Splunk Cheatsheet
Splunk ist eine leistungsstarke Plattform zum Suchen, Monitoring und Analysieren von maschinengenerierten Daten über eine Web-style-Schnittstelle. Es ist weit verbreitet für Sicherheitsinformationen und Eventmanagement (SIEM), IT-Betriebe und Business Analytics.
Installation und Inbetriebnahme
Splunk Enterprise herunterladen und installieren
```bash
Download Splunk Enterprise (Linux)
wget -O splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb \ 'https://download.splunk.com/products/splunk/releases/9.1.2/linux/splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb'
Install on Ubuntu/Debian
sudo dpkg -i splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb
Install on CentOS/RHEL
sudo rpm -i splunk-9.1.2-b6b9c8185839.x86_64.rpm
Start Splunk
sudo /opt/splunk/bin/splunk start --accept-license
Enable boot start
sudo /opt/splunk/bin/splunk enable boot-start ```_
Splunk Universal Forwarder
```bash
Download Universal Forwarder
wget -O splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb \ 'https://download.splunk.com/products/universalforwarder/releases/9.1.2/linux/splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb'
Install Universal Forwarder
sudo dpkg -i splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb
Start forwarder
sudo /opt/splunkforwarder/bin/splunk start --accept-license ```_
Docker Installation
```bash
Run Splunk Enterprise in Docker
docker run -d -p 8000:8000 -p 9997:9997 \ -e SPLUNK_START_ARGS='--accept-license' \ -e SPLUNK_PASSWORD='changeme123' \ --name splunk splunk/splunk:latest
Run Universal Forwarder in Docker
docker run -d -p 9997:9997 \ -e SPLUNK_START_ARGS='--accept-license' \ -e SPLUNK_PASSWORD='changeme123' \ --name splunk-forwarder splunk/universalforwarder:latest ```_
Grundlegende Suchbefehle
Suche Grundlagen
```spl
Basic search
index=main error
Search with time range
index=main error earliest=-24h latest=now
Search multiple indexes
(index=main OR index=security) error
Search with wildcards
index=main source="access" status=404
Case-insensitive search
index=main Error OR error OR ERROR ```_
Suchoperatoren
```spl
AND operator (implicit)
index=main error failed
OR operator
index=main (error OR warning)
NOT operator
index=main error NOT warning
Field searches
index=main host=webserver01 sourcetype=access_combined
Quoted strings
index=main "connection refused"
Field existence
index=main user=*
Field non-existence
index=main NOT user=* ```_
Time Modifiers
```spl
Relative time
earliest=-1h latest=now earliest=-7d@d latest=@d earliest=-1mon@mon latest=@mon
Absolute time
earliest="01/01/2024:00:00:00" latest="01/31/2024:23:59:59"
Snap to time
earliest=-1d@d latest=@d # Yesterday from midnight to midnight earliest=@w0 latest=@w6 # This week from Sunday to Saturday ```_
Befehle zur Datenverarbeitung
Feldextraktion
```spl
Extract fields with regex
index=main|rex field=_raw "(?
Extract multiple fields
index=main|rex "user=(?
Extract with named groups
index=main|rex field=message "Error: (?
Extract fields from specific field
index=main|rex field=url "\/(?
Feldbetrieb
```spl
Create new fields
index=main|eval new_field=field1+field2
String operations
index=main|eval upper_user=upper(user) index=main|eval user_domain=user."@".domain
Conditional fields
index=main|eval status_desc=case( status>=200 AND status<300, "Success", status>=400 AND status<500, "Client Error", status>=500, "Server Error", 1=1, "Unknown" )
Mathematical operations
index=main|eval response_time_ms=response_time1000 index=main|eval percentage=round((part/total)100, 2) ```_
Datentransformation
```spl
Remove fields
index=main|fields - _raw, _time
Keep only specific fields
index=main|fields user, ip, action
Rename fields
index=main|rename src_ip as source_ip, dst_ip as dest_ip
Convert field types
index=main|eval response_time=tonumber(response_time) index=main|eval timestamp=strftime(time, "%Y-%m-%d %H:%M:%S") ```
Statistische Befehle
Grundstatistik
```spl
Count events
index=main|stats count
Count by field
index=main|stats count by user
Multiple statistics
index=main|stats count, avg(response_time), max(bytes) by host
Distinct count
index=main|stats dc(user) as unique_users
List unique values
index=main|stats values(user) as users by host ```_
Fortgeschrittene Statistiken
```spl
Percentiles
index=main|stats perc50(response_time), perc95(response_time), perc99(response_time)
Standard deviation
index=main|stats avg(response_time), stdev(response_time)
Range and variance
index=main|stats min(response_time), max(response_time), range(response_time), var(response_time)
First and last values
index=main|stats first(user), last(user) by session_id ```_
Zeitbasierte Statistiken
```spl
Statistics over time
index=main|timechart span=1h count by status
Average over time
