Splunk Fundamentals 1 – Lab Exercises

Lab typographical conventions:

{student ID} indicates you should replace this with your student number.
(sourcetype=vendor_sales) OR (status) indicates either a source type or the name of a field.

NOTE: This is a lab environment driven by data generators with obvious limitations. This is not a
production environment. Screenshots approximate what you should see.

There are a number of source types used in these lab exercises.

Index Type Sourcetype Interesting Fields
web Online sales access_combined action, bytes, categoryId, clientip, itemId,
JSESSIONID, price, productId, product_name,
referer, referer_domain, sale_price, status,
user, useragent

security Active Directory winauthentication_security LogName, SourceName, EventCode, EventType,

User

Badge reader history_access Address_Description, Department, Device,

Email, Event_Description, First_Name,
Last_Name, rfid, Username

Web server linux_secure action, app, dest, process, src_ip, src_port,

user, vendor_action

network Email security cisco_esa dcid, icid, mailfrom, mailto, mid

data

Web security cisco_wsa_squid action, cs_method, cs_mime_type, cs_url,

appliance data cs_username, sc_bytes, sc_http_status,
sc_result_code, severity, src_ip, status,
url, usage, x_mcafee_virus_name,
x_wbrs_score, x_webcat_code_abbr

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 1
Module 1 Lab Exercise – Introducing Splunk
Description
Log into Splunk, change your account settings, and explore the basic navigation and available data.

Steps
Task 1: Log into Splunk on the classroom server.

1. Direct your web browser to the class lab system, for example:
{server-name}.class.splunk.com
2. Log in with the credentials assigned by your instructor. (Your user login name is student#. For
example, student1, student2, student3, etc. Your instructor will provide you with this information.)

NOTE: When you first log in, the default app is Search & Reporting.

Task 2: Change your account settings to reflect your name and local time zone.

3. From the Splunk bar, click your user login name (for example, student1).
a) Click Account Settings.

b) In the Full name field, replace the value that appears with your full name (i.e., first name
followed by surname) and click Save.
c) Click the refresh button on your browser and ensure that your name now appears in the
Splunk bar.
4. Click your user login name on the Splunk bar, and select Preferences.
a) From the Time zone dropdown, select your local time zone.
b) Take a moment to look at the Default application options. Home represents the Launcher
app. Set the Default application to Home.
c) Click Apply.
d) Click the splunk> logo in the upper left corner. This brings you back to Home.

NOTE: The purpose of the splunk> logo in the top-left corner is to allow you to quickly access your
default app.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 2
Task 3: Explore the basic Splunk navigation of Search & Reporting.

5. Under Apps, in the left-side column, click Search & Reporting. If you are prompted to take a tour,
click Skip.

NOTE: Once you are in an app, you can always navigate to other apps by clicking the App menu to the
right of the splunk> logo.

6. Take a moment to notice the Documentation, Tutorial and Data Summary buttons on the Search
view. (If you click any of these buttons, a new window or browser tab opens. Be sure to close the new
window or browser tab before proceeding.)
a) Under What to Search, notice how many events are indexed in your lab environment and
how long ago the earliest event was indexed. Notice that the number of events is increasing
as new data arrives in Splunk.

b) Under What to Search, click the Data Summary button.

c) Click the Sourcetypes tab.

d) Observe the available sourcetypes. Can you identify what data might be associated with
some of these sourcetypes?
e) Close the Data Summary window and return to the Home view. (Recall that you can return
to the Home view by clicking the splunk> logo in the upper-left corner of the Splunk user
interface.)

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 3
7. In the app navigation bar, click Reports. Observe the options on the Reports page.

8. In the app navigation bar, click Dashboards. Observe the options on the Dashboard page.
Later in this course, you will learn what dashboards are, how to create them, and how to use them.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 4
9. From the Splunk bar, click Settings. Observe the settings options that appear.

10. From the Splunk bar, click Help. Observe the options that appear.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 5
Module 2 Lab Exercise – Searching
Description
As your first assignment, your manager has asked you to explore failed login attempts.

Steps
Task 1: Perform a basic search.

