in Splunk

5.3 Multivalue Fields

5.4 Extracting Structured Data

5.5 Using Structured Data and Multivalue Fields

5.6 Wrapping up Self-describing Data

6 Composing Advanced Searches in Splunk

6.1 Advanced Searches

6.2 Using Transactions in Splunk Searches

6.3 Generating Tailored Searches in Splunk

6.4 Searching Efficiently in Splunk

6.5 Optimizing Splunk Searches

6.6 Wrapping up Tailored Searches in Splunk

1. Generating Tailored Searches - Course Overview

1. Course Overview

2. Learning About Splunk Searching

1. Let’s Learn About Splunk Searching!

• We collect the data and use for security and data analytics

• Ingest the course files

2. Reviewing Splunk Lookups

Lookup tables available in below folder – if not we can create it

C:\Program Files\Splunk\etc\system\lookups

C:\Program Files\Splunk\etc\apps\search\lookups

3. Performing Basic Searches with Lookups

• Create index=pfsense from given exercise file

• Click Add data

• 

Choose upload

Choose the file

??? how to remove the uploaded file

Next

Next

Click create index - 

Click Review

Click Start Searching

Index=pfsense | iplocation dest

Index=pfsense | iplocation dest

index=* 

| stats count(source) by sourcetype

4. Learning Additional Lookup Usage

• If we know ip get host, if we know host get ip

• Index=pfsense |

index=pfsense 

| table _time, dest, dest_ip 

| outputlookup rules.csv 

• Check settings – lookup – we can see this file in app is search

5. Using Lookups in Tailored Searches

6. Additional Lookup Usage in Splunk

Automated lookup

We can create lookup file by opening folder /../lookups/filename.csv and put the data – the same will be available in splunk web.  Then we need to do the lookup table definition in site

?? one lookup table can have multiple definitions?

Automatic lookups

3. Using Statistical Commands

1. Using Splunk Statistical Commands

Good for visualization

Stats used for statistics

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchReference/SQLtoSplunk

2. Stats Command Arguments

3. Stats Command Functions 

1. Types of Stats Functions 

1. Aggregate Functions

• Avg()

• Count()

• Distinct_count

• Max()

• Min()

• Median()

• Mode()

• Range()

• Sum()

• Var() 

2. Event Order Functions

3. Multivalue Stats and Chart Functions

4. Time Functions

4. Using Statistical Calculations in Splunk

index=main 

| stats count by EventCode

index=main 

| stats avg(linecount)

??? metrics vs event

5. Introducing Splunk Subsearches

Subsearch is filter narrow data – splunk first do subsearch first then do the main search

6. Using Splunk Subsearches

??? how I know how much time splunk takes to process search results

This is taking more time 

Subsearch is not required it takes more resources and slow the splunk process

4. Performing Transformative Searches in Splunk

1. Eval Commands in Splunk

2. Using Eval Commands

3. Detailing Eval Functions

4. Filtering and Formatting Splunk Search Data

- not  more useful 

5. Wrapping up Evaluating and Filtering

5. Understanding Self-describing Data

1. Understanding Self-describing Data

JSON – field: value, nested array

Unstructured data needs processing to ingesting the data

2. Using Self-describing Data in Splunk

JSON Format

Upload the json file with different index name as “globelzeek”

 

3. Multivalue Fields

• Data analyst works Multivalue fields all the time

• 

• JSON will have one field with nested field and values

• Mv

• 

• 
  

4. Extracting Structured Data

Spath is autoextract mode

Either INDEXED_EXTRACTIONS = json OR KV_MODE = JSON

5. Using Structured Data and Multivalue Fields

6. Wrapping up Self-describing Data

values taken from json and create new fields available in interesting fields

6. Composing Advanced Searches in Splunk

1. Advanced Searches

2. Using Transactions in Splunk Searches

--

Transaction is similar to stats command

3. Generating Tailored Searches in Splunk

4. Searching Efficiently in Splunk

Field discovery slows our search

Familiarize with Search Job Inspector

5. Optimizing Splunk Searches

• Filtering as soon as possible

6. Wrapping up Tailored Searches in Splunk