index=main|timechart span=5m avg(response_time)
Multiple metrics over time
index=main|timechart span=1h count, avg(response_time), max(bytes)
Fill null values
| index=main | timechart span=1h count | fillnull value=0 | ```_
Filtern und Sortieren
Das Kommando
```spl
Filter results
| index=main | stats count by user | where count > 100 |
String comparisons
index=main|where like(user, "admin%") index=main|where match(email, ".*@company.com")
Numeric comparisons
index=main|where response_time > 5.0 index=main|where bytes > 1024*1024 # Greater than 1MB ```_
Suche und Wo
```spl
Search command for filtering
index=main|search user=admin OR user=root
Complex search conditions
index=main|search (status>=400 AND status<500) OR (response_time>10)
Search with wildcards
index=main|search user="admin" OR user="admin" ```_
Sortierung
```spl
Sort ascending
| index=main | stats count by user | sort user |
Sort descending
| index=main | stats count by user | sort -count |
Multiple sort fields
| index=main | stats count, avg(response_time) by user | sort -count, user |
Sort with limit
| index=main | stats count by user | sort -count | head 10 | ```_
Erweiterte Suche Techniken
Forschungen
```spl
Basic subsearch
index=main user=[search index=security action=login|return user]
Subsearch with formatting
| index=main [search index=security failed_login | stats count by user | where count>5 | format] |
Subsearch with specific return
index=main ip=[search index=blacklist|return ip] ```_
Mitglieder
```spl
Inner join
| index=main | join user [search index=user_info | fields user, department] |
Left join
| index=main | join type=left user [search index=user_info | fields user, department] |
Join with multiple fields
| index=main | join user, host [search index=inventory | fields user, host, asset_tag] | ```_
Lookups
```spl
CSV lookup
index=main|lookup user_lookup.csv user OUTPUT department, manager
Automatic lookup (configured in transforms.conf)
index=main|lookup geoip clientip
External lookup
index=main|lookup dnslookup ip OUTPUT hostname ```_
Transaktionen
```spl
Group events into transactions
index=main|transaction user startswith="login" endswith="logout"
Transaction with time constraints
index=main|transaction user maxspan=1h maxpause=10m
Transaction with event count
index=main|transaction session_id maxevents=100
Transaction statistics
| index=main | transaction user | stats avg(duration), count by user | ```_
Visualisierung und Reporting
Diagrammbefehle
```spl
Simple chart
index=main|chart count by status
Chart over time
index=main|chart count over _time by status
Chart with functions
index=main|chart avg(response_time), max(response_time) over host by status
Chart with bins
index=main|chart count over response_time bins=10 ```_
Top und Rare
```spl
Top values
index=main|top user
Top with limit
index=main|top limit=20 user
Top by another field
index=main|top user by host
Rare values
index=main|rare user
Top with percentage
index=main|top user showperc=true ```_
Geostate
```spl
Geographic statistics
| index=main | iplocation clientip | geostats count by Country |
Geostats with latfield and longfield
index=main|geostats latfield=latitude longfield=longitude count by region
Geostats with globallimit
| index=main | iplocation clientip | geostats globallimit=10 count by City | ```_
Sicherheits- und SIEM-Nutzungsfälle
Fehlerhafte Login-Erkennung
```spl
Failed login attempts
index=security sourcetype=linux_secure "Failed password"
|rex field=raw "Failed password for (?
Brute Force Detection
```spl
Brute force attack detection
index=security action=login result=failure |bucket time span=5m |stats dc(user) as unique_users, count as attempts by src_ip, _time |where attempts > 20 OR unique_users > 10 |sort -attempts ```
Vorrechte Eskalation
```spl
Sudo usage monitoring
index=security sourcetype=linux_secure "sudo"
|rex field=raw "sudo:\s+(?
Verkehrsanalyse
```spl
Large data transfers
index=network |stats sum(bytes_out) as total_bytes by src_ip, dest_ip |where total_bytes > 1073741824 # 1GB |eval total_gb=round(total_bytes/1073741824, 2) |sort -total_gb ```_
Malware-Detektion
```spl
Suspicious process execution
index=endpoint process_name= |search (process_name=".tmp" OR process_name="*.exe" OR process_name="powershell.exe") |stats count, values(command_line) as commands by host, process_name |where count > 10 ```_
Leistungsoptimierung
Suche Optimierung
```spl
Use specific indexes
index=main sourcetype=access_combined
Filter early in search
index=main error earliest=-1h|stats count by host
Use fast commands first
| index=main | where status=404 | stats count by uri |
Avoid wildcards at the beginning
index=main uri="/api/" NOT uri="debug*" ```_
Feldextraktion Optimierung
```spl
Extract only needed fields
| index=main | rex field=_raw "user=(?
