Searching and Reporting with Splunk 4.2 class labs

Lab typographical conventions

{student number} indicates you should replace this with your student number.
{server-name} indicates you should substitute the server name assigned to this class.

There are three sourcetypes used in the labs. The lab instructions refer to these sourcetypes by the types of data they represent. The data types are as follows:

Store data – access_* or access_combined
Firewall data – cisco_wsa*
Email data – cisco_esa

Lab 1 – Fields Overview

Description
This is a short lab to familiarize you with the data used in this course.

Steps

Task: Log into Splunk on your classroom server.
1. Direct your web browser to the class lab system (for example, http://{server-name}.splunk.com:8000).
2. Login with the credentials your instructor assigned.
3. Take a minute to examine the data sources on the Summary page.

Task: Perform basic searches on the store data.
4. To the right of the search box, set the time range to Last 24 hours.
5. Search for all events with the access_combined sourcetype (store data).
6. Take a few moments to examine the fields that were automatically extracted.
7. Create a table that includes the clientip and status fields.
   Result Example:
   clientip       status
   192.1.2.40     200
   192.1.2.40     200
   67.230.13…     404
   …
8. Modify the search to only include events where action="purchase".
9. Pipe to the rename command to rename the clientip field to customer.
   Result Example:
   customer       status
   192.1.2.40     200
   192.1.2.40     200
   67.230.13…     404
   …

Task: Perform basic searches on the firewall data.
10. Search for all events in the last 24 hours for the cisco_wsa* sourcetype (firewall data).
11. Take a few moments to examine the fields that were automatically extracted.
12. Create a table that displays the cs_username and usage fields.
    Result Example:
    cs_username        usage
    grumpy@demo.com    Business
    grumpy@demo.com    Personal
    grumpy@demo.com    Business
    …

**CHALLENGE LAB
13. Search for all events in the Last 24 hours for the cisco_esa sourcetype (email data).
14. Take a few moments to examine the fields that were automatically extracted.
15. Search for the term OUTBREAK_*.
16. Add the rex command to extract a new field called threat for the threat information.
17. Add the top command to display the top values of the threat field.
    Result Example:
    threat                                count   percent
    OUTBREAK_0002499 has threat level 3   91      2.199662
    OUTBREAK_0002476 has threat level 3   91      2.199662
    OUTBREAK_0002445 has threat level 3   90      2.175489
    …

Lab 2 – Basic Statistics

Description
This lab reinforces the commands you learned for basic statistics.

Steps

Task: Report on top and rare values.
1. Search the sourcetype=access_combined for all events in the last 24 hours where the referer_domain is not *myflowershop*.
2. Use the top command to display the top 3 referrer domains.
3. Add the fields command to modify the report to remove the percent field from the results.
   Results Example:
   referer_domain           count
   http://www.google.com    2842
   http://www.yahoo.com     154
   http://www.bing.com      147
4. Using the same data, find the top status codes for each web host.
   hint: use the fields status and host.
5. Add the sort command to sort by the count field in descending order.
   Results Example:
   host    status   count   percent
   www2    200      907     77.987962
   www1    200      900     78.809107
   www3    400      774     8.168530
   …
6. Search sourcetype=cisco_wsa* for all events in the last 24 hours.
7. Use the top command to display the top usage types, grouped by user.
   hint: use the field cs_username.
8. Add the sort command to sort by the count field in descending order.
   Results Example:
   cs_username        usage      count   percent
   grumpy@demo.com    Personal   5189    57.191668
   happy@demo.com     Personal   4590    66.919376
   doc@demo.com       Unknown    3926    58.188825
   …
9. Using the same data, find the most rare mime types.
   hint: use the field cs_mime_type.
   Results Example:
   cs_mime_type        count   percent
   application/x-elc   1       0.003685
   audio/mpeg          1       0.003685
   audio/x-ms-wma      1       0.003685
   …

