Category: Threat Intelligence
Level: Intermediate
Number: 106
Splunk is a SIEM solution that excels in real-time collection, analysis, and correlation of network and machine logs.
It consists of three core components: the Forwarder, the Indexer, and the Search Head.
- The Splunk Forwarder is a lightweight agent installed on endpoints to gather and transmit data, ensuring minimal impact on performance.
- The Indexer processes incoming data, normalizing it into field-value pairs for easy searching and analysis.
- The Search Head facilitates user interactions, allowing for complex searches and the creation of insightful visualizations such as charts and tables.
Navigating Splunk involves understanding its main interface sections.
- The Splunk Bar provides system notifications, settings, job progress, help resources, and search functionality.
- The Apps Panel displays installed applications, with Search & Reporting being the default.
- The Explore Splunk section offers quick links for adding data and accessing documentation.
- The Home Dashboard allows users to select, create, and view various dashboards.
Adding data to Splunk involves selecting the source, specifying the source type, setting input parameters, and reviewing the configuration.
Key fields in Splunk include the Index for data storage, Source for data origin, Source Type for data format, and Host for the data-producing device.
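As an added example (not from the original page or from Splunk's documentation), this forwarder-side inputs.conf shows how the four key fields are set when data is added; the file paths, index names and host name are assumptions chosen for illustration.

```ini
# Added example: forwarder inputs.conf setting the four key fields
# (index, source, sourcetype, host) for two constructed inputs.
# Paths, index names and the host name are assumptions, not values
# taken from the original page.

# Default "host" applied to every input on this forwarder: the device
# that produced the data.
[default]
host = web01

# Source: the monitored file path becomes the "source" field of each event.
[monitor:///var/log/auth.log]
# Source type tells the indexer how to parse the events (line breaking,
# timestamp extraction, field extraction).
sourcetype = linux_secure
# Index: the store the events are written to and later searched from.
index = linux_auth
disabled = 0

# Windows Security event log; Splunk sets the sourcetype for this input
# automatically (WinEventLog:Security), so only the index is chosen here.
[WinEventLog://Security]
index = wineventlog
disabled = 0
```

Place the file under an app's local directory (or $SPLUNK_HOME/etc/system/local) on the forwarder and restart it; once events arrive, the same fields scope a search, for example `index=linux_auth sourcetype=linux_secure host=web01 "Failed password" | stats count by host`.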
Summary:
- Splunk is a SIEM solution with core components (Forwarder, Indexer, Search Head) for real-time log collection, processing, and analysis.
- Splunk offers a user-friendly interface for managing data sources, creating visualizations, and conducting complex searches.