Use field extraction in search
index=main user=admin|stats count
Limit field extraction scope
| index=main | head 1000 | rex field=raw "pattern" | ```
Speicher und CPU Optimierung
```spl
Use summary indexing for frequent searches
|collect index=summary_index source="daily_stats"
Use report acceleration
|sistats count by user
Limit search scope
index=main earliest=-1h latest=now|head 10000 ```_
Konfiguration und Verwaltung
Index Management
```bash
Create new index
/opt/splunk/bin/splunk add index myindex -maxDataSize 1000 -maxHotBuckets 10
List indexes
/opt/splunk/bin/splunk list index
Clean index
/opt/splunk/bin/splunk clean eventdata -index myindex ```_
Benutzermanagement
```bash
Add user
/opt/splunk/bin/splunk add user username -password password -role user
List users
/opt/splunk/bin/splunk list user
Change user password
/opt/splunk/bin/splunk edit user username -password newpassword ```_
Dateneingang Konfiguration
```bash
Monitor file
/opt/splunk/bin/splunk add monitor /var/log/messages -index main
Monitor directory
/opt/splunk/bin/splunk add monitor /var/log/ -index main
Network input
/opt/splunk/bin/splunk add tcp 9999 -sourcetype syslog ```_
Forwarder Konfiguration
```bash
Add forward server
/opt/splunkforwarder/bin/splunk add forward-server splunk-server:9997
Add monitor to forwarder
/opt/splunkforwarder/bin/splunk add monitor /var/log/apache2/access.log -index web
List forward servers
/opt/splunkforwarder/bin/splunk list forward-server ```_
REST API Verwendung
Authentication
```bash
Get session key
curl -k -u admin:password https://localhost:8089/services/auth/login \ -d username=admin -d password=password
Use session key
curl -k -H "Authorization: Splunk
Suche API
```bash
Create search job
curl -k -u admin:password https://localhost:8089/services/search/jobs \ -d search="search index=main|head 10"
Get search results
curl -k -u admin:password \
https://localhost:8089/services/search/jobs/
Dateneingang API
```bash
List data inputs
curl -k -u admin:password https://localhost:8089/services/data/inputs/monitor
Add monitor input
curl -k -u admin:password https://localhost:8089/services/data/inputs/monitor \ -d name=/var/log/myapp.log -d index=main ```_
Fehlerbehebung
Gemeinsame Themen
```bash
Check Splunk status
/opt/splunk/bin/splunk status
Check license usage
/opt/splunk/bin/splunk list licenser-localslave
Restart Splunk
/opt/splunk/bin/splunk restart
Check configuration
/opt/splunk/bin/splunk btool inputs list /opt/splunk/bin/splunk btool outputs list ```_
Analyse der Ergebnisse
```bash
Check Splunk internal logs
tail -f /opt/splunk/var/log/splunk/splunkd.log
Check metrics
tail -f /opt/splunk/var/log/splunk/metrics.log
Check audit logs
tail -f /opt/splunk/var/log/splunk/audit.log ```_
Leistungsüberwachung
```spl
Internal Splunk metrics
index=_internal source=*metrics.log group=per_index_thruput |stats sum(kb) as total_kb by series |sort -total_kb
Search performance
index=_audit action=search |stats avg(total_run_time) as avg_runtime by user |sort -avg_runtime
License usage
index=internal source=*license_usage.log type=Usage |stats sum(b) as bytes by idx |eval GB=round(bytes/1024/1024/1024,2) |sort -GB ```
Best Practices
Suche Best Practices
- Benutzen Sie bestimmte Zeitbereiche - Vermeiden Sie die Suche "All time"
- Filter früh - Index, Quelltyp und Hostfilter zuerst verwenden
- ** Verwenden Sie schnelle Befehle** - Statistiken, Diagramme, Zeitdiagramme sind schneller als Transaktion
- *Avoid Wildcards - Besonders zu Beginn der Suchbegriffe
- *Benutze Zusammenfassung Indexing - Für häufig laufende Suchanfragen
Daten an Bord Best Practices
- Plan-Indexstrategie - Separate Indizes nach Datentyp und Speicherung
- ** Quelltypen konfigurieren** - Richtige Feldextraktion und Parsing
- *Einrichten der richtigen Zeitextraktion - Stellen Sie genaue Zeitstempel sicher
- *Use Universal Forwarders - Für verteilte Datenerhebung
- Monitor Lizenznutzung - Bleiben Sie in Lizenzgrenzen
Sicherheit Best Practices
- Benutzen Sie einen rollenbasierten Zugriff - Beschränken Sie Benutzerberechtigungen entsprechend
- Enable SSL - Für Web-Schnittstelle und Weiterleitungskommunikation
- *Regular Backups - Backup-Konfiguration und kritische Daten
- Monitor admin Aktivitäten - Konfigurationsänderungen verfolgen
- *Keep Splunk aktualisiert - Sicherheitspatches regelmäßig anwenden
Ressourcen
- Splunk-Dokumentation
- (__LINK_5___)
- [Splunk Community](LINK_5 -%20(_LINK_5)
- Splunk Apps