Task: Use the stats command and associated functions.
10. Search sourcetype=access_combined for purchase events in the last 24 hours.
    hint: action="purchase"
11. Use the stats command to count the events by productId.
12. Add the sort command to sort by the count field in descending order.
    Results Example:
    productId   count
    AV-CB-01    533
    AV-SB-02    230
    FI-FW-02    119
    …
13. Search sourcetype=access_combined to view all the activity for the online flowershop in the last 24 hours.
14. Use the stats command to get a distinct count of JSESSIONIDs for each host.
    Results Example:
    host    dc(JSESSIONID)
    www1    464
    www2    557
    www3    488
15. Modify the report to get a distinct count of clientip for each host.
    Results Example:
    host    dc(clientip)
    www1    20
    www2    21
    www3    21
16. Use the stats command to create a new report that gets a sum of bytes being served for each file.
    Results Example:
    file              sum(bytes)
    cart.do           951390
    category.screen   976233
    product.screen    827834
    …
17. Modify the report to get an average instead of a sum.
    Results Example:
    file              avg(bytes)
    cart.do           2111.488069
    category.screen   2160.552463
    product.screen    2097.279805
    …
18. Create a new search for events in sourcetype=cisco_wsa* that include the term BLOCK_* in the last 24 hours.
19. Use the stats command to list all the values of the x_webroot_threat_name field within the results.
    Results Example:
    values(x_webroot_threat_name)
    "AntivirusXPPro Fakealert"
    "Paypopup Cookie"
    "Trojan-Backdoor-Zbot"
    "Trojan-Downloader-Suurch"
    "Trojan-Downloader.Gen"
    "Unknown"
    "Virus-Otwycal"
    "zhongsou - zztoolbar"

Task: Use the eventstats command.
20. Search sourcetype=cisco_wsa* for all events in the last 24 hours.
21. Use the stats command to get a count of all events grouped by usage.
    Results Example:
    usage        count
    Borderline   2962
    Business     5995
    Personal     23505
    …
22. Add the eventstats command to add a sum of the count field to each event in a field called total.
    Results Example:
    usage        count   total
    Borderline   2962    44588
    Business     5995    44588
    Personal     23505   44588
    …

Lab 3 – Calculating and Formatting

Description
This lab reinforces the eval and where commands.

Steps

Task: Use the eval command to convert field values.
1. Search sourcetype=cisco_wsa* for all events in the last 24 hours.
2. Use the stats command to get a sum of bytes grouped by user name as a field called totalBytes.
   hint: use the sc_bytes and cs_username fields.
   Results Example:
   cs_username        totalBytes
   grumpy@demo.com    2272853
   bashful@demo.com   1750840
   doc@demo.com       185035786
   …
3. Add the eval command to set a new field called MB. Divide the totalBytes field by 1048576.
   hint: the format is … | eval <new field> = (<field>/1048576)
   Results Example:
   cs_username   totalBytes   MB
   grumpy        2272853      2.1765342
   bashful       1750840      1.669744
   doc           185035786    176.463877
   …
4. Save the search and name it {student number} Bandwidth Usage by User.

Task: Round field values.
5. Using the search you just created, modify the eval command to round the field value for the MB field to 2 decimal points.
   Results Example:
   cs_username        totalBytes   MB
   -                  0            0
   bashful@demo.com   1750840      1.75
   doc@demo.com       185035786    176.46
   …
6. Save the search and name it {student number} MB Per User.

Task: Compare field values.
7. Search sourcetype=access_combined for action="purchase" productId="*".
8. Use the eventstats command to add the average value of the price field to each event in a field called averagePrice.
9. Add the eval command to set a new field called difference. Subtract the averagePrice from the price to populate the difference field.
10. Create a table of the results that includes the product_name, averagePrice, price, and difference fields.
    Results Example:
    product_name             averagePrice   price   difference
    Sweet Splendor Bouquet   153.771429     49      -104.771429
    Sweet Dreams Bouquet     153.771429     89      -64.771429
    Birthday Bouquet         153.771429     299     145.228571
    …
11. Save the search and name it {student number} Product Price Scale.

Task: Format field values.
12. Modify the report you just created to round the averagePrice and difference fields to 2 decimal points.
    Results Example:
    product_name             averagePrice   price   difference
    Sweet Splendor Bouquet   153.77         49      -104.77
    Sweet Dreams Bouquet     153.77         89      -64.77
    Birthday Bouquet         153.77         299     145.23
    …
13. Modify the report to format the values of the price field to prepend with a dollar sign ($) and append with a decimal and trailing zeroes (.00).
    hint: Add an additional eval command before creating the table, and use the tostring function.
    Results Example:
    product_name             averagePrice   price     difference
    Sweet Splendor Bouquet   153.77         $49.00    -104.77
    Sweet Dreams Bouquet     153.77         $89.00    -64.77
    Birthday Bouquet         153.77         $299.00   145.23
    …

