Book Image

Data Analytics Using Splunk 9.x

By : Dr. Nadine Shillingford
5 (1)
Book Image

Data Analytics Using Splunk 9.x

5 (1)
By: Dr. Nadine Shillingford

Overview of this book

Splunk 9 improves on the existing Splunk tool to include important features such as federated search, observability, performance improvements, and dashboarding. This book helps you to make the best use of the impressive and new features to prepare a Splunk installation that can be employed in the data analysis process. Starting with an introduction to the different Splunk components, such as indexers, search heads, and forwarders, this Splunk book takes you through the step-by-step installation and configuration instructions for basic Splunk components using Amazon Web Services (AWS) instances. You’ll import the BOTS v1 dataset into a search head and begin exploring data using the Splunk Search Processing Language (SPL), covering various types of Splunk commands, lookups, and macros. After that, you’ll create tables, charts, and dashboards using Splunk’s new Dashboard Studio, and then advance to work with clustering, container management, data models, federated search, bucket merging, and more. By the end of the book, you’ll not only have learned everything about the latest features of Splunk 9 but also have a solid understanding of the performance tuning techniques in the latest version.

Related Content you might be interested in

Current Title:

Small book image
Data Analytics Using Splunk 9.x
Dr. Nadine Shillingford
Jan, 2023 | 336 pages
Small book image
Splunk 7.x Quick Start Guide
James H Baxter
Nov, 2018 | 298 pages
Small book image
Splunk 9.x Enterprise Certified Admin Guide
Srikanth Yarlagadda
Aug, 2023 | 256 pages
Small book image
Mastering Splunk 8
James D Miller
Dec, 2020 | 456 pages
Table of Contents (18 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Getting Started with Splunk
Part 1: Getting Started with Splunk
Free Chapter
2
Chapter 1: Introduction to Splunk and its Core Components
Chapter 1: Introduction to Splunk and its Core Components
Splunking big data
Exploring Splunk components
Introducing the case study – splunking the 
BOTS Dataset v1
Summary
3
Chapter 2: Setting Up the Splunk Environment
Chapter 2: Setting Up the Splunk Environment
Technical requirements
Installing Splunk Enterprise
Setting up Splunk forwarders
Setting up Splunk deployment servers
Setting up Splunk indexers
Setting up Splunk search heads
Installing additional Splunk add-ons and apps
Managing access to Splunk
Summary
4
Chapter 3: Onboarding and Normalizing Data
Chapter 3: Onboarding and Normalizing Data
Exploring inputs.conf using the Splunk Add-on for Microsoft Windows
Extracting fields using props.conf and transforms.conf
Creating event types and tagging
Summary
5
Part 2: Visualizing Data with Splunk
Part 2: Visualizing Data with Splunk
6
Chapter 4: Introduction to SPL
Chapter 4: Introduction to SPL
Understanding the Splunk search interface
Dissecting a Splunk query
Formatting and transforming data
Summary
7
Chapter 5: Reporting Commands, Lookups, and Macros
Chapter 5: Reporting Commands, Lookups, and Macros
Exploring more Splunk commands
Enhancing logs with lookups
Simplifying Splunk searches with macros
Summary
8
Chapter 6: Creating Tables and Charts Using SPL
Chapter 6: Creating Tables and Charts Using SPL
Creating and formatting tables
Creating and formatting charts
Creating advanced charts
Summary
9
Chapter 7: Creating Dynamic Dashboards
Chapter 7: Creating Dynamic Dashboards
Adding tables and charts to dashboards
Adding inputs, tokens, and drilldowns
Exploring the dashboard source
Adding reports and drilldowns to dashboards
Experimenting with the new Dashboard Studio
Summary
10
Part 3: Advanced Topics in Splunk
Part 3: Advanced Topics in Splunk
11
Chapter 8: Licensing, Indexing, and Buckets
Chapter 8: Licensing, Indexing, and Buckets
Understanding Splunk indexing and buckets
Exploring Splunk queues
Discussing Splunk licensing models
Summary
12
Chapter 9: Clustering and Advanced Administration
Chapter 9: Clustering and Advanced Administration
Introducing Splunk clusters
Understanding search head clusters
Understanding indexer clusters
Summary
13
Chapter 10: Data Models, Acceleration, and Other Ways to Improve Performance
Chapter 10: Data Models, Acceleration, and Other Ways to Improve Performance
Understanding data models
Accelerating data models
Improving performance
Summary
14
Chapter 11: Multisite Splunk Deployments and Federated Search
Chapter 11: Multisite Splunk Deployments and Federated Search
Exploring multisite Splunk deployments
Configuring federated search
Using federated search
Summary
15
Chapter 12: Container Management
Chapter 12: Container Management
Understanding container management
Deploying Splunk in Docker
Getting started with Splunk Operator for Kubernetes
Exploring container logs using Splunk
Summary
16
Index
Index
Why subscribe?
17
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Introducing the case study – splunking the 
BOTS Dataset v1