1. Navigate to the CLASS: Fundamentals 1 app. (If you are in the Launcher app, click CLASS:
Fundamentals 1 from the column on the left side of the screen. You can also select the app from the
App: menu at the top left of the Splunk bar.)

2. In the search bar, type the search: error OR fail*

NOTE: Remember that Booleans such as AND, OR, and NOT must be typed in uppercase.

a) Make sure the time range picker is set to the time range Last 24 hours, then click the
Search button . The search executes.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 6
 b) Review the search results. Observe that your search terms are highlighted in the results.
You may need to scroll down or click Format > Max Lines > All Lines to see the highlighted
text.

c) Use the paginator and click Next (located under the timeline on the right) to page through
and see more results.

Task 2: Start a new search. Narrow your results.

3. To start a new search, click on Search in the app menu (above the search bar).
a) Search for fail* password over the Week to date.
Week to date is located in the Presets section of the time range picker.

b) Review the results and notice the host value for a few of the events. You are only interested
in events from the mailsv1 host.
c) Modify the search to get information about failed logins for that server. At the end of the
search string, type: host=mailsv1

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 7
 d) Click the Search button or press Enter to run the search.
e) Move your mouse cursor over the timeline. Take note of what each element of the timeline
represents. For example, if you click on a column, you can see the total number events
returned for that 1-hour segment in the timeline.
f) Above the timeline, click –Zoom Out to expand the time range until each column represents
one day. Note that the time range picker is now looking at data over the past month.
g) Page through the results. There are many login failures.

NOTE: Above the results, there is a menu item that allows you to change the number of events that
display on a page. By default, this option is 20 Per Page but you can click the option to increase
or decrease that number.

Task 3: Use the timeline to look for trends in the results.

4. Look for trends in the timeline.

a) Single click one of the columns in the timeline. Look at these events.
b) Single click another column. Look at these events. If there are spikes in events that look
similar in time, your system may be the target of an attack. If there are no spikes, it has been
a good week. Optionally, look at some of the events that were returned and see if you can
spot any similarities in user names or IP addresses. (In the steps that follow, you will also do
some additional exploration of the events.)
c) Click + Zoom to Selection to re-execute the search and display only the events from the
selected column. Notice the timeline has changed and each column represents one hour.

Task 4: Use the output of your search to refine the results.

5. Click one of the user names in the search results. Note that when you click a user name, a menu
appears:

a) Click Add to search.

b) Look at the timeline to see if there are any spikes in password failures for this user.
c) If you see a spike, click that column in the timeline to zoom in on that time range.
d) Click the user name again in the results, and click Exclude from search.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 8
Task 5: Save and share results. Expand default viewing permissions to all. Extend the default
save time.

6. From the Job menu, which is below the right side of the search box, select Edit Job Settings.

a) Change the Read Permissions of the job. The default is Private. Click Everyone. For
important searches, this allows others to leverage your work.
b) Extend the Lifetime of your search. The default is that the search is saved for 10 minutes.
Click 7 days. Notice you can copy the link to your search results or bookmark its link.
c) Click Save to return to the Search view.

7. View your list of job histories from the Activity > Jobs menu.

a) Take a moment to review Owner, Events, Expires, Status, and Actions of the jobs.
(Note that if a job is running, you can use the button – located under Actions - to stop it.
This also sets the job status to Finalized.)

NOTE: When you are using Splunk at work, some jobs may still be running. If you already have enough
data, you can Finalize them to stop the search job.

b) Click on the search criteria (in blue) of the search for which you just changed the expiration to
7 days. The search reopens in the CLASS: Fundamentals 1 app.

NOTE: Opening this search does not re-execute it. It returns the same results that the original search
job returned.

c) Click Activity > Jobs. Since you didn’t change your search, it is only listed once.

NOTE: To return to the Search view, in the Splunk bar, click Apps > CLASS: Fundamentals 1. It is
also possible to return to the Search view using the Back button in your browser. This is useful
when the app bar does not appear in the browser.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 9
OPTIONAL
8. Try a few searches on your own. Practice using the features that interest you, for example:
• Wildcards, such as *
• Case sensitivity. For example, try a search with all lower case letters and then repeat the
search with some of the letters in upper case.
• Strings contained within quotation marks (")
• Comparisons using relationship specifiers, such as =, >=, <=, !=

Task 6: Use Search History to browse the search text from previous searches for possible re-use
or modification.