Task: Use conditional statements.
14. Search sourcetype=access_combined for all events in the last 24 hours.
15. Use the eval command to set a new field called reqPerformance. Use the if function to group all events with status="200" into a value called "ok", and all other events into a value called "failed".
    hint: you must include the quotes around "ok" and "failed".
16. Add the stats command to get a count by reqPerformance.
    Results Example:
    reqPerformance   count
    ok               712
    failed           2566

Task: Filter results with the where command.
17. Run the saved search you created, {student number} MB Per User.
18. Add the where command to only display results if the value of the MB field is greater than 1.
    Results Example:
    cs_username        totalBytes   MB
    doc@demo.com       185035786    176.46
    sleepy@demo.com    608961848    580.75
    happy@demo.com     413877926    394.70
    …

Lab 4 – Charting

Description
Use the Advanced Charting view to create charts and timecharts.

Steps

Task: Create a basic column chart.
1. Navigate to the Advanced Charting view. Select Views > Advanced Charting.
2. Create a report for sourcetype=access_combined that displays how many of each product was purchased in the last 24 hours. Search for action="purchase", and use the chart command to display a count of events by product_name.
3. Set the Chart type to column.
   Chart Example:
4. Save the search and name it {student number} Daily Product Sales.

Task: Create a multi-series chart and work with formatting options.
5. Create a report for sourcetype=cisco_wsa* that displays each user's Internet usage types in the last 24 hours. Use the chart command to display a count of events with cs_username as the X-axis, split by usage.
   Chart Example:
6. Change the Stack Mode to Stacked.
7. Under Format, click the x-axis link to display options for the X-axis. Enter a title for the X-axis.
8. Under Format, return to General options.
9. Change the Chart type to bar.
10. Under Legend Placement, select Bottom.
    Chart Example:
11. Save the search and name it {student number} Internet Usage by User.

Task: Create a basic timechart.
12. Create a timechart for sourcetype=cisco_wsa* that displays a count of Internet usage types over time for the last 24 hours.
13. Set the Chart type to line and the Multi-series mode to combined.
    Chart Example:
14. Create a timechart with a line chart type for sourcetype=access_combined action=purchase that displays a sum of the price field by product_name for the last 24 hours.
15. Rename the X-axis to revenue.
16. Toggle the Multi-series mode between split and combined and note the display difference. Remember to click apply when changing the multi-series mode.

Task: Create a report that buckets values.
17. Return to the Search view.
18. Search sourcetype=access_combined for purchase events in the last 24 hours.
19. Use the bucket command to sort the results by the _time field in 1 hour spans.
    hint: bucket <field> <span>
20. Use the stats command to get a sum of the price field and populate a new field called hourlySales. Group the results by the _time field.
    hint: stats sum(<field>) as (<newField>) by <groupingField>
    Results Example:
    _time                      hourlySales
    11/7/10 9:00:00.000 AM     712
    11/7/10 10:00:00.000 AM    12356
    11/7/10 11:00:00.000 AM    22633
    …

Lab 5 – Correlating Events

Description
Reinforce creating, searching, and reporting on transactions.

Steps

Task: Create a transaction using common fields.
1. Return to Search. Select Last 4 hours for the time range.
2. Search for all events in the email data (sourcetype="cisco_esa"). Note the number of events.
3. Add the transaction command to the search, and use the mid, dcid, and icid fields to create the transactions.
4. Add the search command to search within the transactions for REJECT.

Task: Create a transaction using common fields and maxspan, maxpause.
5. Search for all store data in the last 24 hours.
6. Create a transaction based on the clientip field with a max span of 10 minutes and max pause of 2 minutes.
7. Add the stats command to count the clientip by useragent.

Lab 6 – Creating and Using Lookups

Description
Create and use a new lookup that will identify a browser, version, and os based on the useragent field in the store data.

Steps

Task: Add a lookup table file.
1. Save the file browser_lookup.csv to your computer. (Provided by your instructor)
2. Go to Manager >> Lookups >> Lookup table files.
3. Click New to display the Add New page.
4. Verify the Destination app is Search.
5. Click Browse to locate and upload browser_lookup.csv.
6. In the Destination filename field, type browser_lookup.csv.
7. Click Save.

Task: Create a lookup definition.
8. Navigate back to the main Lookups page.
9. Click Lookup definitions.
10. Click New to display the Add New page.
11. Verify the Destination app is Search.
12. In the Name field, type browser_lookup.
13. Verify the Type is File-based.
14. From the Lookup file menu, select browser_lookup.csv.
15. Click Save.

