Using Fields – Lab Solutions Guide

Overview
Welcome to the Splunk Education lab environment. These lab exercises will give you some practical
experience of using fields in searches.

Scenario
You will use data from the international video game company, Buttercup Games. A list of source types is
provided below.

NOTE: This is a lab environment driven by data generators with obvious limitations. This is not a
production environment. Screenshots approximate what you should see, not the exact output.

Index Type Sourcetype Interesting Fields

web Online sales access_combined action, bytes, categoryId, clientip, itemId,
JSESSIONID, price, productId, product_name,
referer, referer_domain, sale_price, status,
user, useragent

security Web server linux_secure action, app, dest, process, src_ip, src_port,
user, vendor_action

network Email security data cisco_esa dcid, icid, mailfrom, mailto, mid

Web security cisco_wsa_squid action, cs_method, cs_mime_type, cs_url,

appliance data cs_username, sc_bytes, sc_http_status,
sc_result_code, severity, src_ip, status, url,
usage, x_mcafee_virus_name, x_wbrs_score,
x_webcat_code_abbr

Firewall data cisco_firewall bcg_ip, dept, Duration, fname, IP, lname,

location, rfid, splunk_role, splunk_server,
Username

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 1
Common Commands & Functions
These commands and statistical functions are commonly used in searches but may not have been explicitly
discussed in the module. Please use this table for quick reference. Click on the hyperlinked SPL to be taken to
the Search Manual for that command or function.
SPL Type Description Example

Sorts results in Sort the first 100 src_ip values in descending order
descending or ascending
sort command
order by a specified field.
| sort 100 -src_ip
Can limit results to a
specific number.

Return events with a count value greater than 30

Filters search results
where command
using eval-expressions.
| where count > 30
Rename SESSIONID to 'The session ID'
Renames one or
rename command
more fields.
| rename SESSIONID as "The session ID"

Remove the host field from the results

Keeps (+) or removes (-)
fields command
fields from search
| fields - host
results.

Calculate the total sales, i.e. the sum of price values.

Calculates aggregate
stats command
statistics over the
results set.
| stats sum(price)

Concatenate first_name and last_name values with a

Calculates an expression space to create a field called "full_name"
eval command and puts the resulting
value into a new or
existing field.
| eval full_name=first_name." ".last_name

Output vendorCountry, vendor, and sales values to a

table command Returns a table. table

| table vendorCountry, vendor, sales

Returns the sum of the Calculate the sum of the bytes field
statistical values of a field. Can be
sum() function used with stats,
timechart, and chart
| stats sum(bytes)
commands.

Returns the number of Count all events as "events" and count all events that
occurrences of all events contain a value for action as "action"
count or statistical
or a specific field. Can
count() function
be used with stats, | stats count as events,
timechart, and chart count(action) as action
commands.

Refer to the Search Reference Manual for a full list of commands and functions.
© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 2
Lab Exercise 1 – Using Fields in Searches
Description
Configure the lab environment user account. Then, explore how using fields and fields with operators can
change search results. Additional tasks will test your knowledge of the rename and fields commands.

Steps
Log into Splunk and change the account name and time zone.

Set up your lab environment to fit your time zone. This also allows the
instructor to track your progress and assist you if necessary.
Log into your Splunk lab environment using the username and
password provided to you.
You may see a pop-up window welcoming you to the lab environment.
You can click Continue to Tour but this is not required. Click Skip to
dismiss the window.
Click on the username you logged in with (at the top of the screen) and
then choose Account Settings from the drop-down menu.
After you complete step 6,
In the Full name box, enter your first and last name.
you will see your name in
Click Save. the web interface.
Reload your browser to reflect the recent changes to the interface.
(This area of the web interface will be referred to as user name.)

NOTE: Sometimes there can be delays in executing an action like saving in the UI or returning results
of a search. If you are experiencing a delay, please allow the UI a few minutes to execute
your action.

Navigate to user name > Preferences.

Choose your local time zone from the Time zone drop-down menu.
Click Apply.
(Optional) Navigate to user name > Preferences > SPL Editor > Search auto-format and click on the
toggle to activate auto-formatting. Then click Apply. When the pipe character is used in search, the SPL
Editor will automatically begin the pipe on a new line.

