Splunk Installation and Working - v1.1

Uploaded by womonoc807

Splunk Installation and Working

1. Project Statement

This project focuses on the installation and initial configuration of Splunk Enterprise on a
Windows Server 2022 environment. Participants will follow a structured process to download,
install, and set up Splunk, then upload a sample dataset for analysis. The objective is to provide
hands-on experience with data ingestion and querying within Splunk, allowing users to gain
insights into Splunk’s data indexing and search capabilities.

Scenario-Based Questions:

1. After installing Splunk Enterprise, you encounter an issue where the uploaded dataset doesn’t
appear in the search results. What steps would you take to troubleshoot and identify the problem?

2. Imagine you’re tasked with analyzing a CSV file containing application logs. Describe how
you would configure Splunk to ingest this file and prepare it for efficient querying.

3. A security alert has been triggered, and you need to quickly search the logs for events that
occurred on August 27. How would you construct your Splunk query to locate relevant data
efficiently?

4. Suppose the dataset you’re working with is over 500 MB, which exceeds the upload limit in
Splunk. What are alternative methods you could use to analyze large datasets within Splunk?

5. During the initial setup, you created a custom username and password. If you forget your
credentials, what steps can you take to recover access to your Splunk instance?

2. Lab Requirements:

Windows Server 2022 and Splunk Enterprise software

3. Steps for installing Splunk:

Procedure:

● Go to https://www.splunk.com/ and click on Free Splunk.

● Fill in the form and click on Create Account.


● Go to https://www.splunk.com/en_us/download.html
● Click on Get My Free Trial under Splunk Enterprise

● Agree to the terms and conditions and click access program.

● Double-click the installer setup.


● Click the checkbox to accept the agreement and click Next.
● Create a username and password of your choice. The password must be at least 8
characters long.
● Click Install
● After Completion of the setup the following link will open in the browser:
http://127.0.0.1:8000/en-US/account/login?return_to=%2Fen-US%2F
● Sign in with the username and password set during the installation
● In order to analyze data we have to add data sources first. Click on Add Data

● First download the Splunk dataset, then click on Upload. Dataset download link: GitHub -
splunk/botsv1.

● From the above link choose any CSV datafile.

● This document uses the “WinEventLog:Application” CSV file.

● Visit the link:
“https://s3.amazonaws.com/botsdataset/botsv1/csv-by-sourcetype/botsv1.WinEventLog%3AApplication.csv.gz”

● This link is listed in the botsv1 GitHub repository.


● Click on Select File. Note that the maximum file size that can be uploaded is 500 MB.
● After the file has uploaded successfully, click on NEXT.

● Click on NEXT again and then Submit.


● The file is now successfully uploaded. Click on Start Searching.
Query:
```
source="botsv1.WinEventLog_Application.csv" host="predatorPC" sourcetype="csv" date_second=27 date_month=august
```
Change the hostname to your PC name.

Query 2:
```
source="botsv1.WinEventLog_Application.csv" host="predatorPC" sourcetype="csv" date_second=27 date_month=august date_year=2020 date_mday=23
```
● To explore further, click on Datasets, select a dataset of your choice and start
querying.

1. Troubleshooting Missing Dataset in Search Results:


If the uploaded dataset doesn’t appear in Splunk search results, first verify
that the data source was successfully added. Check the indexing status
under "Settings > Indexes" to ensure the data was properly indexed. Confirm
the correct sourcetype and hostname settings in the query. If issues persist,
inspect the data upload logs for errors or permissions issues. You may also
restart the Splunk instance to refresh the index. Lastly, verify that your
search query matches the data fields precisely (e.g., correct source, host, or
date format) to retrieve accurate results.

2. Configuring Splunk to Ingest a CSV File:


To ingest a CSV file in Splunk, start by clicking on "Add Data" from the
Splunk home screen. Select "Upload" and choose the CSV file. Specify the
sourcetype as "csv" to ensure Splunk recognizes the data structure. Assign a
unique source and host for easier identification during searches. After
upload, review the data preview to ensure fields are parsed correctly, then
complete the ingestion. You can now query the file using the assigned source
and host attributes, making it ready for analysis and efficient querying in
Splunk.

3. Querying Logs for Events on a Specific Date:


To locate events that occurred on a specific date in Splunk, such as August
27, construct a query with filters for date and time. For example:
```
source="your_source.csv" host="your_hostname" date_month="august"
date_mday=27
```
Add additional filters for year or specific time if needed. Splunk's search
language allows for flexible date formatting, so you can refine the results
further. This query approach enables you to pinpoint data efficiently,
especially when dealing with large datasets or time-sensitive investigations.
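The queries in section 3 and the one above filter on Splunk's automatically extracted date_* fields (date_month, date_mday, date_second, ...), which Splunk derives from each event's _time. The following added example (not code from the page or from Splunk) rebuilds those fields for a few constructed events and applies the page's search terms to them, so the difference between date_mday=27 (day of the month) and date_second=27 (seconds within the minute) is visible on sample data.

```python
"""Emulate Splunk's date_* fields and apply the page's query terms to them.

Splunk derives date_year, date_month, date_mday, date_hour, date_minute and
date_second from each event's _time. Added example; EVENTS below are
constructed sample events, not botsv1 data.
"""
from datetime import datetime

# Constructed sample events: (_time as ISO 8601 string, message)
EVENTS = [
    ("2020-08-27T09:15:27", "Application Error: faulting module"),
    ("2020-08-27T18:03:01", "Service started"),
    ("2020-08-23T10:42:27", "Application hang"),
    ("2020-09-27T12:00:00", "Installer completed"),
]


def splunk_date_fields(ts: str) -> dict:
    """Return the Splunk-style date_* fields for one timestamp."""
    t = datetime.fromisoformat(ts)
    return {
        "date_year": t.year,
        "date_month": t.strftime("%B").lower(),  # Splunk uses lowercase month names
        "date_mday": t.day,
        "date_hour": t.hour,
        "date_minute": t.minute,
        "date_second": t.second,
    }


def search(events, **terms):
    """Return messages whose date_* fields match every key=value term.

    Terms are ANDed together, as adjacent key=value terms are in a Splunk search.
    """
    hits = []
    for ts, msg in events:
        fields = splunk_date_fields(ts)
        if all(fields.get(key) == value for key, value in terms.items()):
            hits.append(msg)
    return hits


if __name__ == "__main__":
    # Day 27 of August vs. second 27 of any minute in August: different result sets.
    print(search(EVENTS, date_month="august", date_mday=27))
    print(search(EVENTS, date_month="august", date_second=27))
```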

4. Handling Datasets Over the 500 MB Limit:


For datasets exceeding 500 MB, consider alternative methods to analyze
data in Splunk. One option is to split the file into smaller parts, each under
500 MB, and upload them sequentially. Alternatively, set up a data forwarder
on the source machine to stream the data directly into Splunk, bypassing the
upload limit. You could also configure a network share or database
connection if the dataset is hosted elsewhere, allowing Splunk to access it
without manual uploads.
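The first option above, splitting a file into parts under 500 MB, only works if every part is itself a valid CSV: the header row must be repeated in each part and no row may be cut in half, otherwise the later parts would be ingested with wrong or missing field names. The following added example (not code from the page) implements such a splitter; the sample CSV and the small size limit are constructed so that it runs offline, and the 500 MB figure from the page would simply be passed as max_bytes on a real file.

```python
"""Split a CSV into upload-sized parts that each carry the header row.

Added example. SAMPLE is a constructed CSV in the shape of the page's
WinEventLog:Application data; max_bytes would be 500 * 1024 * 1024 for the
Splunk upload limit described on the page.
"""
import csv
import io

# Constructed sample: 21-byte header followed by four 36-byte rows.
SAMPLE = (
    "_time,host,EventCode\n"
    "2020-08-27T09:15:27,predatorPC,1000\n"
    "2020-08-27T09:16:02,predatorPC,1001\n"
    "2020-08-27T09:17:45,predatorPC,1002\n"
    "2020-08-27T09:18:10,predatorPC,1003\n"
)


def _encode(row) -> str:
    """Serialise one row with the csv module so quoting stays valid."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(row)
    return buf.getvalue()


def split_csv(text: str, max_bytes: int) -> list:
    """Return CSV parts no larger than max_bytes (UTF-8), header included in each.

    Rows are never split; a header or single row larger than the limit is an
    error rather than silently producing an oversized or malformed part.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return []
    header_line = _encode(rows[0])
    header_size = len(header_line.encode("utf-8"))
    if header_size > max_bytes:
        raise ValueError("header alone exceeds max_bytes")
    parts, current, size = [], [header_line], header_size
    for row in rows[1:]:
        line = _encode(row)
        n = len(line.encode("utf-8"))
        if size + n > max_bytes:
            if len(current) == 1:  # only the header so far: this row can never fit
                raise ValueError("a single row exceeds max_bytes")
            parts.append("".join(current))
            current, size = [header_line], header_size
        current.append(line)
        size += n
    if len(current) > 1:
        parts.append("".join(current))
    return parts
```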

5. Recovering Access if You Forget Splunk Credentials:


If you forget your Splunk credentials, locate the `passwd` file in the Splunk
`etc` directory (typically `etc/system/local/passwd`). Rename or delete the
file, then restart Splunk. This action resets the password, allowing you to log
in with default credentials (admin:changeme). After logging in, immediately
set a new, secure password. Alternatively, if LDAP or SSO integration is
configured, use those credentials or contact your system administrator for
assistance with account recovery without directly resetting files.
