Splunk Enterprise — Q&A — Fields

Table of Contents

https://discord.com/invite/7g9PrxVcc4

1. Preface

2. Splunk Sidebar

Where are selected fields displayed?

What are the default fields?

What fields have values in at least 20% of the events?

What does the letter ‘a’ denote?

What does a hash mark denote?

What is shown when you click on a field?

How do you add a field value pair?

How do you create a transforming search?

What happens when you add a field to the selected fields list?

Where can you see all fields for the search?

What can you do in the “All Fields” and “more fields”?

3. Splunk Search

How do you limit events returned?

Is case sensitivity an issue with field names or values?

Explain the field operators = and !=

Explain >, <, <= and >=

How can fields be added to your search?

Using !=, filter out fail*

Use NOT to achieve the same result

What is nesting search terms in parenthesis?

For fields containing an IP address, explain wildcards

What is the difference between != and NOT?

What is an alternative to chaining together several operators?

What command can be used to exclude or include fields from your search?

Display a field stats command

Display an additional fields command

What does the fields command use in order to include or exclude a field?

Explain | rename

4. Splunk Fields in Results

When Splunk ingests data into the index, a select number of fields are automatically extracted. What does this include?

At search time, field discovery extracts additional fields from raw event data. Explain

Explain temporary fields

What is the eval command used for?

Write a basic search showing which sites were being misused during business hours, now that a new web access policy has been added

Use the stats command to find the sum of all bytes used

Convert the bytes to megabytes (a megabyte is 1024 squared bytes)
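The three steps above (a business-hours filter, stats summing the bytes, and an eval converting the total to megabytes) combined into one search. This is an added example, not the article's own search: it builds a handful of constructed web-access events with makeresults and streamstats so it runs on any Splunk instance without the course data, and the site names, byte counts and the 09:00 to 17:00 business-hours window are assumptions.

```spl
| makeresults count=5
| streamstats count AS n
| eval date_hour=case(n=1, 8, n=2, 10, n=3, 11, n=4, 14, n=5, 19)
| eval site=case(n=1, "video.example.net", n=2, "video.example.net", n=3, "games.example.org", n=4, "video.example.net", n=5, "games.example.org")
| eval bytes=case(n=1, 734003, n=2, 5242880, n=3, 1572864, n=4, 2097152, n=5, 9437184)
| fields - n
| where date_hour>=9 AND date_hour<17
| stats sum(bytes) AS bytes, count AS hits BY site
| eval megabytes=round(bytes/pow(1024,2), 2)
| sort - megabytes
```

On indexed data, replace the first six lines with a base search against your web index and sourcetype; date_hour is then one of the default date_* fields, so the where clause stays the same. One caveat: the date_* fields come from the timestamp as written in the raw event and are not adjusted to the searching user's time zone, so for a source that logs in UTC the window is shifted. If that matters, derive the hour with eval hour=tonumber(strftime(_time, "%H")) instead, which does honour the user's time zone setting.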

Explain Field extractor

While fields extracted with the field extractor are persistent across searches, there might be times where you want to extract values temporarily for the duration of a search. When would be a time this would happen?

Give an example of this situation

What happens when it is run?

What does erex look for?

Using the where command with the isnull function, we can see that some character names were missed. How can this be fixed?

Where can you view the regular expression?

What information in the job menu suggests using the rex command with the generated regex?

Extract both the User and Character name values from our beta data, using _raw as the field to match on

Enter the regular expression created earlier inside double quotes and run the search

Continue the expression to return a Character field. After the User capture group, add an apostrophe, followed by \s to match the white space. To match the label before the character name, add a character class of upper- and lower-case letters and a colon with a plus quantifier, followed by an apostrophe. Then create another capture group named Character that matches one or more characters from a class containing upper- and lower-case letters, digits, period and dash

Explain using erex versus rex
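The rex expression described in the steps above, written out and run end to end, together with the isnull check for names the pattern missed and the widened class that fixes them. This is an added example rather than the article's own search: the three beta login events are constructed inline with makeresults so the search runs on any Splunk instance, and the log layout (User:'...' Character:'...'), the user names and the character names are assumptions. The third event has a character name beginning with an underscore, which the class in the text does not cover.

```spl
| makeresults
| eval _raw=split("2024-03-02 09:14:51 beta login User:'jsmith' Character:'Thorin-2' result=ok;2024-03-02 09:15:07 beta login User:'mlee' Character:'Rosebud.99' result=ok;2024-03-02 09:16:33 beta login User:'dvega' Character:'_Kestrel' result=ok", ";")
| mvexpand _raw
| rex field=_raw "User:'(?<User>[A-Za-z0-9.\-]+)'\s[A-Za-z:]+'(?<Character>[A-Za-z0-9.\-]+)"
| eval missed=if(isnull(Character), "yes", "no")
| rex field=_raw "User:'(?<User>[A-Za-z0-9.\-]+)'\s[A-Za-z:]+'(?<Character>[A-Za-z0-9._\-]+)"
| table _raw User Character missed
```

The first rex is the expression from the text; for the _Kestrel event it fails as a whole, so both User and Character are null and missed is "yes", which is exactly what | where isnull(Character) would surface on the course data. The second rex adds the underscore to the Character class and fills in the missing value; because rex only assigns the fields it captures, the rows that already matched are unchanged. The erex alternative would be | erex Character examples="Thorin-2,Rosebud.99" and then copying the generated regex from the job menu into rex: erex is quicker to start with, but the regex it infers depends on the examples given and has to be checked the same way, which is why rex with an explicit pattern is the form to keep in a saved search.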

5. Splunk Knowledge Objects

Calculated fields: when an eval expression is stored in a calculated field, what does Splunk do?

One thing to keep in mind when creating a calculated field: it can only reference fields that are already present in the events returned by a search. In our earlier search the bytes field was created by another command in the search pipeline, so for a calculated field to work correctly, make sure it references a field that has already been extracted

Explain Field Aliases

Explain lookups

What is the order of the search time operations?

6. Debrief

Dante E. Mata

Experienced Cyber Intelligence Analyst with a demonstrated history of working in the US Military and IT industry with a focus in Cyber Security.