18.3 Splunk Reports and Alerts Flashcards
What are the three primary methods for accessing data in Splunk?
- Monitoring logs from a system, device, or application that it has direct access to.
- Forwarding logs from devices into Splunk.
- Uploading logs directly into your Splunk repository.
What is Splunk’s primary feature?
Searching
Splunk uses ______ search.
Splunk uses time-based search
Splunk has the ability to display search results in an easy-to-read format using the ______ feature.
Splunk has the ability to display search results in an easy-to-read format using the **Statistics** feature.
- Splunk uses the Statistics feature to display specific data points from your search results in a simple spreadsheet.
- The `stats` command is the most basic Splunk command to create a statistical report, though there are other commands and methods we can use to create statistical reports.
The _____ command creates additional fields to be added to a statistical report.
The `eval` command creates additional fields to be added to a statistical report.
Explain the following SPL query:
`source="statsreport.csv" | eval BruteForce = if('EventCode'="4740","Potential Brute Force", "Not Brute Force")`
- `source="statsreport.csv"`: Searches through all the results from the statsreport.csv file.
- `eval BruteForce`: Creates a new field called BruteForce.
- `if('EventCode'="4740",`: States the expression: if the EventCode field has a value of 4740.
- `"Potential Brute Force",`: Continues the statement with: if true, name this value Potential Brute Force. This is the value to display if the expression for the event is true.
- `"Not Brute Force"`: Continues the statement with: if false, name this value Not Brute Force.
The _____ and _____ commands can display data in an easy-to-consume format, similar to a spreadsheet.
The `stats` and `top` commands can display data in an easy-to-consume format, similar to a spreadsheet.