9. Navigate to the Search view and click > Search History to expand your search history. Unlike jobs,
which save the results of your search for a short time, here you only see your search string, which is
saved for a long time. You will often have many searches. You can filter by time or content to find a
search.

a) Click inside the Search History filter box and type error. Notice the search list is shortened.
Only the searches that contain the word error remain. Click the X in the Search History filter
box to clear the filter.
b) For one of the searches, click Add to Search. Notice that the search criteria appears in the
Search bar, but the time range still displays the default setting (last 24 hours).
c) Change the time range, optionally add to or change the search criteria, and then execute the
search.
Task 7: View your recent searches using the Jobs page.

10. In the Splunk bar (the black bar towards the top of the browser window), click Activity > Jobs.
a) For any job shown, under the Actions column, click Job > Inspect Job.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 10
 b) The Search job inspector window appears in a separate browser window, displaying data
about your search and its performance. Scroll through the information.

NOTE: After you know more about Splunk, you may want to return to this screen to get ideas about how
to optimize the performance of your searches.

c) Close the browser window containing the Search job inspector information and return to the
Jobs window.
d) Look at the list of jobs displayed and check the search strings to see if there were any
keystroke mistakes. You may see listings like " | metadata ... " or " | history ... ",
which appear when you have accessed the Expand your search history.

NOTE: One way to learn more about Splunk is to find unfamiliar terms and look them up in the
Splexicon (docs.splunk.com/Splexicon) or docs (docs.splunk.com/Documentation/Splunk).
Look up a few terms that interest you to practice finding answers to your questions.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 11
Module 3 Lab Exercise – Using Fields in Searches
Description
Explore how fields can help you with your investigations.
Steps
Task 1: Use the Fields sidebar to examine search results.

1. You should already see the Search view in the browser. If you do not, in the app navigation bar, click
Search. Search for index=web sourcetype=access_combined action=purchase
over the Last 24 hours.

NOTE: If you do not see Search in the application bar, choose the CLASS: Fundamentals 1 app from
the App menu in the topmost Splunk bar. You can also do this at any point to clear your
previous search.

NOTE: After the search finalizes, verify that the search executed in Smart Mode. The search mode
displays under the time range picker. If the search did not execute in Smart Mode, change it to
Smart Mode, and then re-execute the search.

2. Examine the Fields sidebar’s Interesting Fields list. Notice that product_name is one of the fields
returned by Splunk.

NOTE: To find some fields, you may need to open the All Fields window from the link at the top of the
Fields sidebar.

3. In the Fields sidebar, under Interesting Fields, click product_name. Notice the pop-up window
shows the top-ten purchased products. Close the window by clicking the x in the upper-right corner.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 12
4. In the Fields sidebar, under Interesting Fields, click sale_price. This field contains the product’s
discounted price for each purchase event.
a) In order to quickly view the sale_price for each event, you can make it selected. From the
sale_price field window, click Yes in the upper right corner next to Selected. Close the
sale_price field window by clicking the x in the upper right corner.

b) Notice sale_price is now a selected field in the Fields sidebar. Each event with a value
present for sale_price will have sale_price=<value> in the last line of the event.

NOTE: Neither the product_name nor the sale_price fields are actually in the raw data. Both are
being added to the search results by a lookup. Lookups will be discussed in Module 7.

5. In the Fields sidebar, under Selected Fields, click the sale_price field.
a) From the field window, click the value with the highest number of purchases (listed at the
top). Notice the field and value have been added to the search criteria in the search bar. Also,
this selection causes a new search to execute using the new search criteria.
b) Remove the sale_price field from the search criteria (by deleting it from the search text)
and re-execute the search.
6. In the Fields sidebar, under Interesting Fields, click categoryId to see which types of products
account for the most purchases. Close the window by clicking the x in the upper-right corner.
Task 2: Compare results from searches using the !=, NOT, and =* syntax.

