Posts

Splunk Series: Basic Search
2 min read

Basic search

The search assistant provides a nice way to begin looking up something in particular. At this stage, you can specify a few different search criteria, such as a particular term, or search directly in a specific index. The search assistant lets you be flexible and presents you with different options. Before the first pipe (|), it will look for any matching term. After the pipe (|) you can start using a list of commands to help you search the data; once you hover your mouse over a command, the assistant will show you high-level information on how to use it.

Splunk Series: Components
2 min read

Splunk - Indexer

This is the engine that is in charge of processing machine data and stores the results in indexes as events. This is what enables fast searches and analysis. As data is indexed, Splunk creates files organized in sets of directories by age.

Splunk - Search Head

Splunk has its own search language, which we will be documenting in this series as it progresses. The search head allows users to search the indexed data. It distributes user search requests to the indexers and helps consolidate the results based on field/value pairs. There is a multitude of different commands and functions that can be used to extract data or put it in a format that can be understood easily.

Splunk Series: Feeding Data to Splunk
2 min read

Splunk Index Time Process

Data ingestion for Splunk is broken down into 3 different phases:

Input Phase - Data is handled at the source, usually by a forwarder
Parsing Phase - Handled by the indexer or heavy forwarders; the data is broken into events
Indexing Phase - The license meter runs as data is being written to disk, which happens before the compression of the data. After this process runs, the data cannot be changed

Splunk Series: Field searches
2 min read

Fields are searchable key/value pairs in your event data. Fields can be searched by their name, for example:

area_code=404
action=purchase
status=200

When you look for multiple items in the editor, an AND is implied unless a Boolean operator (AND, OR, NOT) is specified in the search, as follows:

action=purchase AND status=200

Field Discovery

Splunk automatically discovers many fields based on the sourcetype and the key/value pairs in the data. Prior to the search, as explained before, some fields are stored with the event in the index.

Splunk Series: Overview of Splunk
2 min read

What is Splunk

Splunk is many things to different groups in an organization, but mostly it is an engine that lets you visualize data in a way that can be understood by the business. A few of the things that Splunk can help with:

Application Management
Operations Management
Security and Compliance

Splunk allows you to aggregate, analyze and get answers from your machine data.

What Data can Splunk work with?

There are multiple sources of data that can be fed into any Splunk installation; a few examples are:

Splunk Series: Saving Search Jobs
1 min read

Every search is also a job, which can be paused, stopped, saved and exported. Here are some interesting things you need to know about search jobs:

Jobs are available for 10 minutes (by default)
Jobs can have the following permissions as part of the configuration when they are saved:
Private - Only the creator can access them
Everyone - All app users can see the report
Lifetime - The default is 10 minutes. It can be extended to live for 7 days; in order to keep your searches for longer, you have to schedule a report

Splunk Series: Search Language Syntax
2 min read

How is the syntax used in the Search editor

The best way to explain the syntax of a search is by using the following diagram.

The components of the search:

Search Terms –> What you are looking for
Commands –> What you want to do with the results: chart, statistics, format and so on
Functions –> How you want to chart, compute or evaluate your result, for example, get a sum, get an average or transform the values, among many other functions

Splunk Series: Splunk Deployments
2 min read

Additional Splunk Components

There are additional components for a Splunk deployment; here is a list:

Deployment Server
Cluster Master
License Master

Standalone Deployment

This deployment is on only 1 server, and all functions needed for this deployment reside on the same server:

Searching
Indexing
Parsing
Input

It is recommended to have 1 test or dev setup at your site.

A basic Splunk deployment

This setup includes the Splunk server, which will be handling the same functions as a standalone deployment; however, in this case, all the input is ingested from the forwarders.

Palo Alto Networks - PCNSE Certification - Part 2 - Building a Lab (Where to get Started)
3 min read

As with any certification that I attempt, I go into it with a mindset of learning by reading, watching videos and doing, with doing being the strongest one on my list of things to do. I want to make sure I can do all the things I have seen listed in the PCNSE Study Guide, with the exception of the High Availability piece, which I will have a bit of a hard time using since I only have access to 1 VM.

Palo Alto Networks - PCNSE Certification - Part 1 - Breaking down the Exam Objectives
4 min read

As the new year hits, I have new resolutions, and these entail getting my feet wet with Palo Alto Networks. Due to my job and many other factors, I'm open to learning and getting certified on the PCNSE, which stands for Palo Alto Networks Certified Network Security Engineer.

The Certification Requirements

This exam contains 75 questions over 80 minutes. The intended audience is engineers that currently work with next-generation firewalls and would like to take their knowledge to the next level. They recommend having 3 to 5 years of experience