Learning Splunk

Learning Splunk

by Tom Kopchak
Released March 2020
Publisher(s): Packt Publishing
ISBN: 9781789801002

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Video description

Maybe you've heard about Splunk, but don't know how to use it to take control of big data? Have you used Splunk, but want to learn how to set it up and use it properly? If so, this course is for you.

In this course, you will work with Splunk from the ground up. You'll learn the basics of Splunk terminology, and how to use the Splunk web interface to find data. You'll also build your own Splunk environment, add data to the Common Information Model (CIM), create dashboards, and find events within data. Finally, you'll master advanced searching techniques that are especially useful to those in network, security, and system administration roles.

The course also covers the latest additions brought in for Splunk 8 and helps you quickly perform an upgrade. By the end of the course, you will be confident about using Splunk and will be well on the road to becoming a proficient Splunk architect and administrator as quickly as possible!

What You Will Learn

  • Build your own Splunk development environment from scratch on a Linux server—and use it!
  • Onboard and index multiple types of data into your Splunk instance
  • Understand the importance of the Splunk Common Information Model (CIM), and why data models make Splunk a powerful tool for managing logs at volume
  • Normalize data using Splunk apps
  • Develop basic reports and dashboards using your new Splunk instance and the data from your Linux system
  • Understand why leaving systems exposed to the internet is a bad idea

Audience

This course is for IT professionals and data analysts who want to get started with Splunk and rapidly take their skills to the point where they can get hands-on and fully proficient with its features and benefits.

Requirement: No prior knowledge of Splunk is needed for taking this course, but a Splunk account (free of charge) will be required for the lab activities. Knowledge of Unix/Linux command line will be helpful.

About The Author

Tom Kopchak: Tom Kopchak is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of network and Splunk engineers but is still an engineer and technology geek at heart. Tom is a Splunk Certified Architect and Accredited Consultant and has several years' experience building, designing, and managing Splunk deployments; he also manages teams of Splunk engineers, designing Splunk deployment strategies, and developing Splunk training materials.

He holds a Masters degree in Computing Security from the Rochester Institute of Technology and has spoken at numerous Infosec conferences around the country (including Splunk .conf and DEFCON). You will often find him researching digital forensics topics or tinkering with any and all forms of computer hardware. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.

Table of contents

  1. Chapter 1 : Introduction to Splunk
    1. Course Overview
    2. What Is Splunk
    3. What Are Logs and Why They Matter
    4. Setting Up an AWS Environment
    5. Splunk Installation
  2. Chapter 2 : Splunk Terminology
    1. Splunk - Splexicon
    2. What Data Looks Like in Splunk - Events
    3. Getting Data Out of Splunk - Search
    4. Saved Searches - Report
    5. Visualizing Data - Dashboard
    6. Splunk's Search Language - Search Processing Language
    7. What Type of Data Do We Have - Sourcetype
    8. How is Data Stored - Index
    9. Making Data Useful with Knowledge Objects and Fields
    10. Enriching Data - Lookup Table
  3. Chapter 3 : Data Onboarding
    1. How to Approach Data Onboarding
    2. Hands-On Lab: Onboarding Linux Authentication Logs
    3. Field Extractions Using Splunk Apps
    4. What If There Is Not an App Available
    5. Splunk Configuration Files
  4. Chapter 4 : Splunk Deployment Components
    1. Core Splunk Infrastructure - Indexes and Search Heads
    2. Supporting Infrastructure - Forwarders
    3. Supporting Infrastructure - Syslog Receiver
    4. Supporting Infrastructure - Deployment Server
    5. Splunk Licensing - How It Works and How to Investigate Your License Utilization
    6. Splunk Clustering - Building Splunk for Fault Tolerance
    7. Distributed Splunk Environments
    8. Splunk Apps - The Building Blocks of Any Splunk Deployment
  5. Chapter 5 : Data Normalization and Data Models
    1. Onboarding Iptables Logs
    2. Normalizing Data Using the Splunk Common Information Model (CIM)
    3. Applying the Common Information Model to Your Firewall Logs
  6. Chapter 6 : Using Your Splunk Environment
    1. Overview of Splunk UI
    2. Using Fields
    3. Hands-on Lab: Working with the Splunk UI
    4. Splunk Search Models
    5. Hands-On Lab: Splunk Search Modes
    6. The Search Pipeline
    7. Hands-On Lab: Search Pipeline
  7. Chapter 7 : Visualizing Data
    1. Reporting Log Data - Tables
    2. Hands-On Lab: Tables - Displaying Search Results
    3. Advanced Searching Concepts - Chart - Graphing Search Results
    4. Advanced Searching Concepts - Timechart - Results Over Time
    5. Advanced Searching Concepts - Geostats and IP Location
    6. Advanced Searching Concepts: Eval - Manipulating and Reformatting Data
    7. Advanced Searching Concepts: Rename – Making Table Headers More Accessible
    8. Advanced Searching Concepts: Relative Time Syntax
    9. Advanced Searching Concepts: Search Performance - Gotchas to Avoid
    10. Advanced Searching Concepts: Time to Experiment – Expanding Your Splunk Knowledge
    11. Creating Splunk Dashboards
    12. Hands-On Lab: Dashboards
  8. Chapter 8 : Upgrading Splunk
    1. Splunk Release Cycles
    2. What's New in Splunk 8.0
    3. Planning for an Upgrade
    4. Backing up Your Splunk Instance
    5. Performing a Splunk Upgrade
    6. Hands-on Lab: Upgrading Your Lab System

Product information

  • Title: Learning Splunk
  • Author(s): Tom Kopchak
  • Release date: March 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781789801002