Splunk: Basics

Learn the basics of Splunk.

As the leading SIEM solution, Splunk allows for collecting, analyzing, and correlating logs in real time.

Splunk Components

Splunk's three main components are the Forwarder, Indexer, and Search Head.

Splunk Forwarder

Splunk Forwarder is a lightweight agent installed on an endpoint you wish to monitor. The Forwarder collects data and sends it to the Splunk instance; because it does little processing of the data itself, it has minimal impact on the endpoint's performance.

Key data sources include:

  • Web server generating web traffic.

  • Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.

  • Linux host generating host-centric logs.

  • Database generating DB connection requests, responses, and errors.

Splunk Indexer

Splunk Indexer is the main component: it processes the received data into normalized field-value pairs, determines data types, and stores the data as events. This is beneficial because processed data is easy to search and analyze.

Search Head

Splunk Search Head allows users to search the indexed logs using SPL (Search Processing Language). The request is sent to the Indexer, which returns the relevant events as field-value pairs. Additionally, the Search Head can transform results into visualizations.
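As an added example (not part of the original notes), here is what a Search Head query looks like in SPL. It pulls Windows Security events that a Forwarder delivered into an index, filters on field-value pairs the Indexer extracted, and ends with a transforming command whose table the Search Head can render as a chart. The index name `windows` and the threshold of 10 are assumptions; the field names `EventCode`, `Account_Name`, and `Source_Network_Address` follow the Splunk Windows add-on's naming and should be checked against your own extractions (sourcetype `WinEventLog:Security` and Event ID 4625, failed logon, are standard).

```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4625 earliest=-24h
| stats count AS failures,
        dc(Account_Name) AS distinct_accounts,
        values(Account_Name) AS accounts
        BY Source_Network_Address
| where failures > 10
| sort - failures
```

Replacing the `stats` line with `| timechart span=1h count BY Source_Network_Address` turns the same search into time-bucketed counts that the Search Head plots as a line chart.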
