General Flashcards
3 Roles in Splunk Enterprise
Admin, Power, and User
Admin role responsibilities
- Install Apps
- Ingest Data
- Create Knowledge Objects for users of an app
Power role responsibilities
- Create Knowledge Objects for users of an app
- Create real time searches
User role responsibilities
- Only able to see their own knowledge objects
Source_Type
Classification of data
Data comes into the indexer and is classified
Default search job time limit
10 minutes
Shared search job active time
7 days
3 types of search modes
Fast, smart, verbose
Search mode differences
Fast - Field discovery OFF for event searches. NO Event or field data
Smart - Field discovery ON for event searches. NO Event or field data
Verbose - All event and field data
Wildcard
Adding a * to the end of a word, like: failed*
Boolean operations order
- NOT
- OR
- AND
() can be used to override this order
Splunk Search language components
- Search Terms - foundation of search queries
- Commands - tell Splunk what we want to do with results, like charts or formatting
- Functions - explain how we want to chart, compute and evaluate results
- Arguments - variables we want to apply to the function
- Clauses - explain how we want results grouped or defined
Splunk search language example
index=network sourcetype=cisco_wsa_squid usage=Violation | stats count(usage) as Visits
Search Terms = everything before the |
| = tells Splunk to pass the results of the search terms to the next component
Command = stats
Function = count
Argument = (usage)
Clause = as
Visits = stores the result in a field named Visits
Most efficient way to filter results
time
then index, source, host, and sourcetype
Knowledge objects categories
Data Interpretation - fields, field extractions, calculated fields
Data Classification - Event types, transactions
Data Normalization - Tags, field aliases
Data Models - Hierarchically structured datasets
Data Enrichment - Lookups, workflow actions