Creating Splunk Knowledge - Labs

Creating Splunk 6.3 Knowledge Objects Lab Exercises
There are a number of source types used in these lab exercises. The lab instructions refer to these source types by
the types of data they represent:

Type                          Sourcetype                  Interesting Fields
AD/DNS (corporate network)    winauthentication_security  bcg_ip, bcg_workstation, fname, lname, location, rfid, splunk_role
AD/DNS (engineering network)  WinEventLog:Security        Account_Domain, Account_Name, action, app, Authentication_Package, Type, User
Badge reader                  history_access              Address_Description, Department, Device, Email, Event_Description, First_Name, last_Name, Rfid, Username
BI server                     sales_entries               AcctCode, CustomerID, TransactionID
Email data                    cisco_esa                   dcid, icid, mailfrom, mailto, mid
Web appliance data            cisco_wsa_squid             action, bandwidth, cs_method, cs_mime_type, cs_url, cs_username, sc_bytes, sc_http_status, sc_result_code, severity, src_ip, status, url, usage, x_mcafee_virus_name, x_wbrs_score, x_webcat_code_abbr
Online transactions           access_combined             action, bytes, categoryId, clientip, itemId, JSESSIONID, price, productId, product_name, referer, referer_domain, sale_price, status, user, useragent
Retail sales                  vendor_sales                AcctID, categoryId, product_name, productId, sale_price, Vendor, VendorCity, VendorCountry, VendorID, VendorStateProvince
Web server                    linux_secure                action, app, COMMAND, dest, process, src_city, src_country, src_ip, src_port, user, vendor_action

© 2015 Splunk Inc. All rights reserved. Creating Splunk 6.3 Knowledge Objects May 12, 2016 1
Module 2 Lab Exercise: Creating Lookups
Description
In this lab exercise, you create a new automatic lookup that provides additional information for the web appliance
data.

Steps
Task 1: Set your name and time zone.
1. Click your student ID (455-xxxxxxx) on the navigation bar and select Edit Account.
2. In the Full Name field, enter your name.
3. From the Time zone menu, select your local time zone.
4. Un-check Restart backgrounded jobs.
5. Click Save.
6. Click the splunk> logo at the top left of the window to return to the Search & Reporting app.

Task 2: Search the web appliance data.


1. Search the web appliance data [sourcetype=cisco_wsa_squid] over the last 24 hours
2. Examine the fields in the fields sidebar. In the next task, you will create an automatic lookup to add
the department and location fields to the results.

Task 3: Create an automatic lookup definition.


3. Navigate to: Settings > Lookups > Automatic lookups
4. Click New.
5. Create the automatic lookup with these values:
Destination app: search
Name: SEC_lookup_web_employees
Lookup table: employee_lookup
Apply to: sourcetype
Named: cisco_wsa_squid
Lookup input fields: EMAIL = cs_username
Lookup output fields: DEPT = DEPT
LOCATION = LOCATION

6. Click Save.

Task 4: Search the web appliance data to verify the automatic lookup is working.
7. Search sourcetype=cisco_wsa_squid over the Last 24 hours.
8. In the fields sidebar, click the DEPT and LOCATION fields to examine the field values.

Module 3 Lab Exercise: Working with Field Aliases and Calculated Fields
Description
This lab exercise walks you through the process of creating field aliases and calculated fields.

Steps

Task 1: Create a field alias to change cs_username to user.


1. Search for sourcetype=cisco_wsa_squid over the last 24 hours.
2. Note the cs_username field.
3. Go to Settings > Fields > Field aliases. Create a field alias with the following values:
Destination app: search
Name: cisco_wsa_squid_user
Apply to: sourcetype
Named: cisco_wsa_squid
Field aliases: cs_username = user
4. Click Save.
5. Return to the Search & Reporting app. Re-run your search and examine the user field and values.
Results Example:

6. Perform a search on the cisco_firewall sourcetype and use the fields sidebar to examine the
Username field.
7. Create a field alias for sourcetype cisco_firewall with the following values:
Destination app: search
Name: cisco_firewall_aliases
Apply to: sourcetype
Named: cisco_firewall
Field aliases: Username = user
8. Perform the following search: sourcetype=cisco* user=*
9. Do you receive results from the cisco_wsa_squid and cisco_firewall sourcetypes?

Task 2: Create a calculated field that converts bytes to MB.
10. Search for all events in the last 24 hours for the cisco_wsa_squid source type.
11. Note the sc_bytes field. This field shows the number of bytes used during that event.
12. Go to Settings > Fields > Calculated fields.
13. Create a calculated field named bandwidth that converts the value of sc_bytes to MB with the
following values:
Destination app: search
Apply to: sourcetype
Named: cisco_wsa_squid
Name: bandwidth
Eval expression: sc_bytes/(1024*1024)
14. Return to the Search & Reporting app. Perform a search on the cisco_wsa_squid source type that
shows the total bandwidth by usage.

sourcetype=cisco_w* | stats sum(bandwidth) as "Bandwidth (MB)" by usage

Results Example:
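As an added illustration, not part of the lab, the following Python emulates what the two field aliases and the bandwidth calculated field do at search time over constructed cisco_wsa_squid and cisco_firewall events; the KNOWLEDGE dictionary and all event values are invented for this example.

```python
# Added example, not from the Splunk lab: emulates at search time what the
# Module 3 knowledge objects do, over constructed events from two sourcetypes.
from collections import defaultdict

# Per-sourcetype knowledge objects mirroring the lab's settings (this dict is an
# invented stand-in for the Splunk configuration, not Splunk's own format):
#   cisco_wsa_squid: alias cs_username -> user, calculated field bandwidth
#   cisco_firewall:  alias Username -> user
KNOWLEDGE = {
    "cisco_wsa_squid": {
        "aliases": {"cs_username": "user"},
        # Eval expression from the lab: sc_bytes/(1024*1024)
        "calculated": {"bandwidth": lambda e: float(e["sc_bytes"]) / (1024 * 1024)},
    },
    "cisco_firewall": {
        "aliases": {"Username": "user"},
        "calculated": {},
    },
}

# Constructed sample events; all values are invented for this example.
EVENTS = [
    {"sourcetype": "cisco_wsa_squid", "cs_username": "alice", "sc_bytes": "1048576", "usage": "Business"},
    {"sourcetype": "cisco_wsa_squid", "cs_username": "bob", "sc_bytes": "3145728", "usage": "Personal"},
    {"sourcetype": "cisco_wsa_squid", "cs_username": "alice", "sc_bytes": "524288", "usage": "Business"},
    {"sourcetype": "cisco_firewall", "Username": "carol", "action": "blocked"},
    {"sourcetype": "cisco_firewall", "action": "allowed"},  # no Username field at all
]


def apply_knowledge(event):
    """Return a copy of the event with aliases and calculated fields applied.

    As in Splunk, an alias is additive (the original field stays and the alias
    is added) and an alias whose source field is absent adds nothing. A
    calculated field whose inputs are missing or non-numeric is left out.
    """
    out = dict(event)
    ko = KNOWLEDGE.get(event["sourcetype"], {"aliases": {}, "calculated": {}})
    for src, alias in ko["aliases"].items():
        if src in event:
            out[alias] = event[src]
    for name, expr in ko["calculated"].items():
        try:
            out[name] = expr(out)
        except (KeyError, ValueError):
            pass
    return out


def search_user_present(events):
    """Step 8: sourcetype=cisco* user=* -- events from any cisco sourcetype
    that end up with a user value, whichever original field it came from."""
    return [e for e in map(apply_knowledge, events)
            if e["sourcetype"].startswith("cisco") and "user" in e]


def bandwidth_by_usage(events):
    """Step 14: sourcetype=cisco_w* | stats sum(bandwidth) as "Bandwidth (MB)" by usage"""
    totals = defaultdict(float)
    for e in map(apply_knowledge, events):
        if e["sourcetype"].startswith("cisco_w") and "bandwidth" in e and "usage" in e:
            totals[e["usage"]] += e["bandwidth"]
    return dict(totals)


if __name__ == "__main__":
    for e in search_user_present(EVENTS):
        print(e["sourcetype"], e["user"])
    print(bandwidth_by_usage(EVENTS))
```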

Module 4 Lab Exercise: Creating Field Extractions
Description
This lab exercise walks you through the process of creating a regex field extraction.

Steps

Task 1: Use the Field Extractor to extract a port field for the linux secure data.
1. Search for sourcetype=linux_secure over the Last 24 hours. Note in the fields sidebar that the
port field is not extracted.
2. Use the Field Extractor to extract a port field. Click the > arrow under the icon in the first event.
3. Click Event Actions > Extract Fields.
4. Select the Regular Expression method and click Next.
5. Highlight the port number in the event.
It should look similar to the port number shown in red in this example:
…… Failed password for root from 211.166.11.101 port 4158 ssh2
6. In the Field name box, type src_port.
7. Click Add Extraction and click Next.
8. Validate the field is extracted properly and click Next.
9. Review the extraction information and click Finish.
10. Search for events in the linux_secure sourcetype in the last 24 hours. List the top ports.
sourcetype=linux_secure | top src_port
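An added example, not lab material, of the kind of regex the Field Extractor produces for the highlighted port value, run over constructed linux_secure lines and followed by the equivalent of `| top src_port`; the log lines, hosts and IP addresses are made up.

```python
# Added example (not from the Splunk lab): a regex field extraction for
# src_port over constructed linux_secure lines, then the equivalent of
# "sourcetype=linux_secure | top src_port".
import re
from collections import Counter

# Constructed sample events in the sshd style shown in the lab (IPs and ports invented).
LINUX_SECURE = [
    "Apr 11 09:01:12 web01 sshd[1201]: Failed password for root from 211.166.11.101 port 4158 ssh2",
    "Apr 11 09:01:15 web01 sshd[1203]: Failed password for invalid user admin from 211.166.11.101 port 4162 ssh2",
    "Apr 11 09:02:40 web01 sshd[1210]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2",
    "Apr 11 09:03:01 web01 sshd[1214]: Failed password for root from 198.51.100.23 port 4158 ssh2",
    "Apr 11 09:03:30 web01 sshd[1220]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]

# An extraction equivalent to what the Field Extractor builds for the highlighted
# port: anchor on the literal "port " and capture the digits that follow, so it
# cannot match the PID in "sshd[1201]" or an octet of the IP address.
SRC_PORT_RE = re.compile(r"\bport (?P<src_port>\d{1,5})\b")


def extract_src_port(event):
    """Return the src_port value as a string, or None if the event has no port
    (Splunk leaves the field absent rather than empty for such events)."""
    m = SRC_PORT_RE.search(event)
    return m.group("src_port") if m else None


def top_src_port(events):
    """Emulate "| top src_port": (value, count, percent) rows, most common first.
    Percent is relative to the events that have the field, as Splunk's top does."""
    counts = Counter(p for p in map(extract_src_port, events) if p is not None)
    total = sum(counts.values())
    return [(port, n, round(100.0 * n / total, 2)) for port, n in counts.most_common()]


if __name__ == "__main__":
    for port, n, pct in top_src_port(LINUX_SECURE):
        print(f"{port:>6} {n:>3} {pct:>7.2f}%")
```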

Module 5 Lab Exercise: Creating Tags and Event Types
Description
This lab exercise walks you through the steps to create tags and event types.

Steps
Task 1: Create tags to identify a product's rating.
1. Run a search over the Last 24 hours for all events under the access_combined sourcetype and
categoryId field with valid values.
sourcetype=access_combined categoryId!=null
2. In the Fields sidebar, click the categoryId field and note all the categories that are returned from
the search. You should see seven categories.
3. Run a search for categoryId=sports

4. For the first event in the results, click the information widget to expand the event details.
5. Find the row for the categoryId field. Click the down arrow under the Actions column and select
Edit Tags.
6. Tag categoryId sports with the value General and click Save.
7. Run a search over the Last 24 hours for categoryId=strategy

8. For the first event in the results, click the information widget to expand the event details.
9. Find the row for the categoryId field. Click the down arrow under the Actions column and select
Edit Tags.
10. Tag categoryId strategy with the value Teen and save it.
11. Run a search over the Last 24 hours for categoryId=shooter

12. For the first event in the results, click the information widget to expand the event details.
13. Find the row for the categoryId field. Click the down arrow under the Actions column and select
Edit Tags.
14. Tag categoryId shooter with the value Mature.
15. Perform a search and verify the tags are created.

Results Example:

Task 2: Use tags in a search.


16. Search for sourcetype=access_combined tag=Teen
Note that tags are case sensitive. A search for tag=teen produces no results.
Task 3: Use the Search interface to create event types for accessories and tee purchase events.
17. Search the access_combined source type for all purchase events in the last 30 days where categoryId=accessories.
sourcetype=access_combined action=purchase categoryId=accessories
19. Select Save As > Event Type.
20. Name your event type: accessories_purchases
21. Optionally, select a color to flag the event type and a priority, then click Save.
Search the access_combined source type for all purchase events in the last 30 days where
categoryId=tee.

sourcetype=access_combined action=purchase categoryId=tee


22. Save the second event type as tee_purchases
23. Optionally, select a color to flag the event type and a priority, then click Save
24. Perform a search for purchase events with categoryId values of either accessories or tee.
sourcetype=access_combined action=purchase (categoryId=accessories OR categoryId=tee)
25. Verify your event types were created by clicking on the eventtype field in the sidebar.

Results Example:

Task 4: Use the Event Type Settings page to create event types for strategy and arcade games purchase
events.
26. Search the access_combined source type for all purchase events in the last 30 days of STRATEGY
games.
sourcetype=access_combined action=purchase categoryId=strategy
27. After the search returns results, copy your search string.
28. Go to Settings > Event types and create a new event type.
29. Name the event type strategy_game_purchases and paste your search string in the Search string
field. Click Save.
30. Repeat the above steps for purchased ARCADE game events and name the event type:
arcade_game_purchases
sourcetype=access_combined action=purchase categoryId=arcade
31. Return to the Search & Reporting app and run a search to verify that your event types are being
returned.
sourcetype=access_combined action=purchase categoryId=*

Results Example:

Note: Based on add-ons or apps you have installed, additional event types may be displayed. In this
example, nix-all-logs is added by the *NIX app.

Module 6 Lab Exercise: Creating and Using Workflow Actions
Description
These steps create GET and Search workflow actions.

Task 1: Create a GET workflow action that opens a new browser window with information about the
source IP address.
1. Navigate to Settings > Fields > Workflow actions.
2. Click New to create a workflow action.
3. For the Destination App, select search.
4. For Name, type: get_whois_info
5. For Label, type: Get info for IPaddress: $src_ip$
6. For Apply only to the following fields, type: src_ip
7. For Action type, make sure link is selected.
8. For URI, type: http://whois.domaintools.com/$src_ip$
9. From the Open link in dropdown menu, make sure New window is selected.
10. From the Link Method dropdown menu, make sure get is selected.
11. Save your workflow action.
12. Verify your workflow action works as expected. Return to the Search & Reporting app and search
for sourcetype=linux_secure src_ip=* over the last 24 hours.
13. Expand the first event and click Event Actions.
14. Click Get info for IPaddress: {src_ip}.
15. A secondary browser window should open to the URI and display the IP address information.

Results Example:

Task 2: Create a Search workflow action that performs a search for all failed password events associated with a specific IP address.
16. Navigate to Settings > Fields > Workflow actions.
17. Click New.
18. For the Destination App, select search.

19. For Name, type: search_access_by_ipaddress
20. For Label, type: Search failed access by IPaddress: $src_ip$
21. For Apply only to the following fields, type: src_ip
22. From the Action Type drop down menu, select search.
23. In the Search string field, type: sourcetype=linux_secure failed src_ip=$src_ip$
24. From the Run in app dropdown, select search.
25. From the Run search in dropdown menu, make sure New window is selected.
26. Select the Use the same time range as the search that created the field listing check box.
27. Save your workflow action.
28. Verify your workflow action works as expected. Return to the Search & Reporting app and search
for sourcetype=linux_secure src_ip=* over the last 24 hours.
29. Expand an event with an IP Address field and click Event Actions.
30. Select Search failed access by IPaddress: {src_ip}
31. A secondary search window should open with the search results for the IP address.

Module 7 Lab Exercise: Creating Alerts
Description
You learn to create an alert.

Steps
Task 1: Create a search to identify specific types of failed logins.
1. Search for the Linux secure logs on all web servers in the Last 60 minutes.
sourcetype=linux_secure failed NOT invalid

Task 2: Create and view an alert.

2. From the Save As menu, select Alert.
3. Name the alert: Failed Login Attempts
4. From the Alert type: Scheduled menu, select Run every hour.
5. From the At menu, select the next closest interval to your current time. For example if your current
time is 9:23, select 30 minutes past the hour.
6. For Trigger condition, select Number of Results.
7. Set the condition to Number of Results is greater than 0.
8. Keep the default Once for Trigger selection.
9. Leave the Throttle check box un-checked.
10. From the + Add Actions menu, select Add to Triggered Alerts.
11. Set the Severity to High.

12. Click Save then click View Alert.


13. You should see an overview screen describing your new alert.
14. From the Splunk bar, click Activity > Triggered Alerts.

Note: It may take a few minutes for your alert to appear.

15. Click the View results link on a triggered alert to see the event(s) that caused the alert.
Task 3: Disable the alert.
16. In the App Navigation bar, click Alerts.
24. For the row containing your alert, click Edit, then Disable.
25. When the Disable dialog appears, click Disable.
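Added example, not part of the lab: a Python model of one scheduled run of this alert, applying the `failed NOT invalid` term logic and the Number of Results greater than 0 trigger to constructed linux_secure events; Splunk's term matching is approximated here by splitting the raw text on non-alphanumeric characters.

```python
# Added example (not from the Splunk lab): evaluates the Module 7 alert
# search "sourcetype=linux_secure failed NOT invalid" with the trigger
# condition "Number of Results is greater than 0" over constructed events.
import re

# Constructed linux_secure events for one scheduled run (hosts and IPs invented).
WINDOW = [
    "Apr 11 09:01:12 web01 sshd[1201]: Failed password for root from 211.166.11.101 port 4158 ssh2",
    "Apr 11 09:01:15 web01 sshd[1203]: Failed password for invalid user admin from 211.166.11.101 port 4162 ssh2",
    "Apr 11 09:02:40 web01 sshd[1210]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2",
    "Apr 11 09:03:01 web01 sshd[1214]: pam_unix(sshd:auth): authentication failure; logname= uid=0",
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokens(event):
    """Approximation of Splunk keyword matching: whole terms, case-insensitive.
    The raw text is split on anything that is not a letter or digit."""
    return set(TOKEN_RE.findall(event.lower()))


def matches_alert_search(event):
    """'failed NOT invalid': the term failed must be present and invalid absent.
    'failure' is a different term, so the PAM line does not match, and
    'Failed password for invalid user ...' is excluded by the NOT clause, which
    scopes the alert to failed attempts against accounts that exist."""
    t = tokens(event)
    return "failed" in t and "invalid" not in t


def run_alert(events, threshold=0):
    """One scheduled run: returns (triggered, matching_events), where triggered
    follows the lab's condition Number of Results greater than threshold."""
    results = [e for e in events if matches_alert_search(e)]
    return len(results) > threshold, results


if __name__ == "__main__":
    fired, hits = run_alert(WINDOW)
    print("triggered" if fired else "not triggered", len(hits), "result(s)")
    for h in hits:
        print("  ", h)
```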

Module 8 Lab Exercise: Creating and Using Macros
Description
This lab exercise walks you through the steps for creating a basic macro and a macro with arguments.

Steps

Task 1: Create a basic macro that lists the monthly total sales in the US.
1. Navigate to Settings > Advanced search > Search macros.
2. Click New.
3. Verify the Destination app is set to search.
4. Name the macro: US_sales
5. In the Definition field, type the following search string, which returns the total sales amount for US
vendors:
sourcetype=vendor_sales VendorCountry="United States" | stats sum(price) as USD by product_name | eval USD = "$" + tostring(USD,"commas")
6. Save the macro.
Task 2: Use a basic macro.
7. Return to the Search & Reporting app.
8. In the search bar, type `US_sales` and search over the Last 24 hours. Examine the results.
Results Example:

Task 3: Create a macro with currency, currency symbol, and rate as arguments.
9. Navigate to Settings > Advanced search > Search macros.
10. Click New.
11. Verify the Destination app is set to search.
12. Name the macro: sales(3)
13. Enter the following search string:
| stats sum(price) as USD by product_name | eval $currency$ = "$symbol$" + tostring(USD*$rate$, "commas") | eval USD = "$" + tostring(USD, "commas")
14. In the Arguments field, type the arguments, separated by a comma.
Hint: currency,symbol,rate (order of variables must match the search string)
15. Save the macro.

Task 4: Use your macro with arguments in a search.
16. Return to the Search & Reporting app.
17. Perform a search for sourcetype=vendor_sales where the VendorCountry is Germany,
France, or Italy. Use the macro and pass the arguments euro, €, and .79 for results in the Last
7 days.

sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy `sales(euro,€,.79)`
18. Run the search again for sales in the UK with the following arguments GBP, £, and .64.
Results Example:
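Added example, not from the lab and not Splunk's own code: a small expander for the `US_sales` and `sales(3)` macros that substitutes positional arguments into the $currency$, $symbol$ and $rate$ placeholders, which shows why the argument order has to match the definition; the MACROS dictionary is an invented stand-in for the Search macros settings page.

```python
# Added example (not from the Splunk lab): expands search macros with
# arguments the way the lab's sales(3) macro is used, so the effect of
# argument order on the $name$ substitutions is visible.
import re

# Macro definitions keyed by (name, argument count), mirroring the lab's
# Settings > Advanced search > Search macros entries; this dict is invented.
MACROS = {
    ("US_sales", 0): {
        "args": [],
        "definition": 'sourcetype=vendor_sales VendorCountry="United States" | stats sum(price) as USD by product_name | eval USD = "$" + tostring(USD,"commas")',
    },
    ("sales", 3): {
        "args": ["currency", "symbol", "rate"],  # order must match the $name$ placeholders
        "definition": '| stats sum(price) as USD by product_name | eval $currency$ = "$symbol$" + tostring(USD*$rate$, "commas") | eval USD = "$" + tostring(USD, "commas")',
    },
}

# A macro call in a search: `name` or `name(arg1,arg2,...)` between backticks.
MACRO_CALL_RE = re.compile(r"`(?P<name>\w+)(?:\((?P<args>[^)]*)\))?`")


def expand_macro(name, args):
    """Substitute positional args into the $name$ placeholders of the macro
    whose argument count matches, as Splunk resolves sales(3) vs sales(0)."""
    key = (name, len(args))
    if key not in MACROS:
        raise ValueError(f"no macro {name} taking {len(args)} argument(s)")
    text = MACROS[key]["definition"]
    for arg_name, value in zip(MACROS[key]["args"], args):
        # Literal replace: the lone "$" used for the USD string is untouched.
        text = text.replace(f"${arg_name}$", value)
    return text


def expand_search(search):
    """Replace every `macro(args)` call in a search string with its expansion."""
    def repl(m):
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        return expand_macro(m.group("name"), args)
    return MACRO_CALL_RE.sub(repl, search)


if __name__ == "__main__":
    print(expand_search("`US_sales`"))
    print(expand_search("sourcetype=vendor_sales VendorCountry=UK `sales(GBP,£,.64)`"))
    # Arguments in the wrong order are still substituted positionally, which
    # yields an eval named "€" with the literal text "euro" as its symbol.
    print(expand_search("`sales(€,euro,.79)`"))
```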

Module 9 Lab Exercise: Creating a Data Model
Description
This exercise walks you through the process of creating a data model. After the data model is created, create a pivot
to verify your data model provides the expected results.

Steps

Task 1: Use Instant Pivot to create the Web Requests root event.

1. Search for sourcetype=access_combined


2. Select the Statistics tab, then click Pivot.
3. In the Fields dialog, keep All fields selected, then click OK. The Pivot interface opens.
4. Change the Time filter to Last 24 hours.
5. From the Save as menu, select Report.
6. In the Title and Model Title fields, type: Buttercup Games Site Activity
7. Click Save. In the Your Report Has Been Created dialog, select Edit objects under Data Model
Settings. The Data Model editor displays.
8. Click Rename for the EventObject and change the name to Web Requests and save.

Task 2: Rename field attributes.


9. Click the Edit link next to the following fields to rename the fields as described below, then click Save
for each:
action > action taken
bytes > size
categoryId > product category
clientip > client IP
productId > product ID
product_name > product name
req_time > request time

Task 3: Add a child event for actions that succeeded.

10. Click Add Object and select Child.
11. In the Object Name field, type: Successful Requests
12. In the Additional Constraints field, type: status<400
13. Click Preview to see a test sample of your results.
14. Save the child object.
15. Select the Successful Requests object. Add a child object called purchases with an Additional
Constraints value of action=purchase productId=*. Remember to click Save.
16. Select the Web Requests event and add child object named: Failed Requests
17. In the Additional Constraints field, type: status>399
18. Click Preview to receive a test sample of your results.
19. Save the child object.
20. Under the Failed Requests child object, add a child object named remove with an Additional
Constraints value of action=remove productId=*. Remember to click Save.
Results Example:

Task 4: Test your data model by creating a pivot.
21. Click Pivot.
22. Select the Web Requests object.
23. In the New Pivot window, change the following:
• Filter on the Last 7 days
• Split Rows by action taken and click Add To Table
• Split Columns by date_mday and click Add To Table

Results Example:

Task 5: Add an attribute that uses an eval expression. The eval expression will list events chronologically
by date and day.

24. Click the Web Requests button to go back to the Buttercup Games Site Activity data model.
25. Select Edit Object.
26. Make sure Web Requests is selected.
27. From the Add Attribute menu, select Eval Expression.
28. In the Eval Expression field, type:
strftime(_time,"%m-%d %A")
29. For Field Name, type: day
30. For Display Name, type: day
31. Click Preview to verify your eval expression returns results.
32. Save the eval expression.
Results Example:

Task 6: Verify the eval expression works as expected by using Pivot to create a dashboard.

33. Click Pivot.


34. Select the Web Requests object.
35. Change the time filter to the Last 7 days.
36. Split Rows by action taken.
37. Click Add To Table.
38. Split Columns by day.
39. Click Add To Table.
40. Click Save As and select Dashboard Panel.
41. For Dashboard Title, type: Weekly Website Activity
42. For Panel Title, type: Cart activity by day
43. Click Save.
44. Click View Dashboard. You should see the web requests categorized and counted by day.
Results Example:

Task 7: Add attributes from a lookup. The lookup table will provide descriptions for status codes.

45. Navigate to Settings > Data models.


46. Select the Buttercup Games Site Activity data model.
47. Make sure the Web Requests root object is selected.
48. Click Add Attribute and select Lookup.
49. From the Lookup Table dropdown list, select http_status_lookup.
50. From the Field in Lookup dropdown, select code.
51. From the Attribute dropdown, select status. This maps the status field in your indexed data to the
code column in the lookup table.
52. For the lookup Output section in the Field in Lookup field, check the description checkbox.
53. In the Display Name field, type: status description
54. Click the Preview button. You should see a description column in the results.
55. Click Save.

Task 8: Verify the lookup works properly by creating a Pivot report.

56. Click Pivot.


57. Select the Web Requests object.
58. Change the Filter to Last 7 days.
59. From Split Rows, add the status description attribute and click Add To Table.
60. Click the + button to split by another row and add the status attribute. Click Add To Table.
Note: This is a double row split, not a column split.
Results Example:

61. Split Columns by day and click Add To Table.
62. Click Save As and select Dashboard Panel.
63. Select Existing Dashboard and select Weekly Website Activity.
64. For the Panel Title, type: Web Requests Summary
65. Click Save.
66. Click View Dashboard.
Results Example:

Supplemental Exercise:

Task 1: From the pivot editor, add an attribute as a filter that displays all shopping cart activity except
changequantity and remove.
1. Hover your mouse in the lower left corner of the Cart Activity by day dashboard panel. Click the Open in Pivot icon.


2. Refine your search results by selecting the Column chart icon from the table formats on the left.
Results Examples:

3. Click Add Filter and choose action taken.


4. For Filter Type, select Match.
5. For Match, change the operator to is not, then select changequantity.
6. Add another filter and choose action taken.
7. For the Filter Type select Match.
8. For Match, change the operator to is not and then select remove.

Results Example:

9. Click Save As and select Dashboard Panel.


10. Save to the Weekly Website Activity dashboard.
11. For Panel Title, type: Add Purchase View
12. Save and view your dashboard.
13. Rearrange the panels to your liking and admire your work!

