Below you will find pages that utilize the taxonomy term “Splunk”
Advanced Splunk Techniques for Beginners
Welcome to the fascinating world of Splunk, a robust tool that converts machine data into insights that can help guide operational intelligence and business decisions. This post is designed for beginners eager to expand their Splunk knowledge.
Getting Started with Splunk
Splunk is a software platform used for searching, monitoring, and analyzing machine-generated data via a web-style interface. Setting up Splunk is straightforward:
- Download and install the free version from their official website.
- Launch the program and navigate through the setup, including creating an admin account.
Fundamental Splunk Commands
Splunk’s power is in its search capabilities, powered by the Splunk Processing Language (SPL). Here’s a basic command example:
Searching for Threats in Firewall Logs Using Splunk
To search for threats in firewall logs using Splunk, you need to craft a search query that looks for common indicators of malicious activity. Here’s a basic example to get you started:
- Open Splunk and navigate to the Search & Reporting app.
- Enter the search query.
A typical search query for firewall logs might look like this:
index=firewall_logs sourcetype="firewall"
| search action=blocked OR action=denied OR action=dropped
| table _time src_ip dest_ip action signature
| dedup src_ip, dest_ip, signature
| sort _time
This query does the following:
Logon and Logoff Times for Windows Users (Splunk)
A common Splunk question I am asked is: what is the easiest way to determine how long an account was logged into Windows? While there are many opportunities for erroneous data, because a user may be logging into several services on different machines at the same time, a report can be generated along the following lines:
sourcetype=WinEventLog:Security
(EventCode=4624 OR EventCode=4634)
| eval day=strftime(_time,"%m/%d/%Y")
| stats earliest(_time) AS logon latest(_time) AS logoff by user host day
| eval logon=strftime(logon,"%m/%d/%Y %H.%M.%S"), logoff=strftime(logoff,"%m/%d/%Y %H.%M.%S")
To limit the results to a particular machine, you can either adjust the search to include the particular machine you are looking for or conversely exclude common machines from the report.