Splunk Exploring SPL TryHackMe Write-Up

Joseph Alan
4 min read · Jul 26, 2023


Splunk SPL

Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make the search more effective. It comprises various functions and commands used together to form complex yet effective search queries to get optimized results.

This room covers key fundamentals of Splunk searching, such as chaining SPL commands to build queries that range from simple filters to multi-stage transformations.

Learning Objectives

This room will teach the following topics:

  • What is Search Processing Language?
  • How to apply filters to narrow down results.
  • Using transformational commands.
  • Changing the order of the results.

Room Prerequisites

  • This room is based on the SIEM concepts covered in Intro to SIEM and Splunk: Basics rooms. Complete these rooms and continue to the next task.

Q What is the name of the host in the Data Summary tab?

index=windowslogs * restricts the search to the windowslogs index; the asterisk (*) is a wildcard that matches every event in it.

Set the time range picker to All time so that every existing event is returned, then open the Data Summary tab to read the host name.

Q In the search History, what is the 7th search query in the list? (excluding your searches from today)

Open Search History and set the time range to Week to date so that all of the week's searches are listed.

Skip every search made today; the answer is the seventh query counting from the first search that did not occur today.

Q In the left field panel, which Source IP has recorded max events?

Run a new search for the source IP field, for example host="cyber-host" sourceip, then click that field in the left field panel: its Top values list shows which source IP has the highest event count.

Q How many events are returned when we apply the time filter to display events on 04/15/2022 and Time from 08:05 AM to 08:06 AM?

Q How many Events are returned when searching for Event ID 1 AND User as James?

Q How many events are observed with Destination IP 172.18.39.6 AND destination Port 135?

Q What is the Source IP with highest count returned with this Search query?

Search Query: index=windowslogs * Hostname="Salena.Adam" DestinationIp="172.18.38.5"

Q In the index windowslogs, search for all the events that contain the term cyber how many events returned?

index=windowslogs cyber

Answer: 0

A bare search term only matches a whole indexed token, so the word cyber on its own returns nothing from this data set.

Q Now search for the term cyber*, how many events are returned?

The trailing wildcard matches every token that begins with cyber, which is why this variant returns events where the previous search returned none.

Q What is the third EventID returned against this search query?

Search Query:

index=windowslogs | table _time EventID Hostname SourceName | reverse

Q Use the dedup command against the Hostname field before the reverse command in the query mentioned in Question 1. What is the first username returned in the Hostname field?

Q Using the Reverse command with the search query index=windowslogs | table _time EventID Hostname SourceName — what is the HostName that comes on top?

Q What is the last EventID returned when the query in question 1 is updated with the tail command?

Q Sort the above query against the SourceName. What is the top SourceName returned?

Q List the top 8 Image processes using the top command — what is the total count of the 6th Image?

Q Using the rare command, identify the user with the least number of activities captured?

Q Create a pie-chart using the chart command — what is the count for the conhost.exe process?
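The searches in this room run inside Splunk, but the command semantics can be checked offline. The block below is an added example, not code from the room, from TryHackMe or from Splunk: over a handful of constructed Sysmon-style events it re-implements the bare-term versus cyber* matching behind the zero-result search above, a field=value filter like the Event ID 1 and User James question, and the table, reverse, dedup, tail, sort, top, rare and chart count by commands chained in this last set of questions. The hostnames, images and users are made up, and the tokenizer is a simplification of Splunk's major/minor segmenters.

```python
"""Toy model of the SPL commands used in this room, run over constructed events.
Added example: not Splunk code and not the room's data set."""
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed Sysmon-style events, oldest first. All values are made up.
FIELDS = ("_time", "EventID", "Hostname", "SourceName", "Image", "User")
ROWS = [
    ("2022-04-15 08:05:01", 1, "Salena.Adam", "Microsoft-Windows-Sysmon",
     r"C:\Windows\System32\conhost.exe", r"CYBERTEES\james"),
    ("2022-04-15 08:05:12", 3, "Salena.Adam", "Microsoft-Windows-Sysmon",
     r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    ("2022-04-15 08:05:25", 7, "James.browne", "Microsoft-Windows-Sysmon",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CYBERTEES\james"),
    ("2022-04-15 08:05:33", 13, "Salena.Adam", "Microsoft-Windows-Sysmon",
     r"C:\Windows\System32\conhost.exe", r"CYBERTEES\salena"),
    ("2022-04-15 08:05:47", 1, "James.browne", "Microsoft-Windows-Security-Auditing",
     r"C:\Windows\System32\cmd.exe", r"CYBERTEES\james"),
    ("2022-04-15 08:05:58", 11, "Salena.Adam", "Microsoft-Windows-Sysmon",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CYBERTEES\salena"),
]
# _raw is the text a bare-term search tokenizes, standing in for Splunk's indexed event.
EVENTS = [dict(zip(FIELDS, row),
               _raw=" ".join(f"{k}={v}" for k, v in zip(FIELDS[1:], row[1:])))
          for row in ROWS]

MAJOR = re.compile(r"\s+")               # major breakers: whitespace
MINOR = re.compile(r"[/:=@.\-$#%\\_]")   # a subset of Splunk's minor breakers

def tokens(raw):
    """Simplified index-time segmentation: each major segment plus its minor pieces."""
    out = set()
    for seg in MAJOR.split(raw):
        if seg:
            out.add(seg.lower())
            out.update(p.lower() for p in MINOR.split(seg) if p)
    return out

def search(events, term):
    """A bare term matches a whole token only; a trailing * matches token prefixes.
    Results come back newest first, matching Splunk's default event order."""
    pat = term.lower()
    hits = [e for e in events if any(fnmatchcase(t, pat) for t in tokens(e["_raw"]))]
    return sorted(hits, key=lambda e: e["_time"], reverse=True)

def where(events, **conds):
    """field=value filters, case-insensitive with * wildcard (EventID=1 User=*james)."""
    return [e for e in events
            if all(fnmatchcase(str(e.get(f, "")).lower(), str(v).lower())
                   for f, v in conds.items())]

def table(rows, *fields):
    return [{f: r.get(f) for f in fields} for r in rows]

def reverse(rows):
    return list(reversed(rows))

def dedup(rows, field):
    """Keep only the first row seen for each distinct value of field."""
    seen, out = set(), []
    for r in rows:
        if r[field] not in seen:
            seen.add(r[field])
            out.append(r)
    return out

def tail(rows, n=10):
    """Last n rows, returned in reverse order, as Splunk's tail command does."""
    return list(reversed(rows[-n:]))

def sort_by(rows, field, descending=False):
    return sorted(rows, key=lambda r: r[field], reverse=descending)

def _stats(rows, field, ordered):
    total = len(rows)
    return [{field: v, "count": c, "percent": round(100 * c / total, 6)} for v, c in ordered]

def top(rows, field, limit=10):
    """Most common values with count and percent, like `top <limit> <field>`."""
    return _stats(rows, field, Counter(r[field] for r in rows).most_common(limit))

def rare(rows, field, limit=10):
    """Least common values, like `rare <field>`."""
    counts = Counter(r[field] for r in rows)
    return _stats(rows, field, sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit])

def chart_count_by(rows, field):
    """`chart count by <field>`: one count per distinct value, ordered by value."""
    return dict(sorted(Counter(r[field] for r in rows).items()))

if __name__ == "__main__":
    print(len(search(EVENTS, "cyber")), "events for cyber,",
          len(search(EVENTS, "cyber*")), "for cyber*")
    base = table(search(EVENTS, "*"), "_time", "EventID", "Hostname", "SourceName")
    for row in reverse(dedup(base, "Hostname")):
        print(row)
    print(top(search(EVENTS, "*"), "Image", 8))
```

Run it to see the bare-term search return nothing while cyber* matches the CYBERTEES tokens, and to confirm that dedup keeps the newest event per host when it runs before reverse, which is why the order of those two commands changes the first row.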

This wraps up the Splunk SPL room.

Try out more rooms on Splunk —
