Splunk

Introduction

  • What is Splunk?
  • About SIEM and Why SIEM
  • Introduction to Splunk
  • Splunk Components
  • Downloading and Installing Splunk
  • Splunk Deployment overview
  • Splunk Event Lifecycle – Input, Parsing, Indexing and Searching
  • Customizing your user settings
  • Learn basic navigation in Splunk

Search Language Fundamentals

  • Run basic searches
  • Use autocomplete to help build a search
  • Set the time range of a search
  • Identify the contents of search results
  • Refine searches
  • Use the timeline
  • Work with events
  • Control a search job
  • Save search results
  • Understand fields
  • Use fields in searches
  • Use the fields sidebar
  • Review basic search commands and general search practices
  • Examine the search pipeline
  • Specify indexes in searches
  • Use autocomplete and syntax highlighting
  • Use SPL search commands to perform searches

Transforming Commands, Reporting and CIM

  • The top command
  • The rare command
  • The stats command
  • Save a search as a report
  • Edit reports
  • Create reports that include visualizations such as charts and tables
  • Create a dashboard
  • Add a report to a dashboard
  • Edit a dashboard
  • What are datasets?
  • What is the Common Information Model (CIM)?

Basics of Lookups, Reports, Alerts and Pivots

  • Describe lookups
  • Create a lookup file and create a lookup definition
  • Configure an automatic lookup
  • Describe scheduled reports
  • Configure scheduled reports
  • Describe alerts
  • Create alerts
  • View fired alerts
  • Describe Pivot
  • Understand the relationship between data models and pivot
  • Select a data model object
  • Create a pivot report
  • Create an instant pivot from a search
  • Add a pivot report to a dashboard
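
As an added example for the lookup topics above (not part of the course outline or Splunk's own documentation), the fragments below define a CSV lookup and attach it to a sourcetype as an automatic lookup, so every search over that sourcetype is enriched without the analyst typing a lookup command. The app name acme_security, the sourcetype linux_secure, the field names, the CSV file and its rows are all assumptions made for illustration.

```ini
# --- $SPLUNK_HOME/etc/apps/acme_security/lookups/asset_owner.csv ---
# Constructed sample contents (a header row is mandatory; the match column
# must be named exactly as referenced below, here "ip"). With CIDR matching a
# row may hold a whole range or a single address:
#   ip,owner,criticality,env
#   10.0.1.0/24,payments-team,high,prod
#   10.0.2.0/24,ci-team,low,dev
#   10.0.3.7,domain-controllers,critical,prod

# --- $SPLUNK_HOME/etc/apps/acme_security/local/transforms.conf ---
[asset_owner]
filename = asset_owner.csv
# Treat the "ip" column as CIDR so one row covers a subnet.
match_type = CIDR(ip)
# Return at most one row per event; avoids multivalue output when ranges overlap.
max_matches = 1
# If nothing matches, fill the output fields with this value instead of leaving
# them empty, so "unknown asset" is itself searchable (src_owner=unassigned).
min_matches = 1
default_match = unassigned

# --- $SPLUNK_HOME/etc/apps/acme_security/local/props.conf ---
[linux_secure]
# Automatic lookup: match the event's src field against the CSV "ip" column and
# add the owner, criticality and env columns under src_-prefixed names.
# OUTPUTNEW leaves a field alone if the event already carries it, so the lookup
# cannot overwrite a value that came with the data.
LOOKUP-asset_owner = asset_owner ip AS src OUTPUTNEW owner AS src_owner criticality AS src_criticality env AS src_env
```

After a restart or a debug/refresh, a search such as index=auth sourcetype=linux_secure src_criticality=critical works with no explicit lookup command. Two practical points: the CSV lives in the app's lookups directory (or is uploaded through Settings > Lookups), and because an automatic lookup runs on every search that touches the sourcetype, keep the file small and its permissions as tight as the data it enriches.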

Advanced Searching and Transforming Commands

  • Search Case sensitivity
  • Using the job inspector to view search performance
  • Explore visualization types
  • Statistical analysis commands
  • Visualization commands
  • Create and format charts and timecharts
  • The iplocation command
  • The geostats command
  • The geom command
  • The addtotals command
  • The eval command
  • Using the search and where commands to filter results
  • The fillnull command

Correlating Events

  • Identify transactions
  • Group events using fields
  • Group events using fields and time
  • Search with transactions
  • Report on transactions
  • Determine when to use transactions vs. stats
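
As an added example tying together the alert topics (Basics of Lookups, Reports, Alerts and Pivots) and the transactions-versus-stats question above (this is not part of the course outline or any Splunk-supplied content), the savedsearches.conf stanza below deploys a scheduled alert as configuration rather than through the UI. It flags a source that fails authentication at least ten times and then succeeds against the same destination within a ten-minute window. The app name acme_security, the index auth, the sourcetype linux_secure and the CIM-style fields action (success|failure), src, dest and user are assumptions for illustration.

```ini
# --- $SPLUNK_HOME/etc/apps/acme_security/local/savedsearches.conf ---
[Auth - Brute force followed by successful login]
# stats rather than transaction: it streams, scales across indexers and keeps
# no per-session state. Trailing backslashes continue the search onto the next line.
search = index=auth sourcetype=linux_secure (action=failure OR action=success) \
| bin _time span=10m \
| stats count(eval(action="failure")) AS failures \
        count(eval(action="success")) AS successes \
        dc(user) AS users_tried \
        values(eval(if(action="success", user, null()))) AS users_logged_in \
        min(_time) AS first_seen max(_time) AS last_seen \
        BY src dest _time \
| where failures >= 10 AND successes >= 1 \
| convert ctime(first_seen) ctime(last_seen) \
| fields - _time

# Run every 5 minutes over the last 15: overlapping windows trade a few
# duplicate hits (handled by suppression below) for no gaps at the boundary.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger when the search returns any row, once per src per hour, and record
# each firing under Activity > Triggered Alerts.
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 1h
alert.severity = 4
alert.track = 1
```

The stats version has one blind spot worth knowing: it counts failures and successes that fall in the same 10-minute bin without checking that the success came after the failures. When the order matters, or the analyst needs the raw events grouped together, transaction src dest maxspan=10m startswith="action=failure" endswith="action=success" gives that ordering, at the cost of holding state in memory on the search head and the maxevents cap (1000 by default) per transaction. Use transaction for investigation, stats for anything that runs on a schedule.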

Knowledge Objects

  • Identify naming conventions
  • Review permissions
  • Manage knowledge objects

Creating and Managing Fields

  • Perform regex field extractions using the Field Extractor (FX)
  • Perform delimiter field extractions using the FX

Creating Field Aliases and Calculated Fields

  • Describe, create, and use field aliases
  • Describe, create and use calculated fields

Creating Tags and Event Types

  • Create and use tags
  • Describe event types and their uses
  • Create an event type

Creating and Using Macros

  • Describe macros
  • Create and use a basic macro
  • Define arguments and variables for a macro
  • Add and use arguments with a macro

Creating and Using Workflow Actions

  • Describe the function of GET, POST, and Search workflow actions
  • Create a GET workflow action
  • Create a POST workflow action
  • Create a Search workflow action

Creating Data Models

  • Describe the relationship between data models and pivot
  • Identify data model attributes
  • Create a data model
  • Use a data model in pivot

Using the Common Information Model (CIM) Add-On

  • Describe the Splunk CIM
  • List the knowledge objects included with the Splunk CIM Add-On
  • Use the CIM Add-On to normalize data

Module 1 - Splunk Developer Overview

  • Splunk overview
  • Identify Splunk components
  • Identify the Splunk system administrator role

Module 2 - License Management

  • Identify license types
  • Describe license violations
  • Add and remove licenses

Module 3 - Splunk Apps

  • Describe Splunk apps and add-ons
  • Install an app on a Splunk instance
  • Manage app accessibility and permissions

Module 4 - Splunk Configuration Files

  • Describe Splunk configuration directory structure
  • Understand configuration layering process
  • Use btool to examine configuration settings


Module 5 - Splunk Indexes

  • Describe index structure
  • List types of index buckets
  • Create new indexes
  • Monitor indexes with Monitoring Console

Module 6 - Splunk Index Management

  • Apply a data retention policy
  • Backup data on indexers
  • Delete data from an index
  • Restore frozen data

Module 7 - Splunk User Management

  • Describe user roles in Splunk
  • Create a custom role
  • Add Splunk users

Module 8 - Splunk Authentication Management

  • Integrate Splunk with LDAP
  • List other user authentication options
  • Describe the steps to enable Multifactor Authentication in Splunk

Module 9 - Getting Data In

  • Describe the basic settings for an input
  • List Splunk forwarder types
  • Configure the forwarder
  • Add an input to a universal forwarder using the CLI

Module 10 - Distributed Search

  • Describe how distributed search works
  • Explain the roles of the search head and search peers
  • Configure a distributed search group
  • List search head scaling options

Module 2 - Getting Data In - Staging

  • List the four phases of the Splunk indexing process
  • List Splunk input options
  • Describe the basic settings for an input


Module 3 - Configuring Forwarders

  • Understand the role of production Indexers and Forwarders
  • Understand the functionality of Universal Forwarders and Heavy Forwarders
  • Identify additional Forwarder options

Module 4 - Forwarder Management

  • Explain the use of Forwarder Management
  • Describe Splunk Deployment Server
  • Manage forwarders using deployment apps
  • Configure deployment clients
  • Configure client groups
  • Monitor forwarder management activities

Module 5 - Monitor Inputs

  • Create file and directory monitor inputs
  • Use optional settings for monitor inputs
  • Deploy a remote monitor input

Module 6 - Network and Scripted Inputs

  • Create network (TCP and UDP) inputs
  • Describe optional settings for network inputs
  • Create a basic scripted input
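
As an added example covering Module 9 (Getting Data In) together with Modules 5 and 6 above (monitor, network and scripted inputs), the inputs.conf below is the file a universal forwarder or heavy forwarder would carry in a deployment app. It is not part of the course outline or of any Splunk-shipped app. The app name acme_inputs, the paths, index and sourcetype names, the script name and the 10.0.0.0/8 address ranges are assumptions for illustration.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/apps/acme_inputs/local/inputs.conf ---

# File monitor. Set index and sourcetype explicitly so nothing lands in main
# with an auto-generated sourcetype that no field extraction or alert expects.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = auth
disabled = 0

# Directory monitor with the optional settings: only *.log, never rotated .gz
# archives, skip files untouched for more than 7 days, and salt the file CRC
# with the path so two files that begin with identical bytes (rotated logs,
# files with a long common header) are not mistaken for the same file.
[monitor:///var/log/nginx]
whitelist = \.log$
blacklist = \.gz$
ignoreOlderThan = 7d
crcSalt = <SOURCE>
sourcetype = nginx:access
index = web

# Scripted input, path relative to the app, run every 300 seconds. It executes
# with splunkd's privileges, so the app's bin directory must be owned by the
# Splunk user and not writable by anyone else.
[script://./bin/list_sudoers.sh]
interval = 300
sourcetype = acme:sudoers
index = auth

# --- Indexer or heavy forwarder: network inputs ---

# Syslog over TCP on an unprivileged port (so splunkd need not run as root).
# acceptFrom restricts senders at the Splunk layer; keep the firewall rule too.
# '!' excludes a subnet. connection_host = ip records the sender's address as
# host instead of trusting whatever hostname the message body claims.
[tcp://1514]
sourcetype = syslog
index = network
connection_host = ip
acceptFrom = 10.0.0.0/8, !10.0.99.0/24

# UDP has no delivery guarantee and the source address is trivially spoofed.
# If it cannot be avoided, keep acceptFrom tight and raise the socket receive
# buffer so bursts are not silently dropped.
[udp://1514]
sourcetype = syslog
index = network
connection_host = ip
acceptFrom = 10.0.0.0/8
_rcvbuf = 16777216
```

On a universal forwarder the same stanzas can be created from the command line (splunk add monitor /var/log/secure -index auth -sourcetype linux_secure), which writes them into etc/apps/search/local/inputs.conf; putting them in a deployment app instead keeps them under version control and lets the deployment server push one file to every client in a group.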

Module 7 - Agentless Inputs

  • Identify Windows input types and uses
  • Understand additional options to get data into Splunk
  • HTTP Event Collector
  • Splunk App for Stream

Module 8 - Fine Tuning Inputs

  • Understand the default processing that occurs during input phase
  • Configure input phase options, such as sourcetype fine-tuning and character set encoding

Module 9 - Parsing Phase and Data Preview

  • Understand the default processing that occurs during parsing
  • Optimize and configure event line breaking
  • Explain how timestamps and time zones are extracted or assigned to events
  • Use Data Preview to validate event creation during the parsing phase


Module 10 - Manipulating Raw Data

  • Explain how data transformations are defined and invoked
  • Use transformations with props.conf and transforms.conf to:
      • Mask or delete raw data as it is being indexed
      • Override sourcetype or host based upon event values
      • Route events to specific indexes based on event content
      • Prevent unwanted events from being indexed
  • Use SEDCMD to modify raw data
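
As an added example for Module 10 (and for the line-breaking and timestamp settings of Module 9 above), the props.conf and transforms.conf fragments below apply every transformation the outline lists to one JSON sourcetype: mask card numbers with SEDCMD, drop debug noise to nullQueue, set host and sourcetype from event content, and route card-present events to a separate index. None of this is from the course or from a Splunk-shipped add-on; the sourcetype acme:payment:app, the JSON field names, the sample event and the index name pci are assumptions for illustration.

```ini
# Constructed sample event (one JSON object per line):
#   {"ts":"2024-05-01T10:00:00Z","host":"pos-17","level":"INFO","event_type":"sale",
#    "card_present":true,"pan":"4111111111111111","msg":"auth ok"}

# --- $SPLUNK_HOME/etc/apps/acme_payment/local/props.conf ---
[acme:payment:app]
# Parsing phase: one event per line, timestamp taken from the "ts" field.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "ts":"
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 25
TZ = UTC

# Masking: keep the first 6 and last 4 digits of any 16-digit run and replace
# the middle with X. Note this hits every 16-digit number, not only PANs.
SEDCMD-mask_pan = s/\b(\d{6})\d{6}(\d{4})\b/\1XXXXXX\2/g

# Index-time transforms, applied in the order listed within this one key:
# drop first (a dropped event needs no further work), then host, sourcetype, index.
TRANSFORMS-routing = acme_drop_debug, acme_set_host, acme_audit_sourcetype, acme_route_pci

# --- $SPLUNK_HOME/etc/apps/acme_payment/local/transforms.conf ---
# Prevent unwanted events from being indexed. Events sent to nullQueue are
# discarded before indexing and do not count against the license.
[acme_drop_debug]
REGEX = "level":"DEBUG"
DEST_KEY = queue
FORMAT = nullQueue

# Override host from the event body (the forwarder would otherwise stamp its own name).
[acme_set_host]
REGEX = "host":"([^"]+)"
DEST_KEY = MetaData:Host
FORMAT = host::$1

# Override sourcetype for audit records so they get their own search-time extractions.
[acme_audit_sourcetype]
REGEX = "event_type":"audit"
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::acme:payment:audit

# Route card-present events to a restricted index; the index must exist on the
# indexers, otherwise the events are dropped unless lastChanceIndex is set.
[acme_route_pci]
REGEX = "card_present":true
DEST_KEY = _MetaData:Index
FORMAT = pci
```

Three caveats a practitioner should keep in mind. These settings run in the parsing and typing pipeline of the first full Splunk instance the data reaches, that is an indexer or heavy forwarder, not a universal forwarder, so they belong on that tier. Masking happens before the event is written to disk: the original value is gone from Splunk, so if the unmasked record may be needed for an investigation it has to be retained at the source. Finally, to keep only a small subset of a noisy feed, reverse the pattern: a first transform with REGEX = . sends everything to nullQueue and a second, more specific one sets FORMAT = indexQueue for the events to keep. Validate all of it with Data Preview on a sample file before pointing production inputs at it.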

Module 11 - Supporting Knowledge Objects

  • Create field extractions
  • Configure collections for KV Store
  • Manage Knowledge Object permissions
  • Control automatic field extraction

Module 12 - Creating a Diag

  • Describe a Splunk diag
  • Create and use a Splunk diag