Search auto-format disabled.

Search auto-format enabled.

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 3
 Use the Fields sidebar to examine search results.

In the top left corner of Splunk Web, select Apps > Search & Reporting. This sets our app context to the
search app.
Search online sales data (index=web sourcetype=access_combined) for all events containing a
purchase action (action=purchase.) Execute this search over the Last 24 hours.
index=web sourcetype=access_combined action=purchase

NOTE: After the search finalizes, verify that the search executed in Smart Mode. The search mode is
located under the time range picker. If the search did not execute in Smart Mode, change it to
Smart Mode, and then re-execute the search.

Examine the Interesting Fields list to the left of your events. Notice that the product_name is one of the
fields returned by Splunk.
NOTE: To find some fields, you may need to open the All Fields window from the link at the top of the
Fields sidebar.

In the Fields sidebar, under Interesting Fields, click product_name. Notice the pop-up window shows the
top ten purchased products. Close the window by clicking the X in the upper-right corner.

In the Fields sidebar, under Interesting Fields, click sale_price. This field contains the product’s
discounted price for each purchase event.
a. Make the sales_price field a selected field. From the sale_price field window, click Yes in the
upper right corner next to Selected. Close the sale_price field window by clicking the X in the
upper-right corner.
b. Notice sale_price is now a selected field in the Fields sidebar.
c. Now, each event with a value present for sale_price will have sale_price=<value> in the last
line of the event.

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 4
 In the Fields sidebar, under Selected Fields, click the sale_price field.
a. From the field window, click the value with the highest number of purchases (listed at the top.)
Notice the field and value have been added to the search criteria in the search bar. Also, this
selection causes a new search to execute using the new search criteria.
b. Remove sale_price=<value> from the search criteria (by deleting it from the search text) and
re-execute the search.
In the Fields sidebar, under Interesting Fields, click categoryId to see which types of products make up
the most purchases. Close the window by clicking the X in the upper-right corner.

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 5
 Compare results from searches using the !=, NOT, and =* field expressions.

Search for index=web sourcetype=access_combined with a time range of Yesterday.

How many events are returned? ______
Edit your search to find only events that have a value present for the action field. Run the search again.
Now, how many events are returned? ______
index=web sourcetype=access_combined action=*

This search will only find events that have some value present for the action field. Therefore, this search
should return the same or fewer events than your previous search.
In the Fields sidebar, under Interesting Fields, click action. Notice that the events contain five different
values for action. Close the window by clicking the X in the upper-right corner.

Edit your search to find events that do not have a value present for the action field. Run the search again.
How many events are returned? ______
index=web sourcetype=access_combined NOT action=*

This search will find events that do not have some value in the action field.
In the Fields sidebar, under Interesting Fields, try to find the action field.
You should not see the action field because none of the returned events should contain that field.
Add the number of events that were returned from your last two searches—the events that contain an
action value and the events that don’t. Does the sum equal the total number of events returned from your
first search? (Hint: If this is not the case, try running all three searches again and be sure the time range is
set to Yesterday for each search.)

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 6
 Edit the search to find only those events where the action field contains the value, purchase.
index=web sourcetype=access_combined action=purchase
In the Fields sidebar, under Interesting Fields, click action. Notice that you now see only one possible
value, purchase. Close the window by clicking the X in the upper right corner.
Edit the search to find events where the action field contains some value other than purchase.
How many events are returned? _____
index=web sourcetype=access_combined action!=purchase
In the Fields sidebar, under Interesting Fields, click action. Notice that you now see all possible values
except purchase. Close the window by clicking on the X in the upper right corner.
Edit the search to find events where:
a. The action field contains some value other than purchase.
b. The action field contains no value at all.
How many events are returned? _____
index=web sourcetype=access_combined NOT action=purchase
The number of events returned from this search should be greater than the number of events returned
from the previous search. If this is not the case, you should check your syntax, run the searches again,
and be sure the time range is set to Yesterday for each search.
Save your search as a report with the name L1S1.
a. Click Save As > Report
b. For Title, enter L1S1.
c. Save.
d. You can View your report or exit out of the Your Report Has Been Created window by clicking
the X in the upper-right corner.
e. You can access your saved reports using the Reports tab in the application bar.

