Splunk

Splunk is a platform for collecting, storing, and analysing machine data.

It provides various tools for analysing data, including search, correlation, and visualisation.

Show all ingested logs (every event in the main index):

index=main

web_traffic - This data source contains events related to web connections to and from the web server.

firewall_logs - This data source contains the firewall logs, showing the traffic allowed or blocked.

  1. Search query: This query retrieves all events from the main index that were tagged with the custom source type web_traffic. This marks the beginning of the investigation.
  2. Time range: The time range is currently set to "All time". In security analysis, this range would be tightened (e.g., to the spike window) after initial data loading.
  3. Timeline: This visual histogram shows the distribution of events over time. The graph indicates the normal daily log volume followed by a distinctive traffic spike (a period of high activity, likely the attack window).
  4. Selected fields: These are the fields currently chosen to be displayed in the summary column of the event list (host, source, sourcetype). They represent basic metadata about the log file itself.
  5. Interesting fields: This pane lists all fields that Splunk has automatically extracted or manually added. Fields prefixed with # (e.g., #date_hour) are automatically generated by Splunk's time commands. The presence of user_agent, path, and client_ip confirms the successful parsing of the web log structure.
  6. Event details & field extraction: This section shows the parsed details of a single event with extracted fields like user_agent, path, status, client_ip, and more.

Count the total events over time, grouped by day, to determine the number of events captured per day and identify the day that received an abnormal number of logs:

index=main sourcetype=web_traffic | timechart span=1d count

Append the reverse command at the end to display the result in descending order, so the day with the maximum number of events appears first:

index=main sourcetype=web_traffic | timechart span=1d count | sort by count | reverse
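Added example, not part of the original notes: the same `timechart span=1d count | sort` pipeline reproduced in Python over constructed web_traffic lines, with a median-baseline check that flags the abnormal day rather than relying on eyeballing the histogram. The event line format and the 3x threshold are assumptions.

```python
"""Reproduce `timechart span=1d count | sort count | reverse` on constructed
web_traffic events and flag the day whose volume stands out from the baseline."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample (not from the page): events per day, one abnormal day.
DAY_VOLUMES = {
    "2024-03-01": 3, "2024-03-02": 4, "2024-03-03": 15,
    "2024-03-04": 3, "2024-03-05": 2,
}
# Assumed raw line format: "<ISO timestamp> <client_ip> <path> <status>"
WEB_TRAFFIC = [
    f"{day}T10:{i:02d}:00 10.0.0.{i} /index.html 200"
    for day, n in DAY_VOLUMES.items() for i in range(n)
]


def daily_counts(events):
    """Equivalent of `| timechart span=1d count`: bucket events by calendar day."""
    counts = Counter()
    for line in events:
        timestamp = line.split(" ", 1)[0]
        day = datetime.fromisoformat(timestamp).date().isoformat()
        counts[day] += 1
    return dict(counts)


def sort_descending(counts):
    """Equivalent of `| sort count | reverse` (busiest day first)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def spike_days(counts, factor=3.0):
    """Flag days whose count exceeds factor x the median daily count.
    The median is a robust baseline that one spike day cannot drag upward."""
    baseline = median(counts.values())
    return [day for day, n in counts.items() if n > factor * baseline]


if __name__ == "__main__":
    per_day = daily_counts(WEB_TRAFFIC)
    for day, n in sort_descending(per_day):
        print(day, n)
    print("spike day(s):", spike_days(per_day))
```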