7. Search for index=web sourcetype=access_combined with a time range of Yesterday.

How many events are returned? _______________

Change your search to the following:

index=web sourcetype=access_combined action=*

This will search for only events that have some value in the action field.

How many events are returned? _______________

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 13
8. In the Fields sidebar, under Interesting Fields, click action. Notice that the events contain five
different values for action, the most frequent of which is purchase. Close the window by clicking the
x in the upper-right corner.

9. Change the search to index=web sourcetype=access_combined NOT action=*. This will

search for only events that don’t have some value in the action field.
How many events are returned? _______________
10. In the Fields sidebar, under Interesting Fields, try to find the action field. (Hint: You won’t be able
to because none of the returned events contain that field.)
Add the number of events that were returned from your last two searches—the events that contain an
action value and the events that don’t. Does the sum equal the total number of events returned
from your first search? (If it doesn’t, try running all three searches again and be sure the time range is
set to Yesterday for each search.)
11. Change the search to index=web sourcetype=access_combined action=purchase. This
will search for only those events where the action field contains the value purchase.
12. In the Fields sidebar, under Interesting Fields, click action. Notice that you now see only one
possible value, purchase. (If this isn’t what you see, double-check that your search string is correct.)
Close the window by clicking the x in the upper right corner.
13. Change the search to index=web sourcetype=access_combined action!=purchase. This
will search for only those events where the action field contains some value other than purchase.
How many events are returned? _______________
14. In the Fields sidebar, under Interesting Fields, click action. Notice that you now see all possible
values except purchase. Close the window by clicking the x in the upper right corner.
15. Change the search to index=web sourcetype=access_combined NOT action=purchase.
This will search for those events where the action field contains some value other than purchase
and for events where the action field contains no value at all.
How many events are returned? _______________
16. Verify that the number of events returned from the search using NOT is greater than the number
returned using !=. (If it isn’t, check your syntax, run the searches again, and be sure the time range is
set to Yesterday for each search.)

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 14
Module 4 Lab Exercise – Creating Reports and Dashboards
Description
You will save a search as a report, create a report from the Fields sidebar, and examine it in the Statistics
and Visualization tabs. You will also build some dashboards to display these reports.

Steps
Task 1: Save a search as a report.

1. Navigate to the CLASS: Fundamentals 1 app Search view.

Search for index=security sourcetype=linux_secure password fail* root over the
last 24 hours.
2. From the Save As menu (located above the time picker), select Report.
a) Name the report analyst_report_FailedRootLoginsLast24Hours.
b) Leave the default Yes for the time range picker option, and then click Save.
3. In the Your Report Has Been Created dialog, click View.

4. Click Reports. You can see the reports to which you have access. (You can re-execute a report by
clicking the title, or view or edit the search by clicking Open In Search.) Examine the All, Your, and
This App’s list of saved reports.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 15
Task 2: Create a report using the Fields sidebar and view it on the Statistics and Visualization
tabs.

5. In the app navigation bar, click Search to start a new search. (This will exit from the underlying
search of the previous report and return you to a blank search.)
6. Search for index=web sourcetype=access_combined status>=400 status<=600
(action=purchase OR action=addtocart) over the Last 7 days.
a) In the Fields sidebar, under Selected Fields, click the host field.
b) Select the Report: Top values by time. A line chart displays on the Visualization tab.
c) If a line chart does not appear, then select it. You can do this by clicking the name of the
current visualization in the upper-left corner of the chart; the Visualization dialog appears as
shown below. When you hover over a formatting icon, the icon name appears towards the
bottom of the dialog.

d) Look at the search string. Notice the timechart command was added to the search
automatically. The command transformed the results into a data structure required for
visualizations.
7. Click the Statistics tab. Notice that there is a row for each day over the past week, and each row
contains event counts by host for that day.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 16
8. Click the Visualization tab to return to the line chart.
a) Select Save As > Report.
b) In the Save As Report dialog, for the Title, enter
analyst_report_IncompleteSalesLast7Days.
c) Leave the other settings at their defaults values, and click Save to save the report.
d) Click View to display the report.

