# Splunk


## Splunk Bar
* Messages
* Settings
* Activity
* Help
* Find

## Search & Reporting
* Tip: to land in the Search app automatically on login, set the default app in `user-prefs.conf`. Put the override in the app's `local/` directory rather than `default/` (files under `default/` are overwritten on upgrade), using the `[general_default]` stanza with `default_namespace = search`. The same can be set for a single user from `Settings > Users`.
```sh
C:\Program Files\Splunk\etc\apps\user-prefs\local\user-prefs.conf
/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
```
* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)
* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)
* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)
* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)
* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)
* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)
* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)

* Tabs
    * Event
    * Patterns
    * Statistics
    * Visualization
 
## Adding Data
* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)

* `Settings > Data > Data Inputs` lists the available input types (files and directories, TCP/UDP, scripted inputs, HTTP Event Collector, and on Windows the event log and performance inputs) together with the inputs already configured
* `Settings > Add Data` walks through creating a new input: upload a file once, monitor a file or directory continuously, or receive data from a forwarder

## Queries
* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
```sh
| metadata type=sourcetypes index=botsv2
| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S")
| sort - totalCount
```
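`metadata` reads bucket metadata instead of events, so it is a cheap way to audit log coverage: `firstTime`/`lastTime` are the earliest and latest event timestamps, `recentTime` is the last time anything was indexed, and `totalCount` is the event count. The following search is an added example, not from the original notes, that turns this into a "which hosts went quiet" check. It assumes the `botsv2` index and a 24-hour silence threshold; both are placeholders to adjust. It keys the silence calculation on `recentTime` (index time) rather than `lastTime`, so a source that keeps shipping events with a broken clock does not look alive.

```spl
| metadata type=hosts index=botsv2
| eval lastSeen=strftime(lastTime, "%Y-%m-%d %H:%M:%S"),
       lastIndexed=strftime(recentTime, "%Y-%m-%d %H:%M:%S"),
       hoursSilent=round((now() - recentTime) / 3600, 1)
| where hoursSilent > 24
| sort - hoursSilent
| table host, totalCount, lastSeen, lastIndexed, hoursSilent
```

Run it over `All time`; over a narrower time range the `metadata` counts can be incomplete. Against a static dataset such as BOTSv2 every host will naturally show as silent, which is expected; on a live index the rows are the hosts whose forwarders need checking.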

* Examples
    * Filtering HTTP sites visited for found IP
    ```sh
    index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
    ```
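The `dedup site | table site` pattern only lists distinct sites. When the IP is a suspect, the next question is usually how much and how often it talked to each site. The search below is an added example, not part of the original notes; it assumes the Splunk Stream HTTP field names (`src_ip`, `site`, `uri_path`, `http_method`) and that `10.0.2.101` is the client side of the connection. Using `src_ip=` instead of a bare IP term restricts the match to that role; drop the field name to match the IP on either side as the original search does.

```spl
index="botsv2" sourcetype="stream:http" src_ip="10.0.2.101"
| stats count AS requests,
        min(_time) AS firstSeen,
        max(_time) AS lastSeen,
        dc(uri_path) AS distinctPaths,
        values(http_method) AS methods
  BY site
| eval firstSeen=strftime(firstSeen, "%Y-%m-%d %H:%M:%S"),
       lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| sort - requests
```

`stats ... BY site` replaces `dedup` here: it yields one row per site like `dedup` does, but also carries counts, the first/last contact time and the request methods, and it scales better than `dedup` on large result sets because it does not have to keep the full events.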

## Sigma 
* [Sigma Repo](https://github.com/Neo23x0/sigma)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
* [Conversion](https://uncoder.io/): paste a Sigma rule (e.g. one of the repo's APT29 rules) as input and select Splunk as the target platform
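To make the conversion concrete, here is a constructed Sigma rule written for these notes; it is not a rule from the Sigma repository. It flags `whoami.exe` execution, a common discovery step after initial access, and uses the generic `process_creation` log source so the converter can map it to Sysmon or the Windows Security log depending on the field-mapping config you choose.

```yaml
# Constructed example rule (not from the Sigma repo).
title: Whoami Execution
status: experimental
description: Detects execution of whoami.exe, which attackers run to enumerate the current user and privileges
references:
    - https://attack.mitre.org/techniques/T1033/
tags:
    - attack.discovery
    - attack.t1033
logsource:
    # Generic log source: the converter's config decides whether this
    # becomes Sysmon EventID 1 or Security EventID 4688 fields.
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\whoami.exe'
    condition: selection
falsepositives:
    - Administrators and logon scripts checking the current user
level: medium
```

Pasting this into uncoder.io with Splunk as the target, or running `sigmac -t splunk -c splunk-windows rule.yml` from the repo's `tools/` directory, yields a search along the lines of `source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\whoami.exe"`. The `source` and `EventCode` terms come entirely from the mapping config, so check them against the sourcetypes actually present in your index (the `metadata` search above is a quick way to list them) before saving the converted search as an alert.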

## Dashboard
```sh
source="<source>" | top limit=5 EventID
```
* With the Splunk Add-on for Windows the event ID field is `EventCode`, not `EventID`; check the field list on the left of the search results for the name your sourcetype exposes before building the panel
* Visualization tab > choose a chart > "Save As" (top right) > Dashboard Panel > new dashboard > DashboardName

## Alerting
* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)