Splunk

Splunk is a data analytics and monitoring platform that ingests, indexes, and analyzes machine-generated data (logs, metrics, traces) for security (SIEM) and IT operations (ITSM) use cases.

Key Components

Component           Role
Forwarder           Collects and forwards data (no processing).
Indexer             Parses, indexes, and stores data.
Search Head         Executes SPL queries and visualizes results.
Deployment Server   Manages configurations for forwarders.

Work with Splunk

1. Data Ingestion

  • Sources: Logs (files, APIs, syslog), metrics (CPU, memory), and streaming data (Kafka).

  • Forwarders: Lightweight agents (Splunk Universal Forwarder) collect and send data to Splunk.

2. Indexing

  • Parsing: Splunk extracts key fields (timestamps, hostnames, event types).

  • Indexing: Data is stored in time-series indexes for fast retrieval.

3. Search & Analysis

  • Search Processing Language (SPL): Splunk's query language (e.g., index="wazuh-alert" | stats count by src_ip).

  • Correlation: Detects patterns (e.g., brute-force attacks).

4. Visualization & Alerts

  • Dashboards: Custom charts/tables in Splunk Web.

  • Alerts: Trigger actions (email, webhook) when thresholds are breached.

5. Storage & Retention

  • Hot/Warm/Cold Buckets: Indexed data rolls from hot to warm to cold buckets as it ages, so older data can be moved to cheaper storage over time.

SPL (Search Processing Language) Complete Reference

1. BASIC SEARCHES

2. BOOLEAN OPERATORS

3. FIELD EXTRACTION

4. STATISTICAL COMMANDS

5. TIME FILTERS

6. ADVANCED EXAMPLES

Security Alert (Brute Force):
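The following search is an added example, not the page's original query, that puts the reference sections above together (basic search terms, the NOT boolean operator, rex field extraction, stats, and time filters) into one brute-force detection suitable for a scheduled alert. The index name `auth`, the sourcetype `linux_secure`, the sshd "Failed password" message format, the 10.0.0.0/24 range treated as an authorised vulnerability scanner, and the threshold of 10 failures per 5 minutes are all assumptions for illustration and should be adjusted to the environment.

```spl
index=auth sourcetype=linux_secure "Failed password" earliest=-24h latest=now
| rex field=_raw "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| where isnotnull(src_ip) AND NOT cidrmatch("10.0.0.0/24", src_ip)
| bin _time span=5m
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users BY _time, src_ip
| where failures >= 10
| eval pattern=if(distinct_users >= 5, "password spray", "brute force")
| sort - failures
```

Reading it top to bottom: the first line is the basic search (index, sourcetype, a literal term) bounded by time modifiers; rex extracts `user` and `src_ip` from the raw event; the first where drops events the regex did not match and excludes the assumed scanner range; bin rounds `_time` into 5-minute windows so stats counts failures per source per window; the second where applies the threshold; eval tags sources that fail against many distinct accounts as a spray rather than a single-account brute force. To turn it into an alert, save the search with a `*/5 * * * *` cron schedule, trigger on "number of results greater than 0", and throttle on `src_ip` so one noisy source does not page repeatedly.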

Application Performance:
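As an added example (not from the original page), the search below shows the same stats-and-threshold pattern applied to application performance instead of security: it flags endpoints whose 95th-percentile latency or server error rate crosses a limit in any 15-minute window. The index name `web`, the `response_time` field (assumed to be milliseconds and extracted at index or search time, since it is not a default `access_combined` field), and the 1000 ms and 5 % thresholds are assumptions for illustration.

```spl
index=web sourcetype=access_combined earliest=-4h latest=now
| bin _time span=15m
| stats count AS requests,
        count(eval(status>=500)) AS server_errors,
        avg(response_time) AS avg_ms,
        perc95(response_time) AS p95_ms
  BY _time, uri_path
| eval error_rate_pct=round(100*server_errors/requests, 2), avg_ms=round(avg_ms, 0)
| where p95_ms > 1000 OR error_rate_pct > 5
| sort - p95_ms
```

`count(eval(status>=500))` counts only rows where the condition holds, which avoids a separate search for errors, and `perc95` is used rather than `avg` because a tail-latency regression is what users actually feel. The resulting table can back a dashboard panel or, with the final `sort` left in place, an alert that lists the worst endpoint first.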
