topic Re: Simply server activity query in Reporting

What is a simple server activity query?

bbainunc — Wed, 15 Jun 2022 20:57:16 GMT

Looking to brush off the cobwebs of my Splunk use and wanted to find a simple query of server activity/traffic for a server on our domain. If anyone has a basic query they use on a regular basis to see traffic on their servers, I'd appreciate if you could share it, once I get the basic syntax, I can take it from there.

Re: Simply server activity query

gcusello — Wed, 15 Jun 2022 17:07:40 GMT

Hi @bbainunc,

I hint to follow some training, starting from:

Splunk Search Tutorial https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchTutorial/WelcometotheSearchTutorial

getting data in https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Getstartedwithgettingdatain

in this way you can understand how to take data in Splunk and how to use them.

On the Splunk Channel of YouTube you can also find many useful video that explayin how Splunk works, but anuway starts from the above two points.

About your question is too poor to answer, you should describe:

which data you are speaking about,
if you already have them in Splunk or not.

Ciao.

Giuseppe

Re: Simply server activity query

bbainunc — Wed, 15 Jun 2022 18:02:58 GMT

Of course I have reviewed tutorials before posting to this forum, I specifically said server traffic, so that answered the data question. I know this is an easy query, was just looking for a boost to spark my memory Your post was not only unhelpful, but kind of condescending.

Re: Simply server activity query

state_larson_ti — Wed, 15 Jun 2022 18:18:11 GMT

Giuseppe was providing useful information. It is not clear to me what server environment you are using, and if you have tried the use local logs or if you want, in the case of network traffic, to pull in a .pcap file. Also, the answer for server activity changes if you have a linux or a windows server. Giuseppe is pretty good if you can be a bit more specific.

Cheers and good luck!

Re: Simply server activity query

state_larson_ti — Wed, 15 Jun 2022 18:20:48 GMT

@bbainunc wrote:
Of course I have reviewed tutorials before posting to this forum, I specifically said server traffic, so that answered the data question. I know this is an easy query, was just looking for a boost to spark my memory Your post was not only unhelpful, but kind of condescending.

https://lantern.splunk.com/Security/Use_Cases/Security_Posture/Monitoring_for_network_traffic_volume_outliers/Network_traffic_patterns_between_a_source-destination_pair

This link provides some good examples of looking for network traffic assuming you have a data set ingested. I hope this is helpful.

Kindest,

Re: Simply server activity query

bbainunc — Wed, 15 Jun 2022 18:22:39 GMT

Thank you, that is what I was looking for just to get started.