Reporting

Search query to retrieve data from Splunk log for reporting purpose

lesan
New Member

Hi Everyone,

We do have an application accessible to some authorized users. We want to monitor the users' activity for security reasons. For this purpose I will need to use log information stored in Splunk. I have been trying to generate a report using a Splunk search query to retrieve the fields and data that I need for my report. I have some basic fields like index, host, sourcetype... but it is not sufficient to provide me with the data that I want. I learned that I should use some expression. I am a complete beginner with Splunk and know very little about the Splunk Processing Language. I'd appreciate any help with some generic Splunk queries. Below are the report requirements:

1. User Enrollment Log
   Provides a record of all changes made to user enrollments for the day.
   The report shows the full details of each user enrollment before (for changed and deleted enrollments) and/or after (for new and changed enrollments) maintenance.

2. Group (Role) Function Definition Report
   Provides a record of all changes made to function definitions for the day.
   The report shows the full details of each function definition before (for changed and deleted definitions) and after (for new and changed definitions) maintenance.

3. User Activity Log
   Chronological list of all activities for each user.
   The information on the report identifies the nature of the activity, the date and time the activity occurred, and whether a permissions violation occurred.

0 Karma
1 Solution

gfreitas
Builder

Hi,

I believe the first step for you is to start extracting fields from your log; luckily, a lot of common log sources already have field extractions built into Splunk or available from Splunk add-ons. What exactly is the log source you're trying to create your report from? You might also want to look inside https://splunkbase.splunk.com/ to check for any add-ons that might help you.
If no add-on is available or you're looking at a quite custom log source, you'll need to extract fields yourself. This task can be achieved either by creating REGEXES or by using the built-in Splunk field extractor. A good start is this documentation, which helps you extract fields: https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/ExtractfieldsinteractivelywithIFX. If you don't know a lot of REGEX, the built-in field extractor is good enough.

Now, assuming you have your data indexed and fields extracted, the next part is to start filtering data with Splunk. We can probably help you create a few searches, but it is very dependent on your data. I highly recommend you take the free Splunk courses; Fundamentals is a very good starting point: https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html.

Hope this helps you with your beginning with Splunk, and happy splunking 🙂


0 Karma
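A worked search along the lines the answer describes, added here as an example and not part of the original post: it builds three constructed audit lines with `makeresults`, extracts fields with `rex`, then derives the before/after role of each enrollment (report 1) and flags permission violations in a chronological per-user list (report 3). The log line format, the `user=`/`action=`/`enrollment=`/`role=`/`result=` fields and the `denied` result value are assumptions about what the application logs.

```spl
| makeresults count=1
| eval constructed_sample="2024-12-02T09:15:04Z user=jdoe action=update_enrollment enrollment=E-1042 role=viewer result=success;2024-12-02T09:17:30Z user=jdoe action=update_enrollment enrollment=E-1042 role=admin result=success;2024-12-02T09:20:11Z user=asmith action=delete_enrollment enrollment=E-1042 role=admin result=denied"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<ts>\S+)\s+user=(?<user>\S+)\s+action=(?<action>\S+)\s+enrollment=(?<enrollment>\S+)\s+role=(?<role>\S+)\s+result=(?<result>\S+)"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
| eval violation=if(result="denied", "yes", "no")
| sort 0 enrollment _time
| streamstats current=f last(role) as role_before by enrollment
| eval role_after=if(match(action, "^delete"), null(), role)
| table _time user action enrollment role_before role_after violation
```

Against indexed data, replace the first four lines with a base search such as `index=app_audit sourcetype=app:audit earliest=-1d@d latest=@d` (constructed names) and point `rex` at `_raw`; once the fields are extracted at search time as the answer suggests, the `rex` line is no longer needed either.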