Your recently saved L1S1 report will be visible in the Reports tab.

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 7
Scenario: SecOps wants a list of authentication failure events associated with admin roles over the
last 60 minutes.

Use keywords, field expressions, and the fields command to filter for specific events.

Search the web server (index=security sourcetype=linux_secure) for events during the Last 60
minutes.
index=security sourcetype=linux_secure
Modify your search to look for:
a. Failed password attempts by invalid users by adding failed invalid to your basic search.
b. Events associated with the administrator user, i.e. user accounts that begin with admin.
index=security sourcetype=linux_secure failed invalid user=admin*
Use the fields command to extract only the user, src_ip, and app fields.

index=security sourcetype=linux_secure failed invalid user=admin*

| fields user, src_ip, app
Save your search as a report with the name L1S2.

Complete the missing portion of a search with the rename command.

This search finds purchase events from the online sales data that encountered a server problem
(status>399.) Complete the <missing> portion of this search so that the clientip field is renamed to
"Customer IP", the host field is renamed to "Web Server", and the status field is renamed to "HTTP
Status." Run this search over the Last 4 hours.

index=web sourcetype=access_combined action=purchase status>399

| table clientip host status
| <missing>

index=web sourcetype=access_combined action=purchase status>399

| table clientip host status
| rename clientip as "Customer IP", host as "Web Server", status as "HTTP Status"
Save your search as a report with the name L1S3.

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 8
Lab Exercise 2 – Comparing Temporary vs Persistent Fields
Description
Perform search-time field extractions using the erex and rex commands.

Steps
Scenario: SecOps wants to see a count of event descriptions by port from all web server events over
the past 7 days.

Use the erex command to extract temporary fields and include events based on pattern
matching.

Search for all web server events (index=security sourcetype=linux_secure) over the Last 7 days
that contain the keyword “port”.
index=security sourcetype=linux_secure port
Scroll through the list of events. Notice how many events have “Accepted password for…” and “Failed
password for…”.

Use the erex command to create a field called event_description. Provide the phrases "Accepted
password " and "Failed password " as examples.
index=security sourcetype=linux_secure port
| erex event_description examples="Failed password , Accepted password "
Pipe your search to the following stats command:

| stats count(src_port) by event_description

The stats command uses the count function to count the number of ports (src_port) for each value
of event_description.

index=security sourcetype=linux_secure port

| erex event_description examples="Failed password , Accepted password "
| stats count(src_port) by event_description
Observe your results. There appears to be no results for “Server listening”. What is wrong? (If you don’t
see unusual results, expand your time range.)
When you view events for "Server listening" (click on Server listening in your results > View events)
you will see that the associated port is a two-digit number. If you look at the Interesting Fields sidebar,
you will also notice that there is no src_port field indicating that Splunk does not recognize 22 as a port

© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 9
 number. (NOTE: "port" is highlighted because it shows up in the basic search.)

Save your search as a report with the name L2S1. In Task 2, you will fix your search.

Use the rex command to improve your search results from Task 1.

Insert an erex command after the basic search that will create a new field called “port”. Provide it with
three port examples including 22. Edit the stats command so that it now counts port values instead of
src_port values.
index=security sourcetype=linux_secure port
| erex port examples="22,1229,1268"
| erex event_description examples="Failed password , Accepted password "
| stats count(port) by event_description
Click on the Job dropdown and view the messages. You will see that Splunk is recommending you use the
rex command with regex it has automatically generated. (Note: Your regex may be slightly different for
port.)

Replace your erex commands with the suggested rex commands.

index=security sourcetype=linux_secure port

| rex "(?i) .*?\[(?P<port>\d+)"
| rex "(?i)^[^\]]*\]:\s+(?P<event_description>\w+\s+\w+)"
| stats count(port) by event_description
Save your search as a report with the name L2S2.
© 2021 Splunk Inc. All rights reserved. Using Fields 13 October 2021 10