Hi! I'm new to Splunk; I'm just learning it now because I need to understand the Splunk search string given to me by the client (I'm an auditor).
So I have a few questions about this Splunk search string, I hope you could maybe help me 🙂
1. What does "index=*" mean in index=* sourcetype=WinEventLog:Application OR source=WinEventLog:Application SourceName="Application Name"? And also, I understand that the sourcetype is how Splunk will read the data (is that right?). I was also wondering why there is no "OR" before the SourceName?
2. Also if I fetch data from the event logging of the application, do I get the "Message" of that application?
3. How do I know which host the data is from?
I did my research but I can't fully grasp the concept just yet.
Thank you!
1. Indexes can be viewed as a named repository for data. There are multiple reasons you would want to store certain data in one index and other data in another. These include
index=* simply means search all indexes that the user has access to (if your account is limited, you will only see the indexes which you have been given permission to see)
sourcetypes are used in Splunk to identify the type of data and how fields within that data should be extracted - there's more to it than that, but that's the gist of it.
When there is no 'OR' an 'AND' is implied.
2. The short answer is yes, the message is included. Splunk generally splits Windows events into two parts where the Message field begins. Splunk does this based on sourcetype and it allows Splunk to properly extract field value pairs (e.g. AccountName=john.smith).
3. There are several fields in the data that should identify the host. The first and fastest method is simply the host field. This is valid when the environment uses the Universal Forwarder to retrieve data from the hosts. It is possible to manually load evtx files into Splunk and specify another system as the host.
If the host field doesn't match up with what you expect, you can probably refer to the Computer field.
Hope that helps.
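To tie the three answers together, here is the client's search rewritten with the implied AND made explicit, plus the fields that show where each event came from. This is an added example, not part of the original question or answer; "Application Name" is the placeholder from the question, and the search assumes the Windows events are indexed with the standard host, Computer, SourceName, EventCode and Message fields that the Splunk Windows add-on extracts.

```spl
index=* (sourcetype=WinEventLog:Application OR source=WinEventLog:Application) SourceName="Application Name"
| table _time host Computer SourceName EventCode Message
```

Splunk evaluates OR before the implied AND, so the parentheses do not change what the original string matches; they only make the grouping visible to an auditor reading it. The table shows the Message field from each event alongside host (where the forwarder ran) and Computer (the machine named inside the event). To check the caveat in point 3 about manually loaded evtx files, replace the table line with `| stats count by host Computer` and look for rows where the two fields disagree.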
Thank you! This is really helpful 🙂