Splunk Search

Splunk Search String

Deniserity
Engager

Hi! I'm new to Splunk, I'm just learning it now because I need to understand the Splunk search string given to me by the client (I'm an auditor).

So I have a few questions with this splunk search string, I hope you could maybe help me 🙂

1. What does "index=*" mean in: index=* sourcetype=WinEventLog:Application OR source=WinEventLog:Application SourceName="Application Name"? Also, I understand that the sourcetype is how Splunk will read the data (is that right?). I was also wondering why there is no "OR" before the SourceName?
2. Also if I fetch data from the event logging of the application, do I get the "Message" of that application?
3. How do I know which host the data is from?

I did my research but I can't fully grasp the concept just yet.
Thank you!

0 Karma
1 Solution

danielansell
Path Finder

1. Indexes can be viewed as a named repository for data. There are multiple reasons you would want to store certain data in one index and other data in another. These include

  • Access controls - assign permissions to certain indexes to certain users
  • Performance - data that you routinely search against and want fast results from can be stored separately from noisy data that you do not regularly search. Also you can specify how much (or how old) data is stored in faster storage before it transitions to slower storage.
  • Retention - data in one index can "expire" before other data that needs to be stored long term

index=* simply means search all indexes that the user has access to (if your account is limited, you will only see the indexes which you have been given permission to see)

sourcetypes are used in Splunk to identify the type of data and how fields within that data should be extracted - there's more to it than that, but that's the gist of it. 

When there is no 'OR' an 'AND' is implied. 

2. The short answer is yes, the message is included. Splunk generally splits Windows events into two parts where the Message field begins. Splunk does this based on sourcetype and it allows Splunk to properly extract field value pairs (e.g. AccountName=john.smith). 

3. There are several fields in the data that should identify the host. The first and fastest method is simply the host field. This is valid when the environment uses the Universal Forwarder to retrieve data from the hosts. It is possible to manually load evtx files into Splunk and specify another system as the host. 

If the host field doesn't match up with what you expect, you can probably refer to the Computer field.  

 

Hope that helps. 


0 Karma
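To make the answer above concrete, here is an added example (not from the original thread or from Splunk) that evaluates the client's search string against a few constructed Windows Application log events. It encodes the implied AND the answer mentions, and goes one step further: Splunk's documented evaluation order is parentheses, NOT, OR, then AND, so the string is read as `index=* AND (sourcetype=... OR source=...) AND SourceName="Application Name"`. Field values, hostnames and the `Message` text are constructed; field-value matching is case-insensitive and `*` is a wildcard, as in Splunk's `search` command.

```python
"""Evaluate the client's Splunk search string against constructed sample events."""
import fnmatch
import re

SEARCH = ('index=* sourcetype=WinEventLog:Application OR '
          'source=WinEventLog:Application SourceName="Application Name"')

# Constructed events: the fields an indexed Windows Application log event carries
# (index, sourcetype, source, host, ComputerName, SourceName, Message are all made up).
EVENTS = [
    {"index": "wineventlog", "sourcetype": "WinEventLog:Application", "source": "WinEventLog:Application",
     "host": "app-server-01", "ComputerName": "app-server-01", "SourceName": "Application Name",
     "Message": "Service started."},
    # sourcetype differs but source still matches: satisfied through the OR branch
    {"index": "main", "sourcetype": "XmlWinEventLog:Application", "source": "WinEventLog:Application",
     "host": "app-server-02", "ComputerName": "app-server-02", "SourceName": "Application Name",
     "Message": "Configuration reloaded."},
    # right sourcetype, wrong SourceName: the implied AND excludes it
    {"index": "wineventlog", "sourcetype": "WinEventLog:Application", "source": "WinEventLog:Application",
     "host": "app-server-03", "ComputerName": "app-server-03", "SourceName": "Other Product",
     "Message": "Unrelated event."},
    # evtx file loaded manually: host is the import box, ComputerName is the real origin (answer, item 3)
    {"index": "wineventlog", "sourcetype": "WinEventLog:Application", "source": "WinEventLog:Application",
     "host": "splunk-import-box", "ComputerName": "legacy-server-07", "SourceName": "Application Name",
     "Message": "Archived event."},
]

# Either a field=value term (value optionally double-quoted) or a bare OR keyword
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)|\b(OR)\b', re.I)


def parse(search):
    """Split the search into AND-groups; each group is a list of (field, pattern) joined by OR.
    Splunk evaluates OR before the implied AND, so 'a b OR c d' means a AND (b OR c) AND d."""
    groups, pending_or = [], False
    for m in TOKEN.finditer(search):
        if m.group(3):                      # explicit OR joins this term with the next one
            pending_or = True
            continue
        term = (m.group(1), m.group(2).strip('"'))
        if pending_or and groups:
            groups[-1].append(term)
            pending_or = False
        else:
            groups.append([term])
    return groups


def term_matches(event, field, pattern):
    """Field names are exact; values compare case-insensitively with * as a wildcard."""
    value = event.get(field)
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches(event, search):
    return all(any(term_matches(event, f, p) for f, p in group) for group in parse(search))


def run(search, events):
    """Return (host, ComputerName) for every event the search string selects."""
    return [(e["host"], e["ComputerName"]) for e in events if matches(e, search)]
```

The last returned pair shows why the answer suggests checking `Computer`/`ComputerName` when `host` looks wrong: the event matched, but `host` names the machine that imported the file, not the one that produced the event.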


Deniserity
Engager

Thank you! This is really helpful 🙂

0 Karma