OPTIONAL (Steps 9 – 11)

9. Go to the Search view of the CLASS: Fundamentals 1 app. Use the > Search History link to
expand your search history and go back to the following search:
status>=400 status<=600(action=purchase OR action=addtocart)
a) Run the search over Last 24 hours.
b) In the fields sidebar, click status. (If status does not appear under Selected Fields, look
under Interesting Fields.)
c) Examine the status values. Is there a type of error that is significantly more common than
others? (The result will vary based on when you run your search. Example answer: 503.)
d) Click Top values by time. If a line chart does not appear, then select it. (If you don’t
remember how, review Step 6.)
10. Examine the chart for spikes you may want to explore in more depth. If you see a spike, click on it.
11. Splunk will return to the Events tab with your search zoomed in on - just the errors for the status and
the point in time you clicked on the chart. Now you can examine events for a spike at a specific time.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 17
Task 3: Add your report to a dashboard.

12. Navigate to the Search view.

13. In the app navigation bar, click Reports. On the Reports screen, click Yours. Select the report you
created earlier, analyst_report_IncompleteSalesLast7Days.
14. Click Add to Dashboard (in the upper-right corner of the browser.)
a) Leave the default setting for the Dashboard field at New. In the Dashboard Title field, type:
Ops Dashboard
b) In the Panel Title field, enter a name for your panel: Incomplete Sales - Last 7 Days and
click Save.
c) In the confirmation dialog, click View Dashboard to display the dashboard you created.

d) Click the Edit button.

NOTE: While in edit mode, you can add panels or modify existing panels.

e) In the Incomplete Sales – Last 7 Days panel, click the second of the four upper-right corner

icons . Experiment with other visualization types by clicking their names. When you

are finished experimenting, click to return to the Line Chart visualization.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 18
Task 4: Add a panel to the dashboard from a report.

15. Click the +Add Panel button, and then click New from Report.
a) Under New from Report, click the report you created earlier,
analyst_report_FailedRootLoginsLast24Hours.

NOTE: You may have to hover your cursor over the report icons in the list in order to see the full names
of the reports.

b) Click Add to Dashboard and click X to close the Add Panel dialog.
c) In the Panel Title field for the new panel (where it currently reads “No title” in grey), enter a
name for the new panel: Failed Logins for Root – Last 24 Hours.
d) Remove the prefilled subtitle for the panel (analyst_report_FailedRootLoginsLast24Hours)
by clicking in the Panel Subtitle field and deleting the text.
When done, click anywhere outside the title box to deselect it.
e) Click the dotted bar at the top of the Failed Logins for Root panel and drag to position it to
the right of the top panel. The panels should display side-by-side.
f) Click Save.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 19
OPTIONAL (Steps 16 – 19)
16. On the app navigation bar, click Dashboards.
a) For the Ops Dashboard, in the Actions column, click Edit > Edit Panels.

b) On the Incomplete Sales – Last 7 Days panel, explore the options under the paintbrush

icon . For example, try substituting a Custom Title for the X-axis.
c) Enable the drilldown feature on the Incomplete Sales – Last 7 Days panel by clicking the

three vertical dots in the upper right corner of the panel, clicking Edit Drilldown, and
changing the On Click option to Link to search.
d) Click Apply to apply the change, then click Save to save the dashboard.
17. Click on the panel for which you enabled the drilldown feature to test whether it drills down to the
underlying search.

NOTE: Depending on your browser, you may get a popup window with the message, “Are you sure you
want to leave this page?” This is strictly a feature of your browser, not of Splunk. If you receive
this message, click Leave and your browser will reload to show you the drilldown search results.

18. Return to the dashboard by clicking the back button on your browser.
19. Click the Edit button and try modifying some of the other settings on your panels. For example, try
rotating the axis labels or exploring the legend display options. When done, return to the Search view.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 20
Module 5 Lab Exercise – Splunk’s Search Language
Description
Get familiar with Splunk’s search language and some basic commands.

NOTE: Do not copy and paste text from the lab document. Quotes and double-quotes may not appear
as intended.

