Splunk Fundamentals 1 Lab Exercises

Lab typographical conventions:

[sourcetype=db_audit] OR [cs_mime_type] indicates either a source type or the name of a field.

NOTE: Lab work will be done on your personal computer or virtual machine, no lab environment is
provided. We suggest you DO NOT do the lab work on your production environment.

The lab instructions refer to these source types by the types of data they represent:

Type             Sourcetype                Fields of interest
Web Application  access_combined_wcookie   action, bytes, categoryId, clientip, itemId, JSESSIONID,
                                           productId, referer, referer_domain, status, useragent, file
Database         db_audit                  Command, Duration, Type
Web server       linux_secure              COMMAND, PWD, pid, process

Lab Module 8 – Basic Commands

NOTE: Now that you understand the basics of searching in Splunk, we will make labs a little more
challenging. This lab document has two sections. The first section includes the instructions
without answers. The second section includes instructions with the expected search string
(answer) in red.

Description
In this lab, you will be using some of the common Splunk commands including fields, table, rename and
dedup.

Steps
Scenario: The Marketing team tracks all user sessions related to marketing campaigns. It would like a
report of all user sessions that include purchase actions so that it can put a value on the different
campaigns it's running.

Task 1: Search for the requested data.

Navigate to the Search view. (If you are in the Home app, click Search & Reporting from the column on
the left side of the screen. You can also access the Search view by clicking the Search menu option on
the bar at the top of the screen.)

NOTE: For this course, you will be searching across all time using the main index. This is NOT a best
practice in a production environment, but needed for these labs due to the nature of the limited
dataset.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 1


Enter a search that returns all web application events that include a purchase action with a web status of
200.
Results Example:

Select the file field in the Interesting Fields list.

Results Example:

Notice that there are two different files that were returned from the web server. They are: error.do and
success.do. Our web development team informs us that the success.do is served when the order is
processed and error.do is served when there is an error with the information being processed.
The team is only looking for successful purchases, so change your search to only return those.

Results Example:

You will see fields that do not matter to the team. Use the fields command to only return the action,
JSESSIONID and status fields. Does your search run faster using the command?

Results Example:



The fields list looks cleaner, but seeing the events like this might still be confusing for the team.
Task 2: Put the data into an easy to read table.

Replace the fields command with the table command to display the data as a table.
Results Example:

Change the order of the fields so that JSESSIONID is the first column.
Results Example:

Session IDs are called "UserSessions" in the marketing data. Rename JSESSIONID so that your report
matches the marketing data.
Results Example:

Sort UserSessions using the sort command.


Notice that some UserSessions values show up multiple times. Also notice the number of events
returned on the Statistics tab.
Remove the sort command and use dedup to remove any identical session values.
Results Example:



How many events are now listed on the Statistics tab?

NOTE: As a best practice and for best performance, place dedup as early in the search as possible.

While having action and status fields displayed was nice for a sanity check of the data, the marketing
team will not need to have these displayed. Remove them from your table display.
Results Example:



Lab Module 8 – Basic Commands with Solutions

Task 1: Search for the requested data.

Enter a search that returns all web application events that include a purchase action with a web status of
200. (index=main sourcetype=access_combined_wcookie action=purchase status=200)
Results Example:

Select the file field in the Interesting Fields list.


Results Example:

Notice that there are two different files that were returned from the web server. They are: error.do and
success.do. Our web development team informs us that the success.do is served when the order is
processed and error.do is served when there is an error with the information being processed.
The team is only looking for successful purchases, so change your search to only return those.
(index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do)

Results Example:

You will see fields that do not matter to the team. Use the fields command to only return the action,
JSESSIONID and status fields. Does your search run faster using the command?
(index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | fields action, JSESSIONID, status)
Results Example:



The fields list looks cleaner, but seeing the events like this might still be confusing for the team.
Task 2: Put the data into an easy to read table.

Replace the fields command with the table command to display the data as a table. (index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table action,
JSESSIONID, status).
Results Example:

Change the order of the fields so that JSESSIONID is the first column. (index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table JSESSIONID,
action, status).
Results Example:

Session IDs are called "UserSessions" in the marketing data. Rename JSESSIONID so that your report
matches the marketing data. (index=main sourcetype=access_combined_wcookie action=purchase
status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as UserSessions).
Results Example:

Sort UserSessions using the sort command. (index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as UserSessions | sort UserSessions)



Notice that some UserSessions values show up multiple times. Also notice the number of events
returned on the Statistics tab.
Remove the sort command and use dedup to remove any identical session values. (index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup
JSESSIONID | table JSESSIONID, action, status | rename JSESSIONID as UserSessions)
Results Example:

How many events are now listed on the Statistics tab?

NOTE: As a best practice and for best performance, place dedup as early in the search as possible.

While having action and status fields displayed was nice for a sanity check of the data, the marketing
team will not need to have these displayed. Remove them from your table display. (index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup
JSESSIONID | table JSESSIONID | rename JSESSIONID as UserSessions).
Results Example:
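As an added example that is not part of the lab document, the Python below mirrors the lab's final search over a few constructed access_combined_wcookie lines: it extracts the same fields Splunk would for this source type (clientip, status, file, action, JSESSIONID), filters on action=purchase, status=200 and file=success.do, dedups on JSESSIONID and renames the column to UserSessions, so you can see exactly which events the dedup stage drops. The IPs, session ids and paths are made up for the example.

```python
import re

# Constructed sample events in the access_combined_wcookie shape the lab uses.
# Addresses, session ids, items and paths are invented for this example.
SAMPLE_EVENTS = [
    '10.0.0.5 - - [01/May/2018:10:01:02] "POST /cart/success.do?action=purchase&itemId=EST-21&JSESSIONID=SD6SL4FF7ADFF9 HTTP 1.1" 200 1318 "http://www.example.test/cart.do" "Mozilla/5.0" 212',
    '10.0.0.5 - - [01/May/2018:10:01:09] "POST /cart/success.do?action=purchase&itemId=EST-7&JSESSIONID=SD6SL4FF7ADFF9 HTTP 1.1" 200 1302 "-" "Mozilla/5.0" 190',
    '10.0.0.9 - - [01/May/2018:10:02:44] "POST /cart/error.do?action=purchase&itemId=EST-21&JSESSIONID=SD1SL9FF3ADFF2 HTTP 1.1" 200 1002 "-" "Mozilla/5.0" 250',
    '10.0.0.12 - - [01/May/2018:10:03:10] "POST /cart/success.do?action=purchase&itemId=EST-14&JSESSIONID=SD9SL2FF1ADFF4 HTTP 1.1" 503 0 "-" "Mozilla/5.0" 720',
    '10.0.0.7 - - [01/May/2018:10:04:00] "GET /cart/success.do?action=view&itemId=EST-14&JSESSIONID=SD3SL8FF6ADFF1 HTTP 1.1" 200 2212 "-" "Mozilla/5.0" 50',
]

# Combined-log layout: client ip, ident, user, [timestamp], "METHOD URI PROTO", status, bytes, ...
LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)')

def parse_event(line):
    """Field extraction close to Splunk's for this sourcetype: clientip, status and
    bytes from the log layout, `file` as the last path segment, query keys as fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    path, _, query = fields.pop("uri").partition("?")
    fields["file"] = path.rsplit("/", 1)[-1]
    for kv in query.split("&"):
        key, _, val = kv.partition("=")
        if key:
            fields[key] = val
    return fields

def dedup(events, key):
    """Splunk-style dedup: keep only the first event seen for each value of `key`."""
    seen = set()
    out = []
    for ev in events:
        if ev.get(key) in seen:
            continue
        seen.add(ev.get(key))
        out.append(ev)
    return out

def successful_purchase_sessions(lines):
    """Equivalent of the lab's final search: action=purchase status=200 file=success.do
    | dedup JSESSIONID | table JSESSIONID | rename JSESSIONID as UserSessions"""
    events = [ev for ev in map(parse_event, lines) if ev]
    matched = [ev for ev in events
               if ev.get("action") == "purchase" and ev["status"] == "200"
               and ev["file"] == "success.do"]
    return [{"UserSessions": ev["JSESSIONID"]} for ev in dedup(matched, "JSESSIONID")]
```

Of the five constructed events only the first two are successful purchases, and they share a session, so the report contains a single UserSessions row; the error.do, 503 and action=view events are filtered out before dedup ever runs, which is why the lab recommends placing dedup as early as the search allows.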
