
Searching and Reporting with Splunk 6.3 - Lab Guide
Lab typographical conventions:
Square brackets, as in [sourcetype=vendor_sales] or [cs_mime_type], enclose a search term or a field name. Type only the contents into the search bar; the brackets are a typographical convention, not part of the search (in SPL, square brackets denote a subsearch).

There are a number of source types used in these lab exercises. The lab instructions refer to these source types by the types of data they represent:

Type                    Sourcetype                  Interesting Fields
AD/DNS                  winauthentication_security  bcg_ip, bcg_workstation, fname, lname, location, rfid, splunk_role
Badge reader            history_access              Address_Description, Department, Device, Email, Event_Description, First_Name, last_Name, Rfid, Username
BI server               sales_entries               AcctCode, CustomerID, TransactionID
Email data              cisco_esa                   dcid, icid, mailfrom, mailto, mid
Web appliance data      cisco_wsa_squid             action, bandwidth, cs_method, cs_mime_type, cs_url, cs_username, sc_bytes, sc_http_status, sc_result_code, severity, src_ip, status, url, usage, x_mcafee_virus_name, x_wbrs_score, x_webcat_code_abbr
Online transactions     access_combined             action, bytes, categoryId, clientip, itemId, JSESSIONID, price, productId, product_name, referer, referer_domain, sale_price, status, user, useragent
Retail sales            vendor_sales                AcctID, categoryId, product_name, productId, sale_price, Vendor, VendorCity, VendorCountry, VendorID, VendorStateProvince
Web server login info   linux_secure                action, app, COMMAND, dest, process, src_city, src_country, src_ip, src_port, user, vendor_action

© 2015 Splunk Inc. All rights reserved. Searching and Reporting with Splunk 6.3 April 11, 2016 1
Lab Exercise 1 – Introduction and Review
Note: Each lab document has two sections. The first section includes the lab instructions without answers. The second
section includes lab instructions with the expected search string (answer) in red.

Description
This is a short lab exercise to familiarize you with the Buttercup Games data used in this course.
NOTE: If at any point you do not see results, check your search syntax and/or expand your time range.
Steps
Task 1: Set your name and time zone.
1. Click your student ID (455-xxxxxxx) on the navigation bar and select Edit Account.
2. In the Full Name field, enter your name.
3. From the Time zone menu, select your local time zone.
4. Un-check Restart backgrounded jobs.
5. Click Save.
6. Click the splunk> logo at the top left of the window to return to the Search & Reporting app.
Task 2: Review the available source types.
7. From the Search page, click Data Summary.
8. Examine the available source types on the Sourcetypes tab.
9. Close the Data Summary window.
Task 3: Explore web server events.
10. Search for all web server events [sourcetype=linux_secure] during the last 15 minutes.
Results Example:

Note: As you progress through the exercises, your results will differ from the example, but they should look similar to it.
11. In the Fields sidebar, click All Fields.
12. Review the values for the following fields:
• action
• app
• dest
• process
• src_ip
• user
• vendor_action
13. Close the Select Fields window.

14. Expand one of the returned results and view the fields and values in the event.
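To see where the field values reviewed in step 12 come from, the following added example (not part of the Splunk lab or its data) parses a handful of constructed /var/log/secure-style lines into the same field names the lab lists for linux_secure, then counts failed logins per source address, which is the first thing an analyst looks for in this data. The sample lines, the success/failure mapping used for action and the app values are assumptions made here; they approximate, but are not taken from, Splunk's own linux_secure field extractions.

```python
import re
from collections import Counter

# Constructed sample events in /var/log/secure (linux_secure) shape.
# These are NOT the lab's data; they imitate sshd and sudo syslog lines.
SAMPLE_EVENTS = """\
Apr 11 09:01:12 www1 sshd[4821]: Failed password for invalid user admin from 203.0.113.77 port 51234 ssh2
Apr 11 09:01:15 www1 sshd[4821]: Failed password for root from 203.0.113.77 port 51240 ssh2
Apr 11 09:01:19 www1 sshd[4823]: Failed password for root from 203.0.113.77 port 51246 ssh2
Apr 11 09:02:03 www1 sshd[4830]: Accepted password for deploy from 198.51.100.5 port 40022 ssh2
Apr 11 09:03:40 www1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart httpd
Apr 11 09:04:11 www2 sshd[2207]: Accepted publickey for deploy from 198.51.100.5 port 40030 ssh2
Apr 11 09:05:00 www2 sshd[2210]: Failed password for invalid user test from 192.0.2.200 port 60001 ssh2
"""

# syslog envelope: timestamp, host (dest), process name with optional [pid], message
SYSLOG_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<dest>\S+) (?P<process>[A-Za-z_][\w-]*)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$'
)
# sshd authentication outcome: vendor_action keeps the daemon's own wording
SSHD_RE = re.compile(
    r'^(?P<vendor_action>Failed password|Accepted (?:password|publickey)) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2$'
)
# sudo: "   user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(r'^\s*(?P<user>\S+) : .*?COMMAND=(?P<COMMAND>.*)$')


def extract_fields(line):
    """Return a dict of fields for one linux_secure event, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {k: v for k, v in m.groupdict().items() if v is not None}
    message = ev.pop("message")
    if ev["process"] == "sshd":
        s = SSHD_RE.match(message)
        if s:
            ev.update(s.groupdict())
            ev["app"] = "sshd"  # assumed value, not Splunk's exact extraction
            # action is a normalised success/failure derived from vendor_action (assumption)
            ev["action"] = "failure" if ev["vendor_action"].startswith("Failed") else "success"
    elif ev["process"] == "sudo":
        s = SUDO_RE.match(message)
        if s:
            ev.update(s.groupdict())
            ev["app"] = "sudo"
            ev["action"] = "success"
    return ev


def parse_events(text):
    """Parse every line of a log blob, dropping lines that do not match the envelope."""
    return [ev for ev in (extract_fields(l) for l in text.splitlines()) if ev]


def failed_logins_by_src(events):
    """Count failed authentications per source address, most active first."""
    return Counter(ev["src_ip"] for ev in events if ev.get("action") == "failure").most_common()


def users_tried_from(events, src_ip):
    """Distinct usernames attempted from one source; invalid-user probes show up here."""
    return sorted({ev["user"] for ev in events if ev.get("src_ip") == src_ip})


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for ev in events[:2]:
        print(ev)
    print(failed_logins_by_src(events))
    print(users_tried_from(events, "203.0.113.77"))
```

Running the block prints the field dictionaries for the first two events, then the failed-login count per src_ip; the repeated failures from one address against root and a non-existent user are the pattern the action, user and src_ip fields exist to surface.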

Task 4: Explore web appliance events.
15. To clear the previous search, click Search in the navigation bar.
16. Search for all web appliance events [sourcetype=cisco_wsa_squid] during the last 24 hours.
Results Example:

17. Examine the fields in the Fields sidebar.
18. Review the values for the following fields:
• action
• bcg_ip
• bcg_workstation
• cs_username
• rfid
• usage
• username
• x_webcat_code_full
Task 5: Explore corporate network events.
19. Search for network events [sourcetype=winauthentication_security] during the last 24 hours.

Results Example:

20. Review the values for the following fields:
• ComputerName
• Message
• User
• Location
NOTE: If you do not see a field in the Fields sidebar, click All Fields. By default the sidebar lists only the fields that occur in at least 20% of the returned events.
Task 6: Explore retail sales events.
21. To clear the previous search, click Search in the navigation bar.
22. Search for retail sales events [sourcetype=vendor_sales] during the last 24 hours.
Results Example:

23. Notice the fields in the Fields sidebar that were automatically extracted.
24. Review the values for the following fields:
• AcctID
• categoryId
• product_name
• Vendor
• VendorCountry
25. Expand one of the returned results and view the fields and values in the event.
NOTE: The values of the product_name field contain information for Buttercup Games products.
26. Search for retail sales from Canada. [sourcetype=vendor_sales VendorCountry=Canada]
Task 7: Explore online sales events.
27. To clear the previous search, click Search in the navigation bar.
28. Search for online sales events [sourcetype=access_combined] during the last 24 hours.

Results Example:

Notice the number of events returned.

29. Notice the fields in the Fields sidebar that were automatically extracted.
30. Review the values for the following fields:
• action
• categoryId
• clientip
• price
• referer
• referer_domain
• status
• useragent
31. Modify your search to return only purchase events.
HINT: action=purchase
32. Notice the number of events returned. Because you have narrowed your search to only purchases, there
are fewer events than before.
NOTE: The number of events returned depends on the time range you selected. Also, unless you selected a fixed time range (for example Previous … or Yesterday), new events keep arriving, so rerunning the search returns a different, usually larger, set of results.
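The narrowing in step 31 works because Splunk extracts action, itemId and JSESSIONID from the query string of each request, and clientip, status, referer and useragent from the fixed positions of the Apache combined log format. As an added example (not from the lab or from Splunk), the following parses constructed access_combined lines into those fields and applies the same filter, so you can see why action=purchase returns fewer events and how a second term such as status=200 narrows further. The sample events and the referer_domain derivation are assumptions made here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample events in Apache "combined" format (the access_combined
# source type). NOT the lab's data; shaped like Buttercup Games web requests.
SAMPLE_EVENTS = """\
203.0.113.17 - - [11/Apr/2016:09:12:01 -0700] "GET /cart.do?action=view&itemId=EST-15&JSESSIONID=SD5SL1FF4ADFF5 HTTP/1.1" 200 3321 "http://www.buttercupgames.com/category.screen?categoryId=STRATEGY" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/45.0"
203.0.113.17 - - [11/Apr/2016:09:12:44 -0700] "POST /cart.do?action=purchase&itemId=EST-15&JSESSIONID=SD5SL1FF4ADFF5 HTTP/1.1" 200 2154 "http://www.buttercupgames.com/cart.do?action=view&itemId=EST-15" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/45.0"
198.51.100.9 - - [11/Apr/2016:09:13:10 -0700] "GET /product.screen?productId=WC-SH-G04&JSESSIONID=SD9SL2FF8ADFF0 HTTP/1.1" 200 4012 "http://www.google.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.5"
198.51.100.9 - - [11/Apr/2016:09:14:02 -0700] "POST /cart.do?action=purchase&itemId=EST-26&JSESSIONID=SD9SL2FF8ADFF0 HTTP/1.1" 503 1318 "http://www.buttercupgames.com/cart.do?action=addtocart&itemId=EST-26" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.5"
192.0.2.44 - - [11/Apr/2016:09:15:27 -0700] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.47.0"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def extract_fields(line):
    """Return the fields for one access_combined event, or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    # action, itemId, productId, categoryId and JSESSIONID live in the request's query string.
    qs = parse_qs(urlsplit(ev["uri"]).query)
    for key in ("action", "itemId", "productId", "categoryId", "JSESSIONID"):
        if key in qs:
            ev[key] = qs[key][0]
    # referer_domain: host part of the Referer header; "-" means the client sent none (assumed derivation).
    ev["referer_domain"] = urlsplit(ev["referer"]).hostname if ev["referer"] != "-" else None
    return ev


def search(events_text, **filters):
    """Mimic a simple field=value search: keep events whose fields equal every filter value."""
    results = []
    for line in events_text.splitlines():
        ev = extract_fields(line)
        if ev is None:
            continue
        if all(str(ev.get(k)) == str(v) for k, v in filters.items()):
            results.append(ev)
    return results


def count_by(events, field):
    """Count events per value of one field (what the Fields sidebar shows as top values)."""
    return Counter(ev.get(field) for ev in events)


if __name__ == "__main__":
    everything = search(SAMPLE_EVENTS)
    purchases = search(SAMPLE_EVENTS, action="purchase")
    print(len(everything), "events;", len(purchases), "purchases;",
          len(search(SAMPLE_EVENTS, action="purchase", status=200)), "successful purchases")
    print(count_by(everything, "clientip"))
    print(count_by(everything, "referer_domain"))
```

The failed purchase (status 503) is kept by action=purchase alone and dropped once status=200 is added, which is the same progressive narrowing the lab has you do in the search bar; the favicon request has no action field at all, so any action=… term excludes it.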

Lab Exercise 1 – Introduction and Review with Solutions
Description
This is a short lab exercise to familiarize you with the Buttercup Games data used in this course.
NOTE: If at any point you do not see results, check your search syntax and/or expand your time range.
Steps
Task 1: Set your name and time zone.
33. Click your student ID (455-xxxxxxx) on the navigation bar and select Edit Account.
34. In the Full Name field, enter your name.
35. From the Time zone menu, select your local time zone.
36. Un-check Restart backgrounded jobs.
37. Click Save.
38. Click the splunk> logo at the top left of the window to return to the Search & Reporting app.
Task 2: Review the available source types.
39. From the Search page, click Data Summary.
40. Examine the available source types on the Sourcetypes tab.
41. Close the Data Summary window.
Task 3: Explore web server events.
42. Search for all web server events [sourcetype=linux_secure] during the last 15 minutes.
sourcetype=linux_secure
Results Example:

Note: As you progress through the exercises, your results will differ from the example, but they should look similar to it.
43. In the Fields sidebar, click All Fields.
44. Review the values for the following fields:
• action
• app
• dest
• process
• src_ip
• user
• vendor_action
45. Close the Select Fields window.

46. Expand one of the returned results and view the fields and values in the event.

Task 4: Explore web appliance events.
47. To clear the previous search, click Search in the navigation bar.
48. Search for all web appliance events [sourcetype=cisco_wsa_squid] during the last 24 hours.
sourcetype=cisco_wsa_squid
Results Example:

49. Examine the fields in the Fields sidebar.
50. Review the values for the following fields:
• action
• bcg_ip
• bcg_workstation
• cs_username
• rfid
• usage
• username
• x_webcat_code_full
Task 5: Explore corporate network events.
51. Search for network events [sourcetype=winauthentication_security] during the last 24 hours.
sourcetype=winauthentication_security

Results Example:

52. Review the values for the following fields:
• ComputerName
• Message
• User
• Location
NOTE: If you do not see a field in the Fields sidebar, click All Fields. By default the sidebar lists only the fields that occur in at least 20% of the returned events.
Task 6: Explore retail sales events.
53. To clear the previous search, click Search in the navigation bar.
54. Search for retail sales events [sourcetype=vendor_sales] during the last 24 hours.
sourcetype=vendor_sales
Results Example:

55. Notice the fields in the Fields sidebar that were automatically extracted.
56. Review the values for the following fields:
• AcctID
• categoryId
• product_name
• Vendor
• VendorCountry
57. Expand one of the returned results and view the fields and values in the event.
NOTE: The values of the product_name field contain information for Buttercup Games products.
58. Search for retail sales from Canada. [sourcetype=vendor_sales VendorCountry=Canada]
Task 7: Explore online sales events.
59. To clear the previous search, click Search in the navigation bar.
60. Search for online sales events [sourcetype=access_combined] during the last 24 hours.

Results Example:

Notice the number of events returned.

61. Notice the fields in the Fields sidebar that were automatically extracted.
62. Review the values for the following fields:
• action
• categoryId
• clientip
• price
• referer
• referer_domain
• status
• useragent
63. Modify your search to return only purchase events.
HINT: action=purchase
sourcetype=access_combined action=purchase
64. Notice the number of events returned. Because you have narrowed your search to only purchases, there
are fewer events than before.
NOTE: The number of events returned depends on the time range you selected. Also, unless you selected a fixed time range (for example Previous … or Yesterday), new events keep arriving, so rerunning the search returns a different, usually larger, set of results.