Steps
Task 1: Check for authentication failures on the web servers in the last 60 minutes.

Final Results Example:

1. Click your user login name on the navigation bar and select Preferences.
a) Change the Default application to the CLASS: Fundamentals 1 app.
b) Click Apply.
2. Click the splunk> logo in the upper-left corner. This brings you back to the Search view of your new
default app, CLASS: Fundamentals 1.
3. Search the web server (index=security sourcetype=linux_secure) for events during the
last 60 minutes.

NOTE: Throughout the rest of the lab exercises, you will see search examples shown in parentheses,
such as in the step above. Type only what’s inside the parentheses—that is, the text that’s in
Courier font—not the parentheses themselves.

a) Modify your search to look for failed password attempts by invalid users.
b) Narrow your search to only look for events associated with administrator user accounts
(user accounts that begin with “admin”).

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 21
4. Using the fields command, extract only the user, src_ip, and app fields.

Notice that although there are now two parts to your search, a base search and a fields command,
both parts are on the same line.
5. To improve legibility, you’re going to turn on search auto-formatting.
a) From the Splunk bar (the black bar at the top of the browser window), click your name.
b) Click Preferences.
c) Click SPL Editor.
d) Click the Search auto-format button to turn auto-formatting on.
e) Click Apply.
6. Click Search in order to clear the search you previously typed.
Re-type and run the same search as above. Notice that now auto-formatting automatically inserts line
breaks whenever you type a pipe ( | ) in your search.

NOTE: Auto-formatting only works if you type the search anew. If you just retrieved the previous search
from the search history, it would not be auto-formatted.

Results Example:

7. Save your search as a report, with the title L5S1. (Save As > Report)
a) Click Save and then click View to view the report.
b) Click Search to return to the Search view.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 22
Task 2: Display all online sales activity over the last 60 minutes as a table and experiment with
different column and sort orders.

Final Results Example:

8. Search online sales for all events containing an action and a product ID (index=web
sourcetype=access_combined action=* productId=*) during the last 60 minutes and use
the fields command to extract only the clientip, productId, and action fields.

9. Replace the fields command with a table command to display the results in a table, using the
same fields as columns (clientip, productId, and action).
index=web sourcetype=access_combined action=* productId=*
Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 23
10. Sort the table by clientip.
Results Example:

11. Reorder the columns in the table command so that productId is now the first column and
clientip is the second column. Notice that even though the order of the columns changes, the
table rows are still sorted by clientip, not by productId.
Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 24
12. Change the sort order to sort the table by productId.
Results Example:

13. Change the sort order to sort the table by productId first, then by clientip within each
productId.
Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 25
14. Now change the sort order to sort the table by productId in ascending order (the default), and by
clientip within each productId in descending order.
Results Example:

15. Finally, to make the table easier for non-IT employees to read and understand, rename the
productId column to "Product #," the clientip column to "Client IP Address", and the action
column to "Action Taken.”

NOTE: Remember, if a new field name includes spaces, it must be enclosed in double-quotes.
Results Example:

16. Save your search as a report, L5S2. (Save As > Report)

a) Click View to view the report.
b) Click Search to return to the Search view.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 26
Task 3: Display the same search with duplicate values removed.

Final Results Example:

17. In the Search view, click > Search History to expand your search history.
a) Find your last search and click Add to Search.
b) Run the search again over the last 60 minutes.

Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 27
18. Notice that the table contains duplicate values for both Product # (productId) and Client IP Address
(clientip). Use dedup to remove the duplicate products.

NOTE: As a best practice and for best performance, place dedup as early in the search as possible.

Results Example:

19. Notice that now each productId only appears once. In order to accomplish this, many clientip
values have been suppressed. Now change the dedup clause to remove only duplicate client IP
addresses.

Results Example:

20. Notice that each IP address now appears only once. So even if a particular IP address is associated
with multiple products, only one of those events displays in the table; the other is suppressed to
accommodate the request to not show duplicate IP addresses.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 28
21. Finally, use dedup to remove both duplicate products and duplicate IP addresses. Now, each unique
product-IP address combination appears only once.
Results Example:

22. Save your search as a report, L5S3. (Save As > Report)

a) Click View to view the report.
b) Click Search to return to the Search view.

