# Splunk

## Splunk Bar

* Messages
* Settings
* Activity
* Help
* Find

## Architectural Components

* __Forwarder__: the agent installed on the data source; it collects events and ships them to an indexer (a universal forwarder sends raw data, a heavy forwarder can parse and filter before sending)
* __Indexer__: receives data from forwarders, parses it into events (line breaking, timestamp extraction, index-time field extraction) and writes it to indexes
* __Search Head__: runs searches against the indexers and hosts the Search & Reporting app, dashboards and alerts

## Search & Reporting

The bread and butter of Splunk. Events are found and searched here.

* Tip: to land in the Search app automatically on login, set `default_namespace = search` in the `[general_default]` stanza of `user-prefs.conf`. Put the override in the app's `local/` directory, not `default/`, which is replaced on upgrade (a single user can also change this under `Settings > Users > Default app`):

```sh
C:\Program Files\Splunk\etc\apps\user-prefs\local\user-prefs.conf
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
```

* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)
* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)
* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)
* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)
* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)
* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)
* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)
* Tabs below the search bar
  * Events
  * Patterns
  * Statistics
  * Visualization

## Adding Data

Log sources of many kinds (files and directories, network ports, scripted inputs, add-ons) can be onboarded; every record Splunk ingests becomes an event.
* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)
* `Settings > Data > Data Inputs` lists the available input types and the inputs already configured
* Onboard a new source from there via `Add Data`

## Queries

* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)

List every sourcetype in an index with its first/last event time, the time it was most recently indexed and its event count. `metadata` reads bucket metadata rather than events, so it is fast even on large indexes and is a good first look at an unfamiliar dataset (`lastTime` is the newest event timestamp, `recentTime` the newest index time; a large gap between them points at late-arriving or backfilled data):

```sh
| metadata type=sourcetypes index=botsv2
| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S")
| sort - totalCount
```

* Examples
  * Filter the HTTP sites visited by a given IP. A bare term such as `10.0.2.101` matches the address anywhere in the raw event (source, destination or a proxied header); scope it to a field like `src_ip=10.0.2.101` when that field is extracted for the sourcetype:

```sh
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP"
| dedup site
| table site
```

## Sigma

* [Sigma Repo](https://github.com/Neo23x0/sigma) (the rule repository is now maintained under the SigmaHQ organisation; the old URL redirects)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
* [Conversion](https://uncoder.io/) of Sigma rules to Splunk SPL
  * E.g.: `sigma: APT29` as input

## Dashboard

Create visualizations and group them on a dashboard. Example search (`source=""` is a placeholder; fill in the data source):

```sh
source="" | top limit=5 EventID
```

* Visualization tab > choose a chart > "Save As" (top right) > Dashboard Panel > enter the dashboard name

## Alerting

An alert is a saved search that runs on a schedule (or in real time) and triggers actions (email, webhook, script, adding to Triggered Alerts) when its trigger condition is met.

* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)
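Added example, not from the original notes or from Splunk's documentation: a scheduled alert written as the `savedsearches.conf` stanza that the `Save As > Alert` dialog produces. The stanza name, the `web` index, the `stream:HTTP` sourcetype with `src_ip` and `site` fields, the threshold of 50 distinct sites and the recipient address are all assumptions chosen for illustration.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# (C:\Program Files\Splunk\etc\apps\search\local\ on Windows).
# The stanza name is the alert title. Index, sourcetype, fields, threshold
# and address below are illustrative assumptions, not values from the notes.
[Host browsing to many distinct sites]
# One result row per client that contacted more than 50 distinct sites
search = index=web sourcetype="stream:HTTP" | stats dc(site) AS sites values(site) AS site_list BY src_ip | where sites > 50

# Run every 15 minutes over the previous 15 minutes (snapped to the minute)
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m

# Trigger when the search returns at least one row
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Trigger once per result row (per src_ip) rather than once per run,
# so that throttling below can key on the src_ip field
alert.digest_mode = 0
alert.track = 1
alert.severity = 4

# Throttle: do not re-fire for the same src_ip within one hour
alert.suppress = 1
alert.suppress.fields = src_ip
alert.suppress.period = 1h

# Action: email (placeholder recipient); $result.src_ip$ is available
# because the alert fires per result
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ ($result.src_ip$)
```

`alert.track = 1` makes each trigger appear under `Activity > Triggered Alerts`, and the `alert.suppress.*` keys are what the dialog's Throttle option writes. A static dataset such as BOTSv2 never satisfies a `-15m@m` window because its events are years old, so test a scheduled alert against live data, or temporarily widen `dispatch.earliest_time` and run the search by hand first.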