Splunk is one of the leading SIEM solutions on the market; it collects, analyzes and correlates network and machine logs in real time. In this room, we will explore the basics of Splunk and its functionalities, how it provides better visibility of network activity, and how it helps speed up detection.
Splunk has three main components, namely Forwarder, Indexer, and Search Head. These components are explained below:
Splunk Forwarder
Splunk Forwarder is a lightweight agent installed on the endpoint to be monitored; its main task is to collect data and send it to the Splunk instance. It does not noticeably affect the endpoint's performance, as it consumes very few resources. Some of the key data sources are:
Web server generating web traffic.
Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.
Linux host generating host-centric logs.
Database generating DB connection requests, responses, and errors.
Splunk Indexer
Splunk Indexer plays the main role in processing the data it receives from forwarders. It takes the data, normalizes it into field-value pairs, determines the data type, and stores it as events. Processed data is easy to search and analyze.
Search Head
Splunk Search Head is the place within the Search & Reporting App where users can search the indexed logs, as shown below. When the user searches for a term or writes a query in the Splunk Search Processing Language (SPL), the request is sent to the indexer and the relevant events are returned in the form of field-value pairs.
Question:
Which component is used to collect and send data over the Splunk instance?
Answer:
Forwarder
Task 4: Navigating Splunk
Splunk Bar:
When you access Splunk, you will see the default home screen, identical to the screenshot below.
…
Please review the Splunk documentation on Navigating Splunk here.
Question:
In the Add Data tab, which option is used to collect data from files and ports?
Answer:
Monitor
Task 5:
...
Question:
Upload the data attached to this task and create an index "VPN_Logs". How many events are present in the log file?
Answer:
2862
Question:
How many log events by the user Maleena are captured?
Answer:
Question 5c:
What is the name associated with IP 107.14.182.38?
Answer:
Question 5d:
What is the number of events that originated from all countries except France?
Answer:
Question 5e:
How many VPN Events were observed by the IP 107.3.206.58?
Answer:
This room was an insightful room as it gave me the basic knowledge needed to work with Splunk. Now up to the next room!!!
Incident Handling with Splunk