OPTIONAL (Steps 23 – 24)

23. Search online sales (index=web sourcetype=access_combined) during the last 4 hours for all
purchase events (action=purchase) that encountered a server problem (status>399). Using the
table command, display only the clientip, host, and status columns. Rename the clientip
column to “Customer IP,” the host column to “Web Server,” and the status column to “HTTP
Status.”

Results Example:

24. Click Save As to save your search as a report, L5C1.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 29
Lab Exercise 6 – Transforming Commands
Description
This lab exercise reinforces the top, rare, and stats commands.

Steps
Task 1: Find out from where visitors to our website are coming.

Final Results Example:

1. Search online sales (index=web sourcetype=access_combined) during the Last 24 hours for
all referer domains (referer_domain) except http://www.buttercupgames.com.

2. Use the top command with the limit option to display the top two referrer domains.
Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 30
3. Use the showperc option of top to remove the percent column from the display.

Results Example:

4. Switch to the Visualization tab.

5. Change the visualization from whatever’s currently displaying to the pie chart .
Results Example:

6. Save your search as report, L6S1.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 31
Task 2: Add this search to your IT Ops dashboard.

7. In the Your Report Has Been Created dialog, click Add to Dashboard.

a) Add this report to your existing Ops Dashboard and name the panel Top Domains.
b) Click Save.

8. In the Your Dashboard Panel Has Been Created dialog, click View Dashboard.
a) Click Edit and rearrange your panels so the dashboard looks like the example below.
b) Click Save.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 32
Task 3: Display the top status codes for each of our web servers.

Final Results Example:

9. Search online sales (index=web sourcetype=access_combined) during the last 24 hours.

a) Use top to display the top 2 status codes.
b) Hide the count field.
Results Example:

10. Add a by clause to display the top two status codes for each host.
Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 33
11. Sort the results in ascending order on the host column and descending order on the percent
column.

Results Example:

12. Save your search as report, L6S2.

Task 4: Identify the types of content employees are viewing. Report the rare types, as these can
potentially be malicious.

13. Search the web appliance events (index=network sourcetype=cisco_wsa_squid) during the
last 24 hours.
14. Use the rare command to display the 3 least common content types (cs_mime_type).

Results Example:

15. Save your search as report, L6S3.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 34
Task 5: Count the number of employee badge swipes by location during the last 24 hours.

Final Results Example:

16. Search for employee badge swipes (index=security sourcetype=history_access) during the
last 24 hours.
Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 35
17. Modify your search to display the distinct count of Username by location (Address_Description).

Results Example:

18. Without using a separate rename command, rename the dc(Username) column to
"Badged in Users".
Results Example:

19. Click the Visualization tab, and change the visualization to a Bar Chart.
Results Example:

20. Save your search as report, L6S4.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 36
Task 6: List the users (without duplicates) on the AD/DNS server during the last 4 hours.

21. Search Active Directory data (index=security sourcetype=winauthentication_security)

for events during the last 4 hours.

NOTE: You may need to expand the time range if you don’t get any results over the last 4 hours.

Results Example:

22. Use stats to display a list of unique users (User). Rename the column User.
Results Example:

23. Save your search as report, L6S5.

CHALLENGE Exercise:
Calculate the number of events, the average price, and the total price for each action in the online
store during the previous week.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 37
Final Results Example:

24. Search online sales (index=web sourcetype=access_combined) for events containing a value
in the action field during the Previous week.
25. Count the results by action.
Results Example:

26. Modify your search to compute the average price as “Average Price” and the sum of price as "Total
Amount". Rename the count column (that displays the action counts) as “Total Events” and rename
action to Action.
Results Example:

27. Save your search as report, L6C1.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 38
Module 7 Lab Exercise – Creating Lookups
Description
In this lab exercise, you create a new automatic lookup that provides additional information for the
access_combined source type.

Steps

Scenario: The access_combined source type contains http status codes, but not the code
definitions. Apply a lookup to the access_combined source type to make the code
definitions available as fields.

