Getting Data In

Where can I get the updated sample data for practicing searches using SPL?

Lorenzo1
Path Finder

please where can i get the updated sample data for practicing searches using SPL? thanks in advance

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You can get sample data literally anywhere.  Any data can be used to practice searching.  Your own workstation probably is the best place to start.  If you want more variety in your data, download the BOTS3 (Boss Of The SOC version3) dataset at https://github.com/splunk/botsv3

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gcusello
SplunkTrust
SplunkTrust

richgalloway
SplunkTrust
SplunkTrust

You can get sample data literally anywhere.  Any data can be used to practice searching.  Your own workstation probably is the best place to start.  If you want more variety in your data, download the BOTS3 (Boss Of The SOC version3) dataset at https://github.com/splunk/botsv3

---
If this reply helps you, Karma would be appreciated.

Lorenzo1
Path Finder

also i tried to scp the .tgz file from my local folder to the virtual server so i can untar and install it there but was getting "permission denied" error (screenshot attached). can you help pls.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use chmod to set the permissions.

You do not need any apps or add-ons to use the BOTS data set.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Lorenzo1
Path Finder

hi @richgalloway ,

so i was able to install botsv3 but got this error after restarting and splunkd stopped running. pls how can i solve this cos i can see am almost there. thanxx.

 

homePath='/opt/splunk/etc/apps/botsv3_data_set/var/lib/splunk/botsv3/db' of index=botsv3 on unusable filesystem.

Validating databases (splunkd validatedb) failed with code '1'

attached is the screenshot,

 

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

You'll need to fix the filesystem on which the botsv3 index is stored.  Perhaps it's in read-only mode or maybe the permissions on the botsv3 directory are incorrect.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Lorenzo1
Path Finder

ok lemme try that. Thanks for your time.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It's out of scope of this forum I'm afraid. It's not that I don't want to help you out here but you obviously have problems with most basic unix CLI operations so it's better that you train somewhere else than if I give you a copy-paste solution which you can mistype and break your whole installation.

Find some basic unix/linux CLI tutorial and start from there.

0 Karma

Lorenzo1
Path Finder

i dont understand . i already have a good hand in linux. If i could deploy a fully clustered splunk environment then i dont think i need basic linux training. But its ok if you say so. thanxx.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Sorry, mate, but it seems so.

From the screenshots you provided it seems that you're trying to "run" your home directory and your scp syntax is wrong (use man scp to read about it). It's not an insult. It's just pointing out that you're missing the basics.

Lorenzo1
Path Finder

hey bro do i need to download and install all the app/add -on before installing the BOTS v3? Cos i decided not to download the ones that had to do with microsoft and windows since am using Mac.

0 Karma

Lorenzo1
Path Finder

hi @richgalloway thanxx bro i seen it in v3.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...