<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Fundamentals 1 Module 5 question in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Splunk-Fundamentals-1-Module-5-question/m-p/542764#M153752</link>
    <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231855"&gt;@Marqui&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's been years since I've taken the course, but a quick look at the lab guide for Module 5 Task 2 reads:&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;7. Click&amp;nbsp;&lt;STRONG&gt;Search&lt;/STRONG&gt; to start a new search.&lt;BR /&gt;8.&amp;nbsp;Search for &lt;FONT face="courier new,courier"&gt;fail* AND password&lt;/FONT&gt; over &lt;STRONG&gt;All time&lt;/STRONG&gt;. Review the results and notice the port values for a few of the events. You want to see users trying to log into the SSH port we have open, port 22.&lt;BR /&gt;9. At the end of the search string, type: &lt;FONT face="courier new,courier"&gt;22&lt;/FONT&gt;&lt;BR /&gt;10. Click the &lt;STRONG&gt;Search&lt;/STRONG&gt; button or press &lt;STRONG&gt;Enter&lt;/STRONG&gt; to run the search.&lt;BR /&gt;11. Notice that not only events with port 22 are selected, but any events with the number 22 in them.&lt;BR /&gt;12. Replace the number 22 in your search with: &lt;FONT face="courier new,courier"&gt;"port 22"&lt;/FONT&gt;. Make sure to use the quotation marks.&lt;BR /&gt;13. Notice that you are now only seeing events the entire phase.&lt;BR /&gt;14. Page through the results. There are many login failures.&lt;/P&gt;&lt;P&gt;In step 12, your search should be:&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;fail* AND password "port 22"&lt;/LI-CODE&gt;&lt;P&gt;Assuming the lab and test data agree, you should see results with host=web_server sourcetype=linux_secure.&lt;/P&gt;</description>
    <pubDate>Mon, 08 Mar 2021 00:46:10 GMT</pubDate>
    <dc:creator>tscroggins</dc:creator>
    <dc:date>2021-03-08T00:46:10Z</dc:date>
    <item>
      <title>Splunk Fundamentals 1 Module 5 question</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Splunk-Fundamentals-1-Module-5-question/m-p/541250#M153240</link>
      <description>&lt;P&gt;In module 5, of Splunk Fundamentals 1, during the lab exercise, it asks to do a search and says to notice the host=web_server results and host=web_application, however,&amp;nbsp; there are no host=web_server results. So in the second search when they say put "port 22" in the search string, there are no results. I cannot finish the module. Any suggestions?&lt;/P&gt;</description>
      <pubDate>Wed, 24 Feb 2021 17:48:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Splunk-Fundamentals-1-Module-5-question/m-p/541250#M153240</guid>
      <dc:creator>Marqui</dc:creator>
      <dc:date>2021-02-24T17:48:25Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Fundamentals 1 Module 5 question</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Splunk-Fundamentals-1-Module-5-question/m-p/542764#M153752</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231855"&gt;@Marqui&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's been years since I've taken the course, but a quick look at the lab guide for Module 5 Task 2 reads:&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;7. Click&amp;nbsp;&lt;STRONG&gt;Search&lt;/STRONG&gt; to start a new search.&lt;BR /&gt;8.&amp;nbsp;Search for &lt;FONT face="courier new,courier"&gt;fail* AND password&lt;/FONT&gt; over &lt;STRONG&gt;All time&lt;/STRONG&gt;. Review the results and notice the port values for a few of the events. You want to see users trying to log into the SSH port we have open, port 22.&lt;BR /&gt;9. At the end of the search string, type: &lt;FONT face="courier new,courier"&gt;22&lt;/FONT&gt;&lt;BR /&gt;10. Click the &lt;STRONG&gt;Search&lt;/STRONG&gt; button or press &lt;STRONG&gt;Enter&lt;/STRONG&gt; to run the search.&lt;BR /&gt;11. Notice that not only events with port 22 are selected, but any events with the number 22 in them.&lt;BR /&gt;12. Replace the number 22 in your search with: &lt;FONT face="courier new,courier"&gt;"port 22"&lt;/FONT&gt;. Make sure to use the quotation marks.&lt;BR /&gt;13. Notice that you are now only seeing events the entire phase.&lt;BR /&gt;14. Page through the results. There are many login failures.&lt;/P&gt;&lt;P&gt;In step 12, your search should be:&lt;/P&gt;&lt;LI-CODE lang="javascript"&gt;fail* AND password "port 22"&lt;/LI-CODE&gt;&lt;P&gt;Assuming the lab and test data agree, you should see results with host=web_server sourcetype=linux_secure.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Mar 2021 00:46:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Splunk-Fundamentals-1-Module-5-question/m-p/542764#M153752</guid>
      <dc:creator>tscroggins</dc:creator>
      <dc:date>2021-03-08T00:46:10Z</dc:date>
    </item>
  </channel>
</rss>

