Splunk Lab - Creating Knowledge Objects

Creating Knowledge Objects Lab Guide

Overview
Welcome to the Splunk Education lab environment. These lab exercises will test your knowledge of creating
knowledge objects in a Splunk environment.

Scenario
You will use data from the international video game company, Buttercup Games. A list of source types is
provided below.

NOTE: This is a lab environment driven by data generators with obvious limitations. This is not a
production environment. Screenshots approximate what you should see, not the exact output.

Index      Type                           Sourcetype         Interesting Fields
web        Online sales                   access_combined    action, bytes, categoryId, clientip, itemId, JSESSIONID, price, productId, product_name, referer, referer_domain, sale_price, status, user, useragent
security   Web server                     linux_secure       action, app, dest, process, src_ip, src_port, user, vendor_action
sales      Business Intelligence server   sales_entries      AcctCode, CustomerID, TransactionID
sales      Retail sales                   vendor_sales       categoryId, product_name, productId, sale_price, Vendor, VendorCity, VendorCountry, VendorID, VendorStateProvince
network    Web security appliance data    cisco_wsa_squid    action, cs_method, cs_mime_type, cs_url, cs_username, sc_bytes, sc_http_status, sc_result_code, severity, src_ip, status, url, usage, x_mcafee_virus_name, x_wbrs_score, x_webcat_code_abbr
network    Firewall data                  cisco_firewall     bcg_ip, dept, Duration, fname, IP, lname, location, rfid, splunk_role, splunk_server, Username

© 2021 Splunk Inc. All rights reserved. Creating Knowledge Objects 13 October 2021
1
Common Commands and Functions
These commands and statistical functions are commonly used in searches but may not have been explicitly
discussed in the module. Please use this table for quick reference. Click on the hyperlinked SPL to be taken to
the Search Manual for that command or function.
SPL: sort (command)
  Description: Sorts results in descending or ascending order by a specified field. Can limit results to a specific number.
  Example: Sort the first 100 src_ip values in descending order
    | sort 100 -src_ip

SPL: where (command)
  Description: Filters search results using eval-expressions.
  Example: Return events with a count value greater than 30
    | where count > 30

SPL: rename (command)
  Description: Renames one or more fields.
  Example: Rename SESSIONID to 'The session ID'
    | rename SESSIONID as "The session ID"

SPL: fields (command)
  Description: Keeps (+) or removes (-) fields from search results.
  Example: Remove the host field from the results
    | fields - host

SPL: stats (command)
  Description: Calculates aggregate statistics over the results set.
  Example: Calculate the total sales, i.e. the sum of price values
    | stats sum(price)

SPL: eval (command)
  Description: Calculates an expression and puts the resulting value into a new or existing field.
  Example: Concatenate first_name and last_name values with a space to create a field called "full_name"
    | eval full_name=first_name." ".last_name

SPL: table (command)
  Description: Returns a table.
  Example: Output vendorCountry, vendor, and sales values to a table
    | table vendorCountry, vendor, sales

SPL: sum() (function)
  Description: Returns the sum of the values of a field. Can be used with the stats, timechart, and chart commands.
  Example: Calculate the sum of the bytes field
    | stats sum(bytes)

SPL: count or count() (function)
  Description: Returns the number of occurrences of all events or of a specific field. Can be used with the stats, timechart, and chart commands.
  Example: Count all events as "events" and count all events that contain a value for action as "action"
    | stats count as events, count(action) as action

Refer to the Search Reference Manual for a full list of commands and functions.

Lab Exercise 1 – Creating Event Types


Description
Configure the lab environment user account. Then, create event tags to monitor failed login attempts made
with various administrator accounts.

Steps
Task 1: Log into Splunk and change the account name and time zone.

Set up your lab environment to fit your time zone. This also allows the instructor to track your progress and
assist you if necessary.
1. Log into your Splunk lab environment using the username and password provided to you.
2. You may see a pop-up window welcoming you to the lab environment. You can click Continue to Tour but
this is not required. Click Skip to dismiss the window.
3. Click on the username you logged in with (at the top of the screen) and then choose Account Settings
from the drop-down menu.
4. In the Full name box, enter your first and last name.
5. Click Save.
6. Reload your browser to reflect the recent changes to the interface. After you complete step 6, you will see
your name in the web interface. (This area of the web interface will be referred to as user name.)

NOTE: Sometimes there can be delays in executing an action like saving in the user interface or
returning results of a search. If you are experiencing a delay, please allow the user interface a
few minutes to execute your action.

7. Navigate to user name > Preferences.


8. Choose your local time zone from the Time zone drop-down menu.
9. Click Apply.
10. (Optional) Navigate to user name > Preferences > SPL Editor > Search auto-format and click on the
toggle to activate auto-formatting. Then click Apply. When the pipe character is used in search, the SPL
Editor will automatically begin the pipe on a new line.

Search auto-format disabled (default)

Search auto-format enabled


Scenario: The IT Operations team needs to monitor failed login attempts made with any variation of
admin/administrator user accounts to their network devices. To avoid lengthy searches,
include all events with these user accounts and create tags.

Task 2: Create an event type for status errors greater than 500 on web servers/devices.

11. In the top left corner of Splunk Web, select Apps > Search & Reporting. This sets the app context to the
search app.
12. Search for all online sales and Web security appliance data with status error codes greater than 500 in the
last 7 days.
(index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid)
status>=500

13. Select Save As > Event Type.


14. Name your event type: web_error
15. Leave the Priority set to 1 (Highest).
16. Click Save.
17. Click Done in the “Your Event Type Has Been Created” dialog box.
18. Perform a search for the web_error event type for the Last 7 days.
eventtype=web_error

a. Expand an event and click the check box next to eventtype to add it to the Selected fields.

b. In the Fields side menu, how many sourcetypes are returned?


Two sourcetypes.

NOTE: Depending upon add-ons or apps you have installed, additional event types may be displayed.
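The event type saved in steps 13 to 17 is stored by Splunk as a stanza in eventtypes.conf. The following stanza is an added example of what that file contains after Task 2, not text from the lab guide: the file path assumes a default installation with the search app as the destination app, and the description line is this example's own wording (the lab leaves the description empty).

```ini
# $SPLUNK_HOME/etc/apps/search/local/eventtypes.conf (added example, not from the lab)

# Written by Save As > Event Type in Task 2. At search time, eventtype=web_error is
# replaced by this search string, so the event type is exactly as selective as the
# search it wraps; changing the stanza changes every search and report that uses it.
[web_error]
search = (index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status>=500
priority = 1
description = HTTP status 500 and above from online sales and web security appliance data
```

Priority runs from 1 (highest) to 10 and controls the order in which matching event types are listed when an event matches more than one; it does not affect which events match. Because the stanza lives in a plain text file, event types written through the web interface can be exported, reviewed and version-controlled like any other configuration, which is the practical way to keep track of who changed a detection-style search such as this one.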

Lab Exercise 2: Creating Workflow Actions
Description
Create GET, POST, and Search workflow actions.

Steps
Scenario: Hackers are continually trying to log into the Linux web server. IT Ops analysts need to
track ongoing attempts by external sources trying to log in with invalid credentials.

Task 1: Create a GET workflow action that opens a new browser window with information about the
source IP address.

1. Navigate to Settings > Fields > Workflow actions.


a. Click New Workflow Action.
b. For the Destination App, select search.
c. For Name, type: get_whois_info
d. For Label, type: Get info for IP: $src_ip$
e. For Apply only to the following fields, type: src_ip
f. For Action type, make sure link is selected.
g. For URI, type: https://who.is/whois-ip/ip-address/$src_ip$
h. From the Open link in drop-down menu, verify New window is selected.
i. From the Link Method drop-down menu, verify get is selected.
j. Save your workflow action.
2. Verify your workflow action works as expected. Return to the search app and search for index=security
sourcetype=linux_secure src_ip=* over the last 24 hours. (You may need to refresh your browser
for the workflow action to appear.)
a. Expand the first event containing a value for src_ip and click Event Actions.
b. Click Get info for IP: {src_ip}. A secondary browser window or tab should open to the URI and
display the IP address information.
NOTE: If whois is not behaving as expected, try https://whois.domaintools.com/$src_ip$.

Scenario: The revenue accounting department is having issues with sales transactions not posting
to the accounting system. This issue is causing revenue recognition discrepancies and
the IT department is tasked with notifying the accounting system administrators when
there is a transaction error in the system.

Task 2: Create a POST workflow action that uses fields from events with errors to create a ticket in
the IT ticket tracking system.

3. Perform a search in the Last 7 days on the sales_entries sourcetype for events posting errors. These
events contain two fields that are needed when creating tickets in the tracking system: TransactionID
and CustomerID.
index=sales sourcetype=sales_entries error

NOTE: This lab exercise requires a field extraction that assigns the field name result to the string "error".
This extraction allows you to easily search for events where result=error. The result=error
field extraction has already been created for you in this lab environment.

4. Create a new workflow action. Navigate to Settings > Fields > Workflow actions. Select New Workflow
Action.
a. For the Destination App, select search.
b. For Name, type: Create accounting system ticket
c. For Label, type: Open accounting ticket for transaction $TransactionID$
d. For Apply only to the following fields, type: result
e. For Show Action in, select Event menu.
f. For Action type, make sure link is selected.
g. For URI, type: http://52.3.246.206
h. From the Open link in drop-down menu, select New window.
i. From the Link Method drop-down menu, select post.
j. Enter the following values for the Post arguments:
— details = $_raw$
— environment = $host$
— occurred = $_time$
— priority = Urgent
— summary = sales transaction error on $host$
k. Click Save.
5. Rerun your search for events where result=error and view the details of one of the returned events. Does
your POST workflow action appear?
6. Click on your workflow action. A new browser window should appear with the ticket details.

Results Example:

Task 3: Create a Search workflow action that performs a search for all failed password events
associated with a specific IP address.

7. Navigate to Settings > Fields > Workflow actions.


a. Click New Workflow Action.
b. For the Destination App, select search.
c. For Name, type: search_access_by_ipaddress
d. For Label, type: Search failed login by IP: $src_ip$
e. For Apply only to the following fields, type: src_ip
f. From the Action Type drop-down menu, select search.
g. In the Search string field, type: index=security sourcetype=linux_secure failed src_ip=$src_ip$
h. From the Run in app drop-down menu, select search.
i. From the Run search in drop-down menu, verify New window is selected.
j. Select the Use the same time range as the search that created the field listing checkbox.
k. Save your workflow action.
8. Verify your workflow action works as expected. Return to the Search & Reporting app and search for
index=security sourcetype=linux_secure src_ip=* over the last 24 hours. (You may need to
refresh your browser for the workflow action to appear.)
a. Expand an event with an IP address field and click Event Actions.
b. Select Search failed login by IP: {src_ip}
c. A secondary search window should open with the search results for the IP address.

Results Example:

Lab Exercise 3: Creating Tags and Aliases
Description
This lab exercise walks you through the process of creating field aliases and tags.

Steps
Scenario: The IT Ops team runs reports for all employee access, but the user name field is not
consistent across the different source types.

Task 1: Create a field alias so that cs_username also appears as user.

1. Search all events in the cisco_wsa_squid sourcetype over the Last 7 days.
index=network sourcetype=cisco_wsa_squid

2. Note the cs_username field values.


3. Go to Settings > Fields > Field aliases. Create a new field alias with the following values:
— Destination app: search
— Name: cisco_wsa_squid_aliases
— Apply to: sourcetype
— Named: cisco_wsa_squid
— Field aliases: cs_username = user
4. Select the Overwrite field values check box and click Save.

5. Return to Search. Re-run your search and examine the user field and values.

6. Search for all events in the cisco_firewall sourcetype over the last 30 days.
7. Note the Username field values.
8. Create another field alias for sourcetype cisco_firewall with the following values:
— Destination app: search
— Name: cisco_firewall_aliases
— Apply to: sourcetype
— Named: cisco_firewall
— Field aliases: Username = user
9. Perform the following search: index=network sourcetype=cisco* user=* over the Last 30 days.
You should receive results from the cisco_wsa_squid and cisco_firewall sourcetypes.

NOTE: It may take a minute before the field aliases are applied and appear in searches.

Supplemental Exercise:

Scenario: The IT Ops team wants to correlate data from multiple source types using the http_action
and http_method fields. In the access_combined source type, these fields are currently
called action and method.

Task 2: Create two field aliases for the access_combined sourcetype called http_action and
http_method, based on the existing access_combined fields action and method.

10. Create the field aliases.


11. Run a search to verify that the field aliases were created correctly.

Scenario: The IT Operations team needs to monitor failed login attempts made with any variation of
admin/administrator user accounts to their network devices. To avoid lengthy searches,
include all events with these user accounts and create tags.

Task 3: Create tags to identify all admin accounts.

12. Run a search over the Last 24 hours for all failed login attempts for any variation of the user admin under
the security index. You should see the following five users: admin, administrator, sysadmin, itmadmin, and
sapadmin.
index=security failed user=*admin*

NOTE: Only trailing wildcards make efficient use of indexes. For that reason, it is generally a best
practice not to use wildcards at the beginning of a string, as such searches must scan all events
within the specified timeframe. However, doing a search with a wildcard at the beginning of a
string is possible and sometimes necessary in particular scenarios. Be advised, however, that
such searches are inefficient and, in general, should be avoided. Performing an occasional
inefficient ad hoc search shouldn’t have too much of a performance impact, but such searches
certainly shouldn’t be used in reports, dashboards, dataset constraints, etc.

13. Expand an event and find the row for the user field. Click the down arrow under the Actions column and
select Edit Tags.

14. In the Tag(s) field, type privileged_user and click Save.


15. Create tags for each variation of the user admin (admin, administrator, sysadmin, itmadmin, and
sapadmin). You can create the subsequent tags the same way you created the first one, from the Events
tab of the search results. Alternatively, to create the subsequent tags, go to the Settings > Tags > List by
tag name screen, choose the newly created privileged_user tag, add the other four types of admins, and
click Save.
16. Run the search again and check to see that the privileged_user tag was created.
index=security failed user=*admin*

17. Add tag to your list of Selected Fields if not already present.

Task 4: Use tags in a search.

18. Search for all failed login attempts by privileged user accounts for the Last 7 days. You should see the
following five users: admin, administrator, sysadmin, itmadmin, sapadmin
index=security failed tag=privileged_user
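The field aliases from Tasks 1 and 2 and the tags from Tasks 3 and 4 are stored in props.conf and tags.conf respectively. The stanzas below are an added example of those two files after this exercise, not content from the lab guide: the paths assume a default installation with the search app as the destination app, the alias class name access_combined_aliases for the supplemental exercise is this example's own choice (the lab does not name it), and the AS keyword is assumed here to correspond to the "Overwrite field values" box being checked in step 4; Splunk's ASNEW keyword is the form that leaves an existing user value untouched.

```ini
# $SPLUNK_HOME/etc/apps/search/local/props.conf (added example, not from the lab)

# Task 1, steps 3 and 4: cs_username also appears as user in this sourcetype.
# AS is assumed to match the "Overwrite field values" checkbox; ASNEW would keep
# an existing user value instead of replacing it.
[cisco_wsa_squid]
FIELDALIAS-cisco_wsa_squid_aliases = cs_username AS user

# Task 1, step 8
[cisco_firewall]
FIELDALIAS-cisco_firewall_aliases = Username AS user

# Task 2 (supplemental): several aliases can share one class; the class name
# access_combined_aliases is this example's choice
[access_combined]
FIELDALIAS-access_combined_aliases = action AS http_action method AS http_method

# $SPLUNK_HOME/etc/apps/search/local/tags.conf (added example, not from the lab)
# Tasks 3 and 4: a tag is attached to a field=value pair, one stanza per value,
# which is what the Settings > Tags > List by tag name screen edits.
[user=admin]
privileged_user = enabled

[user=administrator]
privileged_user = enabled

[user=sysadmin]
privileged_user = enabled

[user=itmadmin]
privileged_user = enabled

[user=sapadmin]
privileged_user = enabled
```

Because a tag belongs to a field=value pair rather than to a source type, once the aliases are in place the search tag=privileged_user also matches the aliased user field in cisco_wsa_squid and cisco_firewall events, which is the cross-source correlation the scenario asks for. This is also why the tag is the better long-term knowledge object than the step 12 search: tag=privileged_user expands to an OR of exact user values, whereas user=*admin* carries the leading wildcard the NOTE warns against. The caveat is that the tag only covers the five values listed; a newly created admin-style account stays untagged until someone adds it, so an occasional ad hoc check such as index=security failed user=*admin* NOT tag=privileged_user is a reasonable way to find values the tag has missed.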

Lab Exercise 4: Creating Search Macros
Description
This lab exercise walks you through the steps for creating a basic macro and a macro with arguments.

Steps
Scenario: The VP of Sales wants to run ad-hoc searches to determine the value of products sold in a
given month in various countries. He also wants to easily convert US Dollars to the same
value in another currency.

Task 1: Use the provided search to create a macro that will create a table displaying the total sales of
each product sold in certain European countries.

1. This search finds all retail sales events from Germany, France, and Italy (index=sales
sourcetype=vendor_sales VendorCountry IN (Germany, France, Italy)) and calculates the total
sales by each product with the stats command. Then, the eval command converts the numeric sales
values to string values with commas and a "$" sign. Run this search over the Last 30 days. (Hint: After
typing this search string, you may want to copy it into a notepad, as you’ll be using it to create a macro
later in this exercise.)
index=sales sourcetype=vendor_sales VendorCountry IN (Germany, France, Italy)
| stats sum(price) as USD by product_name
| eval USD = "$".tostring(USD,"commas")

2. Navigate to Settings > Advanced search > Search macros. Click New Search Macro.
3. Verify the Destination app is set to search.
4. Name the macro: Europe_sales
5. In the Definition field, type or paste the search string from Step 1.
6. Save the macro.

Task 2: Use your macro.

7. Return to the Search & Reporting app. In the search bar, type `Europe_sales` and search over the
Last 30 days. Examine the results.
NOTE: Remember to type the macro name between backticks, not single quotes.

Task 3: Create a macro that allows users to specify currency when performing a search. This macro
uses currency, currency symbol, and rate as variables (arguments).

8. Run the following search to determine total sales for each product from vendors in Europe in the last
30 days:
index=sales sourcetype=vendor_sales VendorCountry IN (Germany, France, Italy)
| stats sum(price) as USD by product_name
| eval euro = "€".tostring(round(USD*0.79,2), "commas"), USD = "$".tostring(USD,"commas")

Now you’re going to use the second portion of this search string, where the evaluations are done, to create a
dynamic macro with arguments.

9. Navigate to Settings > Advanced search > Search macros and click New Search Macro.
10. Verify the Destination app is set to search.
11. Name the macro: convert_sales(3)
12. To make things easy for the user, the currency, currency symbol and exchange rate are arguments. In the
Definition field, enter the following search string (the arguments are encapsulated by the $ signs):
stats sum(price) as USD by product_name
| eval $currency$="$symbol$".tostring(round(USD*$rate$,2),"commas"), USD="$".tostring(USD,"commas")

NOTE: Be sure to include the pipe symbol ( | ) before the eval command.

13. In the Arguments field, type the arguments, separated by commas. (Hint: The order of variables must
match the order in which the arguments are passed.)
14. Save the macro.

Task 4: Use your macro with arguments in a search.

15. Return to the Search & Reporting app. Perform a search for sourcetype=vendor_sales where the
VendorCountry is Germany, France, or Italy. Use the macro and pass the arguments euro, €, and 0.79
for results in the Last 30 days. (Hint: You can copy and paste the € symbol from this document.)
index=sales sourcetype=vendor_sales VendorCountry IN (Germany, France, Italy)
| `convert_sales(euro,€,.79)`

16. Run the search again for sales in the UK with the following arguments GBP, £, and 0.64. Copy/paste the £
symbol from this document.
index=sales sourcetype=vendor_sales VendorCountry="United Kingdom"
|`convert_sales(GBP,£,.64)`

Task 5: Edit your macro and use the isnum expression to validate the rate field.

17. Navigate to Settings > Advanced search > Search macros. Choose your user name from the Owner
drop-down menu.

18. Click on the convert_sales(3) link.


19. In the Validation Expression text box, type: isnum($rate$)
NOTE: isnum is an informational evaluation function that accepts a single argument and returns TRUE
if the argument is a numerical value. Refer to the Search Reference manual for more
information about isnum and other informational functions.

20. In the Validation Error Message text box, type:

This macro is expecting to be called as `convert_sales(currency,symbol,rate)` where rate is a numeric value.

21. Click Save.


22. Return to the Search & Reporting app. Perform a search for sourcetype=vendor_sales for the Last 30
days where the VendorCountry is Germany, France, or Italy. Use the macro, but deliberately pass a non-
numeric value for the rate argument (for example, pass the arguments euro, €, and .xxx).
index=sales sourcetype=vendor_sales VendorCountry IN (Germany, France, Italy)
| `convert_sales(euro,€,.xxx)`

23. Check to see that your error message displays.

Results Example:
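Both macros from this exercise, including the validation added in Task 5, are stored in macros.conf. The stanzas below are an added example of that file, not content from the lab guide: the path assumes a default installation with the search app as the destination app, and the definitions and messages are the ones typed in steps 5, 12, 19 and 20.

```ini
# $SPLUNK_HOME/etc/apps/search/local/macros.conf (added example, not from the lab)

# Task 1: a macro with no arguments. `Europe_sales` in a search is replaced by the
# definition text before the search runs.
[Europe_sales]
definition = index=sales sourcetype=vendor_sales VendorCountry IN (Germany, France, Italy) | stats sum(price) as USD by product_name | eval USD = "$".tostring(USD,"commas")

# Tasks 3 and 5: the (3) in the stanza name is the argument count, and args lists
# them in the order callers must pass them (step 13). Each $name$ in the definition
# is replaced textually; validation is an eval expression run on the substituted
# values, and errormsg is shown when it returns false.
[convert_sales(3)]
args = currency,symbol,rate
definition = stats sum(price) as USD by product_name | eval $currency$="$symbol$".tostring(round(USD*$rate$,2),"commas"), USD="$".tostring(USD,"commas")
validation = isnum($rate$)
errormsg = This macro is expecting to be called as `convert_sales(currency,symbol,rate)` where rate is a numeric value.
```

Arguments are substituted as plain text before the search is parsed, and the validation expression is the only check that runs on them. isnum($rate$) rejects the .xxx call from step 22, but currency and symbol are inserted unchecked. If the macro is going to be shared, extending the validation to cover them, for example isnum($rate$) AND match("$currency$", "^[A-Za-z]+$"), rejects a currency name containing anything other than letters; note that the argument has to be quoted inside match(), because a bare substitution such as euro would be read as a field name rather than a string.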

Lab Exercise 5: Creating Calculated Fields
Description
This lab exercise walks you through the steps for creating calculated fields.

Steps
Scenario: The IT Ops team is monitoring bandwidth usage for all users for the last month, but the
data is reported in bytes. The team needs the usage to be measured in megabytes.

Task 1: Create a calculated field that converts bytes to MB.

1. Search for all events in the Last 7 days for the cisco_wsa_squid sourcetype.
index=network sourcetype=cisco_wsa_squid

2. Note the sc_bytes field. This field displays the number of bytes transferred for that event.
3. Go to Settings > Fields > Calculated fields > New Calculated Field.
4. Create a calculated field named sc_megabytes that converts the value of sc_bytes to MB with the
following values:
— Destination app: search
— Apply to: sourcetype
— Named: cisco_wsa_squid
— Name: sc_megabytes
— Eval expression: sc_bytes/(1024*1024)
5. Return to the Search & Reporting app. Run this search using sc_megabytes over the Last 7 days.
index=network sourcetype=cisco_wsa_squid
| stats sum(sc_megabytes) as "Bandwidth (MB)", sum(sc_bytes) as sc_bytes by usage
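The calculated field from Task 1 is stored as an EVAL- setting in props.conf, alongside any field aliases for the same sourcetype. The stanza below is an added example of that setting, not content from the lab guide: the path assumes a default installation with the search app as the destination app, and the second field, sc_megabytes_rounded, is this example's own addition showing how to round the result and handle events whose sc_bytes value is missing or not numeric (the lab defines only sc_megabytes).

```ini
# $SPLUNK_HOME/etc/apps/search/local/props.conf (added example, not from the lab)
[cisco_wsa_squid]
# Task 1, step 4: evaluated at search time for every event of this sourcetype;
# nothing is written to the index, so the definition can be changed at any time.
EVAL-sc_megabytes = sc_bytes/(1024*1024)

# Example's own variant (not part of the lab): round to three decimals, and give
# events with no numeric sc_bytes no value at all instead of a silently empty one.
EVAL-sc_megabytes_rounded = if(isnum(sc_bytes), round(sc_bytes/(1024*1024), 3), null())
```

Splunk applies search-time knowledge objects in a fixed order: field aliases are resolved before calculated fields, and calculated fields before lookups, event types and tags. In practice that means sc_megabytes could be defined in terms of an aliased field, a lookup or a tag can use sc_megabytes, but an alias cannot be built from a calculated field, which is a common reason a seemingly correct definition yields no values.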
