# Splunk Intro

<hr style="border:3px solid black"> </hr>

## What is Splunk?
- Splunk captures, indexes and correlates real-time data in a searchable repository
    - from this we can generate graphs, reports, alerts, dashboards and visualizations
- Splunk is a powerful platform for analyzing and visualizing machine data

---

# Uses of Splunk:
- Monitoring System Performance
- Data-informed decisions
- Security Cognizance
- Monitoring System Health
- Improved Quality

<br>

# Why Splunk?
- large amounts of data are created every day by most people
- Splunk helps to analyze and visualize these large datasets

**enterprises --> sources of data --> copious data --> process and analyze --> increase profits and efficiency**
- data is sourced from all sites (amazon, spotify, netflix, google, etc)

<br>

**data sources --> log files --> Splunk Tool --> Analyze and visualize**

<hr style="border:1px solid black"> </hr>

# Vocab:

- Start with **data**, in these forms:
    - logs
    - CSVs
    - databases

<br>

- **Indexes**:
    - how we store the data
    - like: tables in a database

<br>

- **Search Processing Language (SPL)**:
    - how we query the data
    - all data indexed as "events"

<br>

- **End users**:
    - want to see dashboards

<br>

- **Time range**:
    - one of the best ways to improve performance in Splunk
    - limiting the time range greatly improves search performance

<hr style="border:1px solid black"> </hr>

# Index
- collects data from any source

### How it works
- data enters as raw material
- matches are found in the data
- matches are labeled with source types
- time stamps are identified and normalized (into consistent format)

<br>

- splunk>index
    - enter query to find events
        - analyze data
        - normalize data
        - classify data
        - save report

<br>

- monitor and alert
    - identify issues and problems
    - monitor for specific conditions and automatically respond
- report and analyze
    - creates dashboards

<hr style="border:1px solid black"> </hr>

# Using Splunk

## Apps:
- preconfigured environments
- workspaces built to solve a specific case
- defined by the Administrator role

<br>

### Default Apps in Splunk:
Splunk comes with 2 default apps
   - **Home**
       - quick place to explore
       - set custom dashboards
       - Administrators can create new Apps from "Home"
   - **Search & Reporting**
       - queries can be made here
       - search and analyze data

## 3 Main Roles:
**Role**: determines what the user is able to see, do and interact with

- **Administrator**
    - most powerful
    - can install apps
    - ingest data
    - create knowledge objects for all users
- **Power**
    - can create and share knowledge objects
    - can run real-time searches
- **User**
    - can only see their own knowledge objects and those shared with them


<hr style="border:1px solid black"> </hr>

# Using Search

If looking for possible security breaches in the last week...
- use search and reporting app
- in search bar type "failed"
- then select "last 7 days" in time range picker 
- new search page will open

<br>

### Tabs:
- **events tab**: will show you how many instances of "failed" logins there were
- **patterns tab**: shows patterns within the data
- **statistics tab**: shows statistical results
- **visuals tab**: shows visuals from gathered data (if any available)

#### Commands that create stats and viz are called "transforming commands"

### Search Time Frames:
- search jobs only stay valid for **10 minutes**
- ***shared*** search jobs stay valid for **7 days**

### 3 Search Modes:
- **Fast**:
    - cuts down on field information return
    - "field discovery" disabled for this mode
        - only returns info on required or default fields
- **Smart**:
    - this is the DEFAULT mode
    - will toggle behavior based on search you are running
    - chooses either fast or verbose mode
- **Verbose**:
    - returns as much field and event data as possible

---

# Search Processing Language (SPL)

### Wider Searches:
- **Wildcards**:
    - use an asterisk (*) to find any word starting with the root word
    - useful when looking for failed log-ins
    - example: "Fail*" matches failed, fail, failure, etc.

<br>

- **Booleans**:
    - order of operations is followed
    - anything in parentheses is evaluated first, then:
        - NOT        
        - OR
        - AND

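An added example (not from the original notes) that combines the wildcard, the boolean precedence and the time range from this section into one failed-login search; the index, sourcetype, service-account names and IP ranges are assumed values, not from the page:

```spl
index=main sourcetype=linux_secure earliest=-7d latest=now
    fail* NOT (user=svc_backup OR user=svc_monitor)
    src_ip=10.0.0.* OR src_ip=192.168.*
| stats count AS attempts, dc(src_ip) AS sources BY user
| sort -attempts
```

Because OR is evaluated before AND, Splunk reads the third line as `(src_ip=10.0.0.* OR src_ip=192.168.*)` even without parentheses; writing them explicitly, as on the second line, costs nothing and avoids surprises. The `stats` line is the transforming command, so this search fills the statistics tab rather than only the events tab.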
    

<hr style="border:1px solid black"> </hr>

# 5 Components of Splunk Search Language 

**Search Terms**:
- foundation of Splunk design

<br>

**Commands**:
- tell Splunk what we want to do with results
    - create charts
    - compute statistics
    - formatting
    
<br>

**Functions**:
- explain how we want to chart, compute and evaluate results

<br>

**Arguments**:
- variables we want to apply to the functions

<br>

**Clauses**:
- how we want results grouped in a search

---

### Example Search:
- sourcetype=cisco_wsa_squid usage=Violation | stats count(usage) as Visits

#### Breakdown Components:
   - **Search Terms**: sourcetype=cisco_wsa_squid usage=Violation
   - **Command**: stats
   - **Function**: count
   - **Argument**: usage
   - **Clause**: as
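Extending the page's own example, as an added search (not from the original notes): every one of the five components appears again, and a BY clause groups the violations per client; the `cs_username` and `src_ip` field names and the 24-hour window are assumed, not taken from the page.

```spl
sourcetype=cisco_wsa_squid usage=Violation earliest=-24h
| stats count(usage) AS Visits, dc(cs_username) AS Users BY src_ip
| where Visits > 20
| sort -Visits
| head 10
```

Here `stats`, `where`, `sort` and `head` are the commands, `count` and `dc` the functions, `usage` and `cs_username` their arguments, and `AS` and `BY` the clauses. `where` runs after `stats`, so it filters the aggregated rows rather than the raw events.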

<hr style="border:1px solid black"> </hr>

# Best Practices

### Case Sensitivity:
- search terms, clauses and commands are **NOT** case sensitive
- if using the "replace" command, that **IS** case sensitive

### Search Effectiveness:
- using time to limit event return is most efficient
- Next most efficient are:
    - index
    - source
    - host
    - sourcetype 
    
### Other best practices:
- the more you tell the search, the better the results
    - use "failed password" instead of just "password"
- inclusion is better than exclusion
    - use "access denied" instead of "not access granted"
- use OR or IN operators instead of wildcards (*) when possible
- filter early in your search command
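Two versions of the same search, added here as an illustration (not part of the original notes), show the best practices above applied: the first scans all time with a leading wildcard, a negation and late filtering, while the second scopes by index, sourcetype and time, uses IN instead of wildcards, and filters before the transforming command; the index, sourcetype and field names are assumed.

```spl
*denied* NOT "access granted"
| where sourcetype="fw_traffic"
| stats count BY src_ip

index=network sourcetype=fw_traffic earliest=-24h action IN (blocked, denied)
| stats count AS hits, dc(dest_port) AS ports BY src_ip
| where hits > 100
| sort -hits
```

The first search retrieves every event in every index before `where` discards most of them; the second never reads them. Field names such as `action` are case-sensitive even though their values are not, so `Action=blocked` would silently match nothing.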

<hr style="border:1px solid black"> </hr>

# Knowledge Objects

- tools that help users discover and analyze the data
- can be created by one user and shared with others
- can be saved and reused in multiple apps and by multiple people

### 5 Categories of Knowledge Objects:
- **Data Interpretation**:
    - fields
    - field extraction
    - calculated fields
- **Data Classification**:
    - event types
    - transactions
- **Data Enrichment**:
    - lookups
    - workflow actions
- **Data Normalization**:
    - tags
    - field aliases
- **Data Models**:
    - hierarchically structured datasets

### Knowledge Manager Responsibilities:
- oversee creation
- implement naming
- create models
- normalize data

<hr style="border:1px solid black"> </hr>

# Creating Reports and Dashboards

- save as report
    - create name 
    - add description if desired

**Dashboards**
- collection of reports compiled into a single document
- can click and drag visuals to put in desired location
- "add panel" to put another visualization on the dashboard

- visualizations tab
    - can be altered using "format"
    - types:  
        - pie
        - graph
        - line
        - etc

<hr style="border:1px solid black"> </hr>

# Splunk Architecture

## Two types of environments:
<br>

- Single-server environment
    - used for individual purposes
    
<br>

- Distributed Environment
    - used for commercial purposes

### Single-server environment
- not used for production deployments
- used for:
    - Testing
    - Creating proof of concept
    - personal use
    - learning

<br>

- **Testing**:
    - test whether a system is indexing data
    - test whether system has issues

- **Proof of concept**:
    - understand what you will be doing

- **Personal Use**:
    - for your own purpose
    - index your own data
    
- **Learning**:
    - professional growth
    - personal interest
    
### Distributed Environment
- large scale environments
- data collection method
- different components for different tasks 
- scale operation from one system to thousands of systems if desired

<hr style="border:1px solid black"> </hr>

# Splunk Components

## Processing Components
These components handle the data
- Forwarders
- Indexers
- Search Heads

### Indexers:
- processes machine data
- stored in indexes as "events"
- enables fast searches and analysis

<br>

- the indexer indexes the data, then --> creates a number of files organized in sets of directories by age
    - contains compressed raw data

### Management Components
These components support the activities of the processing components
- deployment server
- indexer cluster master node
- search head cluster deployer
- license master
- monitoring console

<hr style="border:1px solid black"> </hr>