Splunk Enterprise Security

What is the best approach to learning Splunk?

jackshultz
New Member

I start a new position as a Cyber Security Engineer in the next couple of weeks and I have to learn as much about Splunk SIEM as I can. I have experience with McAfee SIEM and a deep background in security and a little experience with Python. I see that I can download a trial version of Splunk; would this be applicable on my laptop?


javiergn
Super Champion

Hi Jack,

I was an ArcSight consultant in a previous life and I am happy with the change 🙂

One of the first things I had to learn is: Splunk is not just a SIEM. And it's true. Splunk is all about making data easily searchable. Security data, financial data, sales, ... Collect, index and search. Simple.

You shouldn't have too much trouble understanding the architecture model or the collection, which is mainly agent-based too and relies on regex for data extraction.

Just another piece of advice: everything is extremely customisable. Everything. Which is good and bad. I had to refresh my knowledge of XML, JavaScript and HTML in order to get the best out of my data via advanced dashboards.

Good luck and welcome.

Thanks,
J

rashid47010
Communicator

Hi Javiergn,

Previously I was working on ArcSight, but now we are moving to Splunk.
I want to understand the architecture:
how we can integrate different data sources with Splunk, and, as the next step, how I can verify that integration.


javiergn
Super Champion

Hi, your question is too broad to be answered within a reasonable amount of time, so I'll try to summarise.

If you want to understand the architecture, the best place to start is the documentation. Trust me, it's by far easier to understand than others and very intuitive to navigate.

http://docs.splunk.com

Integrating data sources is not complicated. You configure your agents or Splunk servers to read your logs, and in general you only have to worry about the parsing at the very end. There's no hard scheme you can't modify once you have ingested your data. Forget about that. Simply get your data in, and once it is searchable you can spend time extracting the information and creating your fields.

Verifying the integration is just a matter of writing searches and making sure your logs are still coming. There are lots of examples in the forums.

If you want my advice, get Splunk running on your laptop. Configure one or two data sources and start familiarising yourself with the search GUI. Using the search engine is critical.

Hope that helps.

Thanks,
J

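As an added illustration of the "make sure your logs are still coming" check (not part of javiergn's reply), here is one SPL search that lists every index/host/sourcetype combination seen in the last 7 days whose newest event is older than 60 minutes. The 7-day window, the 60-minute threshold and the use of `index=*` are assumptions to adjust for your environment.

```spl
| tstats latest(_time) AS last_seen, count AS events
    WHERE index=* earliest=-7d
    BY index, host, sourcetype
| eval age_min = round((now() - last_seen) / 60)
| where age_min > 60
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - age_min
| table index host sourcetype events last_seen age_min
```

Any row returned is a data source that was reporting during the week but has gone quiet; saving the search as a scheduled alert turns it into continuous ingestion monitoring.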

esix_splunk
Splunk Employee

Also, check out the Splunk E-Learning: http://www.splunk.com/view/SP-CAAAHSM. There are a variety of courses and options there. Additionally, go through the Search Tutorial, install Splunk locally or get a Splunk Enterprise or Splunk ES (SIEM solution) demo sandbox and experience it for yourself!

Sandboxes and Splunk Cloud: https://www.splunk.com/page/sign_up/cloud_trial?responsive=1&redirecturl=%2Fgetsplunk%2Fcloudtrial

jackshultz
New Member

Thank you greatly.


piebob
Splunk Employee

Start here: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
Yes, you can try it out on your laptop. Are you actually going to be using the Splunk app for Enterprise Security? I recommend you learn about Splunk on its own first via this tutorial before moving on.

jackshultz
New Member

Thank you greatly.