In this section, we will introduce the case study that we will use throughout this book. We will explore logs in BOTS Dataset v1. Boss of the SOC (BOTS) is a blue-team capture-the-flag competition held during the annual Splunk .conf conference (https://tinyurl.com/39ru8d4b). Participants are given access to realistic network security logs to investigate real-world cybersecurity attacks. The nature of the attacks or the exact attack sequence is beyond the scope of this book. However, the dataset is a collection of data that we can use to explore some of the rich features of Splunk. BOTS Dataset v1
was compiled by Ryan Kovar, David Herrald, and James Brodsky in 2016.

The setup

A fictional company, ABC Inc., has observed unusual activity on its network. They think that the problem is centered around three Windows devices (we8105desk, de9041srv, and we1149srv). The very cyber-conscious ABC Inc. also has several network security solutions installed on their network as part of their security infrastructure:

The company would like you to investigate an incident that occurred in August 2016. What abnormal activity will you discover?

Our solution is to use Splunk to investigate the logs generated in August 2016. To get the full experience of installing Splunk, we will first deploy a Splunk environment to simulate the environment that generated BOTS Dataset v1. The environment will consist of the following components:

  • Three Splunk forwarders running on Windows devices (we8105desk, de9041srv, and we1149srv) deployed using AWS instances
  • A dedicated indexer (Splunk Enterprise installed on an AWS instance running Red Hat Linux)
  • A dedicated search head (Splunk Enterprise installed on an AWS instance running Red Hat Linux)
  • A deployment server (Splunk Enterprise installed on an AWS instance running Red Hat Linux)

This will give us an environment that we can use to explore the important process of setting up and configuring Splunk in Chapter 2, Setting Up the Splunk Environmentment. This case study will require access to an AWS account, so you should sign up for an account using the AWS Management Console (https://aws.amazon.com/console/) if you do not have one. This case study does not require advanced knowledge of AWS, but it may be helpful to read a tutorial on AWS Cloud such as Learn the Fundamentals (https://tinyurl.com/2p8aj7b7) or watch a YouTube video (https://www.youtube.com/watch?v=r4YIdn2eTm4). You will also need a Splunk account to download the Splunk installation file and Splunk apps (https://www.splunk.com).

BOTS Dataset v1 is available for download from the Splunk Git repository (https://github.com/splunk/botsv1). We will use the dataset containing only attack logs due to space limitations of the free license of Splunk Enterprise. The dataset comes in the form of a Splunk app, which will install on our dedicated search head. Once we have installed and configured the Splunk deployment, we will design a series of Splunk queries, dashboards, reports, and alerts as we investigate the logs.

For this case study, we are assuming that Alice has an established security infrastructure that includes firewalls and other security devices. However, monitoring those devices does not fall under the scope of the project.

Once we have deployed and configured the Splunk environment, we will install BOTS Dataset v1 as an app on the search head and continue our exploration on the search head. The dataset consists of various machine and network logs generated by the appliances mentioned in the The setup section.

Now, let’s summarize what we have learned in this chapter.

Previous Section
End of Section 4
Next Section