Navigating Splunk: A Deep Dive into User Interface and Features — Part 2
This blog introduces Splunk, explaining what it is and how it works. It covers the key components of Splunk, guides you through adding data, and provides a walkthrough of its navigation. Whether you’re a beginner or exploring Splunk’s basics, this guide will help you understand its core functionalities step-by-step.
1] What is Splunk?
Splunk is one of the leading SIEM solutions in the market that provides the ability to collect, analyze and correlate the network and machine logs in real-time. Key features include;
1.Data Collection: Ingests data from diverse sources like servers, networks, and applications.
2. Search & Analysis: Offers a powerful query language for uncovering patterns and anomalies.
3. Visualization: Provides dynamic dashboards for real-time monitoring.
4. Alerts: Automates responses based on predefined conditions.
Installation Tutorial:
2] Splunk Components:
1. Splunk Forwarder:
Splunk Forwarder is a lightweight agent installed on the endpoint intended to be monitored, and its main task is to collect the data and send it to the Splunk instance. It does not affect the endpoint’s performance as it takes very few resources to process.
Some of the key data sources are:
- Web server generating web traffic.
- Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.
- Linux host generating host-centric logs.
- Database generating DB connection requests, responses, and errors.
Splunk Forwarders:
Splunk has two primary types of forwarders that can be used in different use cases. They are explained below:
1.1. Heavy Forwarders:
Heavy forwarders are used when we need to apply a filter, analyze or make changes to the logs at the source before forwarding it to the destination.
1.2. Universal Forwarders:
It is a lightweight agent that gets installed on the target host. Its main purpose is to collect logs and send them to the Splunk instance or another forwarder without applying filters or indexing.
2. Splunk Indexer:
Splunk Indexer plays the main role in processing the data it receives from forwarders. It takes the data, normalizes it into field-value pairs, determines the data type of the data, and stores them as events. Processed data is easy to search and analyze.
3. Search Head:
Splunk Search Head is the place within the Search & Reporting App where users can search the indexed logs as shown below. When the user searches for a term or uses a Search language known as Splunk Search Processing Language, the request is sent to the indexer and the relevant events are returned in the form of field-value pairs.
3] Navigating Splunk:
Navigating Splunk is straightforward once you understand its interface. This section will guide you through the key elements, including the search bar, dashboards, and settings, to help you efficiently explore and analyze your data.
1. Apps Dropdown:
Shows all installed apps (e.g., Search & Reporting, Enterprise Security).
Allows switching between apps.
Option to browse for new apps.
2. Health:
This health report displays information from the /health/splunkd/details endpoint.
3. Administrator:
This gives access to account settings, preferences like change time-zones, themes, and more.
4. Messages and Alerts:
Notifications about system updates, errors, or alerts.
5. Settings and User Menu:
Access to account settings, monitoring console, roles, preferences, and system settings.
6. Activity:
This gives access to the jobs manager, triggered alerts section.
7. Help And Find:
Miscellaneous information such as tutorials (Help), and a search feature (Find).
8. Apps:
Manage, find and install apps you need for more efficiency use of your data.
9. Dashboard:
By default, no dashboards are displayed. You can choose from a range of dashboards readily available within your Splunk instance.
4] Adding Data:
The first step in using Splunk effectively is adding your data. In this section, we’ll guide you through importing data from different sources, setting up inputs, and ensuring it’s properly indexed for easy search and analysis.
In Splunk, you can add data from a variety of sources, such as log files, network devices, and cloud services. This section provides an overview of the different types of data sources you can use, helping you understand from where you can bring data into Splunk for further analysis.
4.1. Onboarding Popular Data Sources
Splunk provides specific guides for integrating data from common categories. Each category has examples of typical data sources:
1.1 Cloud Computing
Purpose: Integrate logs and metrics from cloud platforms.
Example Data Sources:
- AWS (CloudTrail, CloudWatch, S3 logs)
- Azure (Activity Logs, Monitor)
- Google Cloud (Stackdriver)
Integration Benefits: Analyze infrastructure usage, billing, and security in the cloud.
1.2 Networking
Purpose: Collect data from networking devices.
Example Data Sources:
- Routers (Cisco, Juniper logs)
- Switches (Syslog, NetFlow)
Integration Benefits: Monitor network traffic, troubleshoot issues, and detect anomalies.
1.3 Operating System
Purpose: Collect logs from server and desktop OS.
Example Data Sources:
- Windows Event Logs
- Linux Syslog
Integration Benefits: Track system health, login events, and performance metrics.
1.4 Security
Purpose: Collect data for monitoring and incident response.
Example Data Sources:
- Firewalls
- Intrusion Detection Systems (e.g., Snort)
- Vulnerability scanners
Integration Benefits: Detect threats, investigate breaches, and generate alerts.
4.2. Onboarding Methods
Splunk provides several ways to get data into the platform. These methods depend on the data’s location and format:
2.1 Upload
Use Case: Manually adding static data files.
Supported File Types:
- Log files (e.g., .log)
- Structured files (e.g., .csv, .json, .xml)
Purpose: Quick adding of data and useful in scenarios where the data source is static or you are working in a controlled environment.
2.2 Monitor
Use Case: Continuously collect data from dynamic sources.
Supported Sources:
- Files and directories on the Splunk instance.
- Open network ports (e.g., TCP, UDP).
Purpose: Ideal for real-time data collection from active systems.
2.3 Forward
Use Case: Transfer data from multiple systems to Splunk.
Method: Use the Splunk Universal Forwarder to:
- Collect files.
- Monitor network traffic.
- Execute scripts for custom logs.
Purpose: Efficient for large-scale, distributed environments.
For more information about data types by category checkout:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Listofpretrainedsourcetypes
Summary:
Splunk is a powerful tool that transforms raw data into meaningful insights. Understanding its components, adding data, and navigating the platform are key steps to leveraging its full potential. Whether you’re managing IT operations, enhancing security, or analyzing data for business decisions, Splunk provides the tools you need to work smarter and more efficiently
Hey! If you enjoyed this blog, hop over to my other blogs too! There’s a whole world of interesting content waiting for you to explore. Let’s dive in and soak up knowledge together!