Table of Contents
- Preface
- Why Splunk?
- Splunk in General
- Splunk Search
- Debrief
1. Preface
I only made this blog in order to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit splunk for the official learning courses
Splunk Q&A Study Guide
2. Why Splunk?
What is Splunk?
Helps make machine data accessible, usable, and available to everyone in the ogranization
What are the main functions of Splunk enterpise?
Index Data, Search and Investigate, Add Knowledge, Monitor & Alert, Report and Analyze
What is Index Data?
Collects data from any source, labels the data, and breaks it into single events
What is Search and Investigate?
A query using the splunk search language to analyze events
What is Add Knowledge?
Provides classification to data to change its interpretation and save reports
What is Monitor & Alert?
Monitors all your infrastructure in real time to identify issues, problems, and attacks before they impact your customers and services. Create alerts to monitor for specific conditions and automatically respond with a variety of actions
What is Report and Analyze?
Splunk allows you to collect reports and visualizations into dashboards, empowering groups in your organization, by giving them the information they need, organized into a single pane of glass
3. Splunk in General
What are roles?
Roles determine what a user is able to see, do, and interact with
What are the 3 main roles and their description?
Admin, Power, and User
Admin can install apps and create knowledge objects for all users.
Power can create and share knowledge objects for users of an app and do realtime searches
User will only see their own knowledge objects and those shared with them
What two apps come by default with Splunk Enterprise?
The home app and the search and reporting app
The search and reporting app provides a default interface for searching and analyzing data
What are the main components of the searching and reporting apps’ interface?
There are eight —
- The Splunk bar that appears on every page in Splunk enterprise
- The app bar to navigate the application
- The search bar used to run searches
- The time range picker is used to retrieve events over a specific time period
- The How To Search panel with links to documentation and a search tutorial
- Data Summary you get a data indexed beakdown by host, source, and sourcetype
- Table Views in order to provide a UI-driven way to explore and prepare your data without using Splunk’s SPL(search processing language)
- The Search History menu allows you to view and re-run past searches
What can you type into the search bar to look for failed login attempts?
failed — since it is not a string, no quotations are necessary
What can you do to narrow your search if responding to a recent alert?
Reduce the time in the time ranger picker. It is also faster and is a best practice
What new options does search interface gain after running a search command?
Save As menu, search results tabs, search action buttons, search mode selector, and timeline
What does the Save As Menu do?
Allows us to save our results as a knowledge object
Explain in detail the search results tab.
The events tab will display the events returned for your search and the fields that were extracted from the the events
The patterns tab allows you to see patterns in your data to better understand what is happening in your data
The statistics tab will help you view stats for the search
The visualization tab will have links for instant pivot, quick reports, and search command documentation
What are transforming commands?
Commands that create statistics and visualizations are called transforming commands. Transform event data into data tables
Explain the search action buttons.
Edit, Send to background, Inspect, and Delete search jobs
There are icons to pause, stop, share, print or export and search job
How do you share a search job?
Using the link from the share icons in search action buttons.
You are able to share with others or bookmark for your own use
By default, how long will a search job remain active?
10 minutes
How long will a shared search job remain active for?
7 days, and will be readable by everyone it is shared with, seeing the exact same results
What formats can you export search results?
Raw Events, CSV, XML, JSON
Explain the 3 search modes.
Chosen from the search mode selector:
Fast mode to cut down the field information that is returned
Verbose returns as much field and event data as possible
Smart mode will toggle behavior based on the type of search you are running
Explain the timeline.
Visual represenation of events segmented over time by the time you chose in the time range picker and are able to pick a specific time in the time line to investigate by updating our event list. You can also use the zoom link to zoom in and out of a selection
5. Debrief
I hoped this helped answer some general starter questions for anyone just learning Splunk. I really enjoyed doing and this and will be making more in the future as it is also helping me study the basics.