Task: Use the lookup in a report.
16. Return to Search.
17. Search for all events in sourcetype=access_combined for the last 24 hours.
18. Add the lookup command to call browser_lookup and reference the useragent field as the input field. OUTPUT the browser, version, and os fields.
    Note that the new fields are now available in the field picker.
19. Add the top command to display the top browsers.
    Results Example:
    browser     count   percent
    MSIE        970     30.152341
    Safari      882     27.416874
    Googlebot   482     14.389651
    …

Task: Configure the lookup to run automatically.
20. Navigate to Manager >> Lookups >> Automatic lookups.
21. Click New to display the Add New page.
22. Verify the Destination app is Search.
23. In the Name field, type browser_LOOKUP.
24. From the Lookup table menu, select browser_lookup.
25. Verify that sourcetype is selected in the Apply to menu.
26. In the Named field, type access_combined.
27. In the Lookup input fields, type useragent in the left field.
28. In the Lookup output fields, type browser in the left field.
29. Click Add another field.
30. Type version in the left field.
31. Click Add another field.
32. Type os in the left field.
33. Click the Overwrite field values checkbox.
34. Click Save.

Task: Use the automatic lookup.
35. Return to Search.
36. Search sourcetype=access_combined for all events in the last 24 hours.
37. Examine the fields list and notice that the browser, os, and version fields are now automatically extracted.
38. Use the stats command to create a report that displays a count for each browser / os combination.
    Results Example:
    browser     os        count
    Firefox     Windows   505
    Googlebot   N/A       557
    MSIE        Windows   593
    …

Lab 7 – Summary Indexing

Description
Search and create a report from a summary index.

NOTE: For this lab a summary index and summary search have already been created. You will be searching the summary index using a search named purchasedProducts.

Steps

Task: Search a summary index.
1. Search the summary index for the last 7 days using the purchasedProducts search.
   hint: The syntax is index=<indexName> search_name=<searchName>
2. Use the stats command to count by product_name.
3. Change the time frame to last 30 days.

Task: Understand the populating summary search.
The search used to populate the summary index is:
sourcetype="access_*" action="purchase" | sistats count by product_name

4. Would the following search generate a report? Why or why not?
index="summary" search_name="purchasedProducts" | stats count by product_name
| eval total revenue = "$" + price + ".00"

5. Create a summary search that captures:
   • product name and productId
   • total revenue for each product
6. Save the search as {student number} Summary Sales. Set permissions so everyone can Read. Compare searches as a class.

NOTE: The purpose of steps 5 and 6 is to allow you to practice forming useful summary searches. You will not schedule or configure the search to populate a summary index.

Lab 8 – Creating and Using Macros

Description
Create and use macros.

Steps

Task: Create a basic macro.
1. Navigate to Manager >> Advanced search.
2. Select Add new next to the Search macros item.
3. Verify the Destination app is set to Search.
4. Name the macro webusage.
5. In the Definition field, type the following search string:
   sourcetype="cisco_wsa*" | transaction cs_hostname
6. Save the macro.

Task: Use a basic macro.
7. Return to the Search app.
8. Set the time range to Last 24 hours.
9. In the search bar, type `webusage` and hit Enter. Examine the transactions.
10. Add the where command. Filter the results to only return transactions where usage="Business" and duration > 0.
    hint: enclose each argument for the where command in parenthesis, and separate with AND.
    hint: You must use quotes when indicating the field/value usage="Business".
11. Add the table command to create a report that displays duration, usage, and cs_username.
    Results Example:
    duration   usage      cs_username
    3.02       Business   sleepy
    3          Business   happy
    6.21       Business   doc
    …

Task: Create a macro with arguments.
12. Navigate to Manager >> Advanced search >> Search macros >> Add new.
13. Name the macro activityByHost(2).
14. Enter a search string that searches sourcetype=access_combined for variable action and host.
    hint: Format is fieldname=$argument$
15. Add the stats command to get a count by product_name.
16. In the Arguments field, enter the arguments, separated by a comma.
    hint: argument, argument (no $'s)
17. Save the macro.

Task: Use the macro with arguments in a search.
18. Return to the Search app.
19. Use the macro, and pass the arguments action=purchase and host=www2.
    hint: `macroname(value, value)`
20. Run the search again with the following arguments: remove and www1.
    Results Example:
    product_name          count
    Birthday Bouquet      25
    Day Spa Certificate   12
    Tulip Bouquet         18
    …