Task 1: Add a lookup file.

1. Be sure you’re in the CLASS: Fundamentals 1 app.

2. Navigate to: Settings > Lookups > Lookup table files.
3. Click New Lookup Table File.
a) Save the lookup table file with these values:
• Destination app: class_Fund1
• File: status_definitions.csv
• Destination filename: status_definitions.csv
b) Click Save.

Task 2: Create a lookup definition.

4. Navigate to Settings > Lookups > Lookup definitions.

5. Click New Lookup Definition.
a) Save the lookup definition with these values:
• Destination app: class_Fund1
• Name: status_definitions_lookup
• Type: File-based
• Lookup file: status_definitions.csv
b) Click Save.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 39
Task 3: Verify the lookup definition.

6. Return to the CLASS: Fundamentals 1 app.

7. Use the inputlookup command with the name of the lookup definition to verify the contents of the
lookup file and that the lookup definition was created correctly.

Results Example:

Task 4: Use your lookup in a search.

8. Search the online store data for the last 24 hours for all events that do not have a status of 200. Use
the lookup command to reference the file you just created and the input field of status. Use the
OUTPUT option to output status_description and status_type. Use the stats command to
get a count by host, status_description, and status_type.

Results Example:

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 40
Task 5: Create an automatic lookup definition.

9. Navigate to Settings > Lookups > Automatic lookups.

10. Click New Automatic Lookup.
a) Create the automatic lookup with these values:
• Destination app: class_Fund1
• Name: status_definitions_auto_lookup
• Lookup table: status_definitions_lookup
• Apply to: sourcetype
• Named: access_combined
• Lookup input fields: status = status
• Lookup output fields:
o status_description = StatusDescription
o status_type = StatusType
b) Click Save.

NOTE: It may take a few moments before the automatic lookup starts working.

Task 6: Verify your automatic lookup is working.

11. Search the online store data and get a count by host, StatusDescription, and StatusType
over the Last 24 hours.

NOTE: Notice that the lookup command is not included in this search. It may take a few minutes for the
automatic lookup to take effect.

Results Example:

12. Change the search mode to Verbose mode and click the Events tab. Notice that the lookup fields
also now appear in the fields sidebar.
13. Change the search mode back to Smart mode.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 41
Module 8 Lab Exercise – Creating Alerts

Description
Create a real-time alert for multiple failed logins.
Steps
Task 1: Create a search to identify specific types of failed logins.

1. Search for all events in the Linux secure logs over the Last 60 minutes.
2. Add the keywords failed AND password NOT invalid. Re-run the search.

Task 2: Create and view an alert.

3. From the Save As menu, select Alert.

a) Name the alert: <student name> - Login Attempts
b) For Alert type, select Real-time.
c) Leave Expires at 24 hour(s).
d) For Trigger alert when, select Number of Results.
e) Set the number of results to: is greater than 0.

NOTE: This setting is set to 0 for testing. Once the alert is verified, you can change this value.
f) The in field should be set to 1 minute.
g) For Trigger, select For each result.
h) Check the Throttle checkbox.
i) For Suppress results containing field value, type: host
j) Make sure Suppress triggering for is set to 60 second(s).
k) Click Add Actions and select Add to Triggered Alerts.
l) Set the Severity to High.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 42
 m) Click Save.

Example:

4. Click View Alert. You should see an overview screen describing your new alert.

Example:

5. From the Splunk bar, click Activity > Triggered Alerts.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 43
6. Select your student ID from the Owner menu and view the triggered alerts.

NOTE: It may take a few minutes for your alert to appear.

Example:

7. Click the View results link on a triggered alert to see the event(s) that caused the alert.

Task 3: Disable the alert.

8. From the App dropdown menu, choose CLASS: Fundamentals 1 to return to the Search view.
9. In the App navigation bar, click Alerts.
a) For the row containing your alert, click Edit, then Disable.
b) When the Disable dialog appears, click Disable.

© 2019 Splunk Inc. All rights reserved. Splunk Fundamentals 1 January 8, 2020 44