Splunk Fundamentals 1 Lab Exercises

Lab typographical conventions:

[sourcetype=db_audit] OR [cs_mime_type] indicates either a source type or the name of a field.

NOTE: Lab work will be done on your personal computer or virtual machine, no lab environment is
provided. We suggest you DO NOT do the lab work on your production environment.

The lab instructions refer to these source types by the types of data they represent:
Type Sourcetype Fields of interest
Web Application access_combined_wcookie action, bytes, categoryId, clientip,
itemId, JSESSIONID, productId,
referer, referer_domain, status,
useragent, file

Database db_audit Command, Duration, Type

Web server linux_secure COMMAND, PWD, pid, process

Lab Module 11 – Using Pivot

NOTE: This lab document has two sections. The first section includes the instructions without answers.
The second section includes instructions with the expected search string (answer) in red.
Description
In this lab, you will be building a report using the Pivot interface.

Steps
Scenario: The CFO loved the simple dashboard you created, but would like to add a report of where our
customers are coming from. She would like to know what items users added to the shopping
cart, and where those users originated from.

Task 1: Use a non-transforming command with instant Pivot.

Navigate to the Search view. (If you are in the Home app, click Search & Reporting from the column on
the left side of the screen. You can also access the Search view by clicking the Search menu option on
the green bar at the top of the screen.)

NOTE: For this course, you will be searching across all time using the main index. This is NOT a best
practice in a production environment, but needed for these labs due to the nature of the limited
dataset.

Enter in a search that returns all web application events for all time.
Click on the Visualization tab to see three icons: Pivot, Quick Reports, and Search Command.
Example:

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 1

 Click on the Pivot icon.
In the modal window, select to show All Fields and click OK.
Task 2: Build a report using the Pivot interface.

Under Filters, click , to open the filter selector, and select file from the Fields list.
Select cart.do from the match menu and click Add To Table.
Example:

Under Split Rows, click , to open the split rows selector, and then click productID.
For the Label, enter Product Added To Cart.
Keep other settings at their default values, and click Add To Table.
Under Split Columns, click to open the split columns selector, and then click referrer_domain.
Keep other settings at their default values, and click Add To Table.
Notice that a large amount of the web traffic is coming from the buttercupgames.com domain. We will
want to filter these out.

Example Results:

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 2

 Under Filters, click , to open the filter selector, and select referrer_domain from the Fields list.
Select is not and http://www.buttercupgames.com from the match menu.
Example:

Click Add To Table.

Use the black sidebar to select the Line Chart visualization.
Example:

Task 3: Add a panel to a dashboard from a pivot, and create a Data Model.

Use the Save As menu to select Dashboard Panel.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 3

 Notice that there are form fields for Model Title and Model ID. Pivot reports require a data model. Since
you used Instant Pivot from the Visualization tab, there is currently not a data model for this report.
Saving the report will create a new data model from the original search.
Save the dashboard with these values:
• Dashboard: Existing
• Dashboard Title: Sales Dashboard
• Panel Title: Sales By Referral Domain
• Model Title: Web Application Dataset
• Model ID: web_app_ds
Click View Dashboard to view the dashboard.
Click the Datasets menu option on the bar at the top of the screen.
Click Yours on the filter toolbar to show only your Datasets.
Select Explore from the actions menu and click Visualize with Pivot.
Example:

Use the Filter and Split tools to explore your data in the pivot interface.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 4

Splunk Fundamentals 1 Lab Exercises
Lab typographical conventions:
[sourcetype=db_audit] OR [cs_mime_type] indicates either a source type or the name of a field.

NOTE: Lab work will be done on your personal computer or virtual machine, no lab environment is
provided. We suggest you DO NOT do the lab work on your production environment.

The lab instructions refer to these source types by the types of data they represent:
Type Sourcetype Fields of interest
Web Application access_combined_wcookie action, bytes, categoryId, clientip,
itemId, JSESSIONID, productId,
referer, referer_domain, status,
useragent, file

Database db_audit Command, Duration, Type

Web server linux_secure COMMAND, PWD, pid, process

Lab Module 11 – Using Pivot with Solutions

NOTE: This lab document has two sections. The first section includes the instructions without answers.
The second section includes instructions with the expected search string (answer) in red.
Description
In this lab, you will be building a report using the Pivot interface.

Steps
Scenario: The CFO loved the simple dashboard you created, but would like to add a report of where our
customers are coming from. She would like to know what items users added to the shopping
cart, and where those users originated from.

Task 1: Use a non-transforming command with instant Pivot.

Navigate to the Search view. (If you are in the Home app, click Search & Reporting from the column on
the left side of the screen. You can also access the Search view by clicking the Search menu option on
the green bar at the top of the screen.)

NOTE: For this course, you will be searching across all time using the main index. This is NOT a best
practice in a production environment, but needed for these labs due to the nature of the limited
dataset.

Enter in a search that returns all web application events for all time.
(index=main sourcetype=access_combined_wcookie)
Click on the Visualization tab to see three icons: Pivot, Quick Reports, and Search Command.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 1

Example:

Click on the Pivot icon.

In the modal window, select to show All Fields and click OK.
Task 2: Build a report using the Pivot interface.

Under Filters, click , to open the filter selector, and select file from the Fields list.
Select cart.do from the match menu and click Add To Table.
Example:

Under Split Rows, click , to open the split rows selector, and then click productID.
For the Label, enter Product Added To Cart.
Keep other settings at their default values, and click Add To Table.

Under Split Columns, click to open the split columns selector, and then click referrer_domain.
Keep other settings at their default values, and click Add To Table.
Notice that a large amount of the web traffic is coming from the buttercupgames.com domain. We will
want to filter these out.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 2

Example Results:

Under Filters, click , to open the filter selector, and select referrer_domain from the Fields list.
Select is not and http://www.buttercupgames.com from the match menu.
Example:

Click Add To Table.

Use the black sidebar to select the Line Chart visualization.
Example:

Task 3: Add a panel to a dashboard from a pivot, and create a Data Model.

Use the Save As menu to select Dashboard Panel.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 3

 Notice that there are form fields for Model Title and Model ID. Pivot reports require a data model. Since
you used Instant Pivot from the Visualization tab, there is currently not a data model for this report.
Saving the report will create a new data model from the original search.
Save the dashboard with these values:
• Dashboard: Existing
• Dashboard Title: Sales Dashboard
• Panel Title: Sales By Referral Domain
• Model Title: Web Application Dataset
• Model ID: web_app_ds
Click View Dashboard to view the dashboard.
Click the Datasets menu option on the bar at the top of the screen.
Click Yours on the filter toolbar to show only your Datasets.
Select Explore from the actions menu and click Visualize with Pivot.
Example:

Use the Filter and Split tools to explore your data in the pivot interface.

© 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 4