Scribd
Upload
518 views

SplunkFundamentals1 Module4

This document provides steps to ingest three different data sources into Splunk: a web application log file, a web server log file, and a database audit log file. The steps include downloading sample data files, uploading each file and configuring the appropriate source type and host values. The lab also includes logging in as a power user to verify the data is searchable.

Uploaded by

smoothlipz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
518 views

SplunkFundamentals1 Module4

This document provides steps to ingest three different data sources into Splunk: a web application log file, a web server log file, and a database audit log file. The steps include downloading sample data files, uploading each file and configuring the appropriate source type and host values. The lab also includes logging in as a power user to verify the data is searchable.

Uploaded by

smoothlipz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Splunk Fundamentals 1 Lab Exercises

Lab typographical conventions:


[sourcetype=db_audit] OR [cs_mime_type] indicates either a source type or the name of a field.

NOTE: Lab work will be done on your personal computer or virtual machine, no lab environment is
provided. We suggest you DO NOT do the lab work on your production environment.

Lab Module 4 – Ingesting Data


Description
This lab exercise will get data ingested into Splunk from three source types.

NOTE: We will be ingesting static data sources that cover 30 days. For this demo you will not see real-
time data.

Steps
Scenario: You have recently joined the team at Buttercup Games as a Splunk Administrator. You have
been asked to ingest data into your Splunk Enterprise instance for searching.

Task 1: Download log files from the repository.

Open a new browser window and direct it to http://splk.it/f1data


The file Splunk_f1_Data.zip will be downloaded to your system.
Use an archive tool to unarchive the file.
Once unarchived, you will see a folder labeled tmp.

Inside the folder you will see three files.

Return to the browser window for your instance of Splunk Web or open a new one.

Task 2: Ingest web application data into Splunk Enterprise.

Go to the Home app by clicking the Splunk Enterprise logo in the upper left hand of the interface.
© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 1
Click the Add Data icon.

NOTE: You must be logged in as admin to see this icon. If you do not see the icon, log out and back in
with your administrator account.

From the Add Data page, click the upload button.

You will be taken to the Select Source step. Click the Select File button and choose the
access_30Day.log file that you downloaded and unarchived earlier.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 2


Once the file is uploaded, click the Next button.
On the Set Source Type step, you will see that Splunk automatically set the source type correctly as
access_combined_wcookie. Click the Next button.

From the Input Settings step, enter web_application as the Host field value and click the Review
button.

You will be taken to the Review step. Make sure your settings match what is shown below and click the
Submit button.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 3


Splunk will process the file.

When completed, a dialog will appear telling you the file has been successfully uploaded.

Task 3: Ingest web server data into Splunk Enterprise.

Click the Add More Data button.

Click the upload icon and the Select File button.


Select the linux_s_30Day.log file that you downloaded and unarchived earlier and click the Next button.
Notice that this time Splunk was not able to automatically select a source type for the data.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 4


Manually assign the source type by selecting the Source type button and selecting linux_secure from the
Operating System menu.

Click the Next button.


For the Input Settings step, enter web_server as the Host field value and click the Review button.

On the Review step, make sure your settings match what is shown below and click the Submit button.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 5


Task 4: Ingest database server data into Splunk Enterprise.

Click the Add More Data button.

Click the upload icon and the Select File button.


Select the db_audit_30DAY.csv file that you downloaded and unarchived earlier and click the Next button.
Notice that Splunk automatically selected a source type of csv for the data. We want to create a new
source type for this data so we click the Save As button.

In the modal window, give the source type a name of db_audit and a description. Using the Category
menu, select Database and click Save.

Click the Next button to continue to the Input Settings step.


Enter database as the Host field value and click the Review button.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 6


Make sure your settings match what is shown below and click the Submit button.

Task 5: Log in to Splunk Enterprise as a Power User.

Log out of your instance using the Logout link in the User menu.

Log back in using the Power User account you created earlier. If you followed the suggested credentials,
use uname in the Username field and 5p1unkbcup for the Password field.

Select the Search & Reporting app from the sidebar.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 7


You will be asked if you would like to take a tour. Click the Skip button.

You should now see the number of events indexed in your system.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 8

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy