Splunk Cookbook Lab Workshop

Cookbook Lab 1
1. Splunk installation
2. First time login
3. Set the port number to port 80.
   a. Please select menu Manager > System settings > General settings
   b. Change port from 8000 to 80
   c. Save.
Cookbook Lab 2
1. Select Data Input: Apache Access Log
   a. Please select menu Manager > Data inputs > Files & directories > New
   b. Browse server on Preview data
   c. Select access.log
   d. Select auto-detected sourcetype: access_combined_wcookie
2. Select Data Input: Radius Log
   a. Please select menu Manager > Data inputs > Files & directories > New
   b. Browse server on Preview data
   c. Select radius.log
   d. Select Start a new sourcetype
   e. Type radius in the "Name your new sourcetype *" text box
3. Radius log Field Extraction
   a. Search sourcetype=radius
   b. Select Extract Fields
   c. Splunk pops up a new window
   d. Copy and paste example data into the input box
   e. Select Save
   f. Type Field Name authen_status in the text box
   g. Repeat these steps for the field user
4. Report sourcetype radius
   Report radius events in table format (Fields: _time, user, authen_status)
      sourcetype=radius | table _time user authen_status
   Report the user list and number of logins to radius by authentication status
      sourcetype=radius | stats values(user) as User count by authen_status | eval count=tostring(count, "commas")
   Report top users with incorrect authentication
      sourcetype="radius" authen_status="login incorrect" | top user
5. Upload Flower_Item.csv and make an automatic lookup with sourcetype access_combined_wcookie
   a. Please select menu Manager > Lookups > Lookup table files
   b. Select New
   c. Select Flower_item.csv and upload it to Splunk; type Flower_item.csv in the "Destination filename *" text box
   d. Make the lookup definition: please select menu Manager > Lookups > Lookup definitions
   e. Select New
   f. Define the lookup definition name flower_lookup in the "Name *" text box
   g. Click Advanced options
   h. Type 1 in the Minimum matches text box
   i. Type Unknown in the Default matches text box
   j. Click Save
   k. Make the automatic lookup definition: please select menu Manager > Lookups > Automatic lookups
   l. Select New
   m. Define the automatic lookup name flower_lookup in the "Name *" text box
   n. Select lookup table flower_lookup
   o. Select Apply to sourcetype and access_combined_wcookie
   p. Lookup input fields: itemid
   q. Lookup output fields: itemname and Price
   r. Click Save
Cookbook Lab 3
1. Report Authentication over time (Line Chart)
      sourcetype="radius" | timechart count
2. Report Authentication Status over time (Area Chart with Stack)
      sourcetype="radius" | timechart count by authen_status
3. Report Authentication Status by User (Column Chart)
      sourcetype="radius" | chart count over user by authen_status
4. Report Percent Authentication Success (Gauge)
      sourcetype="radius" | stats count by authen_status | eventstats sum(count) as total | eval percent = round(count/total*100,2) | gauge percent
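The radius field extraction (Lab 2 step 3) and the authen_status reports (Lab 2 step 4 and the Lab 3 gauge) carried out offline in Python, as an added example that is not part of the original workshop: it assumes FreeRADIUS-style radius.log lines (constructed below), uses a regex equivalent to what the Extract Fields wizard builds for authen_status and user, and reproduces the stats/percent and top-user calculations so the Splunk reports can be cross-checked against the raw file.

```python
import re
from collections import Counter

# Constructed sample lines in FreeRADIUS radius.log style (assumed format, not the lab's file).
RADIUS_LOG = """\
Mon Jun  4 10:12:31 2012 : Auth: Login OK: [alice] (from client nas01 port 0)
Mon Jun  4 10:12:45 2012 : Auth: Login incorrect: [bob/wrongpw] (from client nas01 port 1)
Mon Jun  4 10:13:02 2012 : Auth: Login OK: [carol] (from client nas02 port 3)
Mon Jun  4 10:13:20 2012 : Auth: Login incorrect: [bob/wrongpw] (from client nas01 port 1)
Mon Jun  4 10:13:41 2012 : Auth: Login incorrect: [mallory] (from client nas03 port 7)
Mon Jun  4 10:14:05 2012 : Auth: Login OK: [alice] (from client nas01 port 0)
"""

# Equivalent of the two fields extracted in the lab: authen_status and user.
# Failed logins appear as "[user/password]", so the user stops at "/" or "]".
FIELD_RE = re.compile(r"Auth: (?P<authen_status>Login (?:OK|incorrect)): \[(?P<user>[^\]/]+)")


def extract_events(log_text):
    """Return one {'authen_status': ..., 'user': ...} dict per matching line."""
    events = []
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def status_report(events):
    """stats values(user) as User count by authen_status | eventstats sum(count) as total
    | eval percent=round(count/total*100,2)"""
    counts = Counter(e["authen_status"] for e in events)
    users = {}
    for e in events:
        users.setdefault(e["authen_status"], set()).add(e["user"])
    total = sum(counts.values())
    return {
        status: {"User": sorted(users[status]), "count": n,
                 "percent": round(n / total * 100, 2)}
        for status, n in counts.items()
    }


def top_users(events, status="login incorrect"):
    """authen_status="login incorrect" | top user  (value match is case-insensitive, as in Splunk)."""
    c = Counter(e["user"] for e in events if e["authen_status"].lower() == status.lower())
    return c.most_common()
```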
Cookbook Lab 5
1. Percentage of Purchases vs Viewed
      sourcetype="access_combined_wcookie" action="view" OR action="purchase" | stats count by action | eventstats max(count) as total | eval percent = round(count/total*100,2) | gauge percent
2. Catalog Views by item over time
      sourcetype="access_combined_wcookie" action="view" | timechart count by itemname useother=f
3. Popular purchase items and total prices
      sourcetype="access_combined_wcookie" action="purchase" | stats count sum(price) as Total_Price by itemname | sort - Total_Price | eval Total_Price = tostring(Total_Price,"commas") | head 10
4. Top 10 referer domains to view www.myflowershop.com
      sourcetype="access_combined_wcookie" NOT referer_domain="http://www.myflowershop.com" | top limit=10 referer_domain
5. Web Access Count by Status over time
      sourcetype="access_combined_wcookie" | timechart count by status
   (The original repeated the step 4 search here; this search is reconstructed from the title and assumes the standard status field of the access_combined_wcookie sourcetype.)