SPLK-2002 Splunk Enterprise Certified Architect – Post Installation Activities Part 3

  1. Splunk Event Types

Hey everyone and welcome back. In today’s video we will be discussing the basics of Splunk event types. Now, event types are basically a categorization which can help you make sense of your data, so let’s understand this with an example. Let’s assume you write a query like sourcetype=access_combined status=200 action=purchase. This can mean that someone has purchased your product, and the status of 200 means it was a success.

Now what you can do is save this as an event type called success_purchase, and instead of writing the entire query you can just do eventtype=success_purchase and you will get all the results which match these specific events. Do remember, although it might look similar to a saved search, it is not, because any event that gets returned will have success_purchase associated with it as a value of its eventtype field.

So let’s understand this with a practical example, because that is what will make sense. I’m in my Splunk, I’ll go to the Search & Reporting app, and let’s say sourcetype=linux_secure with a time range of All time. Currently you see you have various events like “Failed password for invalid user” and “Failed password for root”. There is a difference between the two. “Failed password for invalid user” means that someone is trying to log into the machine with a user which does not exist, and “Failed password for root” basically means the user already exists and someone is trying to brute force into that account, so you can write a query which is similar to that. Let’s say I type failed and “invalid user”, so now you will have all the events which contain invalid user.

So now what you can do is save this as an event type here, and let’s say I name it invalid_user and click on Save. Now let’s go back to sourcetype=linux_secure. If you go a bit down you would see that there is an eventtype field, and within the eventtype field you have something called invalid_user. What it basically means is that whenever someone does sourcetype=linux_secure or something similar to that, just from the eventtype field they will be able to see a breakdown of how many of the logs in total are invalid-user kind of attempts.

So from the entire linux_secure source type you have 59.7% of the events which are of invalid_user. It makes it much easier for anyone who is reading your log files to understand. If they just look into the eventtype field they see: okay, there are this many failed logins, there are this many successful logins. If they just read it from the eventtype field, it makes much simpler sense. So similar to this, let’s create one more event type. We would be creating an event type for, let’s say, “session opened”. Let’s quickly find if you have an event which has this data. Perfect.

So “session opened” is like someone has logged in or created a session via SSH. Now you can save this as an event type; I’ll call it success_logins and click on Save. Now if you just do sourcetype=linux_secure and go by the eventtype field, you see that out of the total events you have 5.28% success_logins, and you also have failed login at 82%. In case you’re wondering where this failed login came from, it came from the event types which are prebuilt by Splunk. If you go to Settings and then Event types, you see there are many event types which are already prebuilt by Splunk.

So you have free disk space, for instance. This is an event type based on Windows logs, so it has a source type of WMI, and so on. There are a lot of event types which are already prebuilt by Splunk, and hence it becomes simpler for anyone who is looking into your log files to get some meaningful information out of them. With this, I hope you understood the difference between saved searches and event types. With event types, the great benefit is that if you just do sourcetype=linux_secure and click on the eventtype field, you can quickly see how many failed logins there are and how many successful logins there are, so you don’t really have to write any additional external query. Everything comes from the event type. With this, there are certain limitations of event types that we need to understand. The first limitation is that an event type search cannot include a pipe operator after a simple search, and you cannot have a subsearch within an event type either.
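The event types clicked together in the Splunk UI above are stored in eventtypes.conf, which is what an architect would typically deploy rather than recreating them by hand on every search head. The following file is an added example, not code from the course or from Splunk’s shipped defaults: the stanza names follow the ones created in the video, and the search strings are my reconstruction of the searches shown (the access_combined search is assumed to include the action field as the video describes). The two commented-out searches at the end illustrate the pipe and subsearch limitation just mentioned.

```ini
# $SPLUNK_HOME/etc/apps/search/local/eventtypes.conf  (added example)
# One stanza per event type; the stanza name becomes the value of the
# eventtype field on every event the search matches.

[success_purchase]
search = sourcetype=access_combined status=200 action=purchase
description = Completed purchases from the web access logs

[invalid_user]
# SSH attempts against accounts that do not exist; a high count of these
# from one source is a classic credential-guessing indicator.
search = sourcetype=linux_secure failed "invalid user"
description = Failed password for a non-existent user

[success_logins]
search = sourcetype=linux_secure "session opened"
description = Successfully opened login session

# NOT allowed in an event type: the search must be plain search terms.
# Both of the following forms (a pipe and a subsearch) are rejected.
#   search = sourcetype=linux_secure | stats count by user
#   search = sourcetype=linux_secure [search sourcetype=blocked_ips | fields src]
```

After a restart or a debug/refresh, eventtype=invalid_user returns the same events as the original search, and sourcetype=linux_secure | stats count by eventtype gives the percentage breakdown the video reads off the field sidebar. Because eventtype is attached to each event as a field, it can also be used in stats, timecharts and alerts, which a saved search cannot do.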

  2. Tags

Hey everyone, and welcome back. In today’s video we will be discussing tags. The tags feature in Splunk basically allows us to assign names to a specific field and value combination, which can be an event type, host, source, or even source type. So let’s understand a simple use case where tags will be useful. You have your network logs, and they contain various IP addresses which belong to three subnets: 109 21610, 10.77.0.0/16 and 10.66.0.0/16. Typically, if an analyst sees some IP addresses in network logs which belong to these subnets, he will not understand whether it is dev, prod or staging. So what he’ll do is refer to documentation which the network team has provided, and from there he’ll be able to analyze. However, it is better if the analyst can analyze it from Splunk itself; that is the best bet.

So what we can do is, for any IP addresses which belong here, we can assign a tag saying that this is the Singapore region VPC. For 10.77 you can assign the Mumbai region, and for 10.66 the Oregon region VPC. You can also say Singapore is production, so you can add one more tag saying this is production, this is staging, and this is the development environment. With this, it becomes much simpler for anyone who is looking into your logs to identify the information. So let’s understand this practically with one more use case.

Let’s go to the Search & Reporting app, and within the Data Summary we’ll be selecting the source type linux_secure; I’ll set the time range to All time. If you remember, during the event type demo we had created an event type called invalid_user. We can associate a tag with it as well. Let’s take the example of compliance. In compliance there is something like okay or not okay, or it may be compliant or not compliant. An invalid user is definitely not okay; security-wise, it is not okay at all. So what you can do is assign a tag called Not okay to the invalid_user event type. Go to Settings and then Event types. Within Event types, let’s search for Invalid, and this is our invalid_user.

Let’s click on it and we’ll assign a tag. This is definitely not an okay thing, so I’ll set the tag as Not okay and save it. Similarly, we know that we had created something called session opened, or let’s say Sessions, and this was our success_logins. For success_logins, let’s put a tag of okay. This is just for demonstration, to show how tags work; it does not necessarily mean that a session opened should have the tag okay.

All right, now similar to this, if you talk about access_combined logs, the logs which contain an HTTP 500 response code, or HTTP 403, which is the access denied response code, could be tagged Not okay. So now that we have created two tags, we can search by tag, or we can search by event type as well. I’ll quickly show you how it works. Let’s go by sourcetype=linux_secure. Now if you look at the tag field, you will see that there are already many tags associated; however, these are the two tags that we have created. One is Not okay, and the second is okay. Now what you can do is tag="Not okay", and you will get a list of all the events which have the tag Not okay.

Now let’s take one more example. Let’s say sourcetype=access_combined_test, and here there would be a field called response code. Let’s quickly verify whether it is response code or status. So within status you have various types of status: you have 200, which means response okay, a success status; you have 503, you have 505, you have 500, which is basically internal server error, and you also have 403. Do you have that? Let’s quickly check with stats count by status. You do not have a 403 here in this demo, but you do have the 500 error. So now what you might want to do is say that any HTTP response code like 500 should be considered not okay, and you can associate a tag with these types of events. Let’s say I put status=500 here and save this as an event type.

The event type is, let’s say, web_server_500, and I associate a tag called Not okay with it and save. Perfect. Now that you have done that, what you need to do is search for tag="Not okay" here. And now you see you will get all the events which have Not okay, primarily from linux_secure and access_combined. So this becomes much simpler. Similar to this, you can have a tag called compliant and a tag called not compliant. For compliance-related aspects, it becomes really easy for the auditor, as well as for the management, to see what is missing and what is not. So tags become really useful. Ideally you should be tagging things, and it really helps a lot in identifying issues.
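The tags assigned through Settings > Event types above land in tags.conf, where each stanza is a field=value pair and each line under it is a tag name. This file is an added example, not from the course: the tag names notok and ok stand in for the video’s “Not okay” and “okay”, the three event types are the ones the video created (web_server_500 is assumed to be defined in eventtypes.conf as sourcetype=access_combined_test status=500), and the host values used for the region and environment tags are constructed to illustrate the network example from the start of the lesson.

```ini
# $SPLUNK_HOME/etc/apps/search/local/tags.conf  (added example)
# Stanza header: [<field>=<value>]. Body: one "<tag> = enabled" line per tag.
# A tag is a label on a field/value pair, so the same tag can span
# different fields and different source types.

# Compliance-style labels on the event types created in the video
[eventtype=invalid_user]
notok = enabled

[eventtype=web_server_500]
notok = enabled

[eventtype=success_logins]
ok = enabled

# Setting a tag to disabled removes it without deleting the stanza
[eventtype=status_200]
ok = disabled

# The same mechanism on the host field: region and environment labels
# (host names are constructed for this example)
[host=sgp-web-01]
singapore_vpc = enabled
production = enabled

[host=bom-web-01]
mumbai_vpc = enabled
staging = enabled

[host=pdx-web-01]
oregon_vpc = enabled
development = enabled
```

With this in place, tag=notok returns the SSH invalid-user attempts and the HTTP 500s together, exactly as the video shows for tag="Not okay", and tag::eventtype=notok restricts the match to tags on the eventtype field. One caveat for the subnet use case: a tags.conf stanza matches an exact field value, so tagging host=sgp-web-01 works but tagging a whole 10.77.0.0/16 range does not; for IP ranges the usual approach is a CIDR lookup that produces a region field, which can then be tagged.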

  3. Splunk Event Types Priority and Coloring Scheme

Hey everyone and welcome back. In today’s video we will be discussing the feature of colored events. This is one of my favorite features in Splunk; I generally use it actively in the searches that we configure, and it really helps any management team or any analyst who is viewing the events. So let’s look into what exactly this is. Typically we group similar events by event type, so whenever you search with a wildcard like index=*, you will get a lot of events and each event will have its associated event type as a field. However, if you just look from here, it seems okay, not that great. But if you look at this now, from the color itself you might be able to determine: all red.

Red events are dangerous, orange events are less dangerous, and blue events are good enough. So if you have a color associated with individual events based on priority or severity, it makes things easy to search for any analyst or even management. In today’s video we’ll look into how exactly we can associate a color depending upon various factors. I am in my Splunk, and within the source type access_combined_test we have our test file; this is the access log file we have been using throughout our demos. Now, if you do a quick search with stats count by status, you see there are a lot of status values available. Not all of them are good: 200 is good, while 500 is not a status you would like to see. Typically, anything except 200 or maybe the 300 series is something one might not like to see at a high-level overview. So what we’ll be doing is coloring our events based on the status code.

All right, so let’s look into how this would work. As a basic scenario, I do not have an app installed right now, but typically when you install various apps for NGINX or Apache, they come with their own event types. Currently you will see that there are certain event types present by default. Always remember that if you do not need an event type, you can just disable it instead of adding an additional field to your searches. Now let’s look into the coloring part. Whatever coloring you do for events is based on the event type. Let’s say I do status=200, and now I have all the events with the status of 200. I’ll save this as an event type and call it status_200, and now you have an option for color. A 200 status code is generally considered good, so I’ll set it as green. And the priority goes from one to ten, where one is the highest and ten is the lowest.

I’ll put it as one for the time being and save it. So this is one event type. Apart from that, there can be various other status codes that you will typically see within your events, so let’s quickly find them. It seems that on the first page you have the events with 200 at first glance. Now let me just remove the status here. If I do a wildcard kind of search, you see none of the events are being colored; you have a 200 status here, even on the second event, and so on. The reason you do not have it is because of a clash. Currently you see there are a lot of event types present over here, and one of the major ones is nix-all-logs. What we can do is go to the event types and search for the event type which was present, which is nix-all-logs.

This specific event type, if you look, also has a search string, it has its priority, and its color is none, so many times what happens is that there is a clash. If you do not need a specific event type, you can just disable it so that you only have the event types which you created or which are useful for your analysts or for your searching. Now that we have disabled it, if I quickly search again, you see the events associated with the HTTP status code 200 are marked green, and this is now much easier to read. Let’s do one more thing. You also have certain events with the status 408. Let’s do status=408 and save this as an event type; I’ll name it status_408.

The priority again I’ll put as highest, and this time we’ll give it an orange color and save. Once we have saved, you can remove status=408, search by source type, and if you press search now you see you have green as well as orange events. So just by looking at the color, you will be able to determine the severity of the events, and this is extremely useful specifically if you have security logs.

Security logs might have high-, medium- or low-priority events. So if you color all the events which are of high priority, it becomes much easier for the analyst. If he’s just doing a sourcetype or index=* search, just by looking at the color it becomes much easier for him to determine: this one is orange, there is something wrong over here. He can just expand this event and look into the details of why it has an orange color associated with it. So this is what colored events are all about.
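The color and priority chosen in the event type dialog are two attributes of the same eventtypes.conf stanza, and the “disable it” fix for the clash is a third. The file below is an added example, not from the course or from any Splunk add-on: the status_200 and status_408 stanzas reproduce what the video creates (search strings are my reconstruction), the web_server_500 stanza shows the red tier the lesson mentions for dangerous events, and the nix-all-logs stanza assumes that event type is already defined by a shipped configuration, so only the disabled override is needed locally.

```ini
# $SPLUNK_HOME/etc/apps/search/local/eventtypes.conf  (added example)
# color  : none | et_blue | et_green | et_magenta | et_orange | et_purple
#          | et_red | et_sky | et_teal | et_yellow
# priority: 1 (highest) .. 10 (lowest); orders the event types that
#          match the same event

[status_200]
search = sourcetype=access_combined_test status=200
color = et_green
priority = 1
description = Successful responses: safe at a glance

[status_408]
search = sourcetype=access_combined_test status=408
color = et_orange
priority = 1
description = Request timeouts: less dangerous, worth a second look

[web_server_500]
search = sourcetype=access_combined_test status=500
color = et_red
priority = 1
description = Server errors: dangerous, investigate first

# A broad, pre-packaged event type with no color also matched these events
# and suppressed the coloring. The video's fix is to disable it rather
# than exclude it from every search; an override stanza with only
# "disabled = 1" layers on top of the shipped definition.
[nix-all-logs]
disabled = 1
```

Because the three searches are mutually exclusive on status, no event matches more than one colored stanza and the equal priorities do not compete. Where event types do overlap (for example a broad “all HTTP errors” type and a narrow “500 only” type), give the narrow, more severe one the lower priority number so that it is listed first, and keep the broad one uncolored or disabled as the video does.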
