Scribd Logo
Upload

Welcome to Scribd!

  • Answer Sheet-Splunk Fields and SPL

    Uploaded by

    Rotana Alkaabi
    26 views4 pages
    This document outlines the tasks, questions, and points for a Splunk Fields and SPL Lab assignment, including searching for specific field values, adding table and rename commands, and explaining best practices for Splunk searching and how it can be useful for incident response investigations. Students are asked to provide screenshots of their searches and answer conceptual questions about filtering, commands, and uses of Splunk.

    Original Description:

    Original Title

    Answer Sheet-Splunk Fields and SPL

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines the tasks, questions, and points for a Splunk Fields and SPL Lab assignment, including searching for specific field values, adding table and rename commands, and explaining best practices for Splunk searching and how it can be useful for incident response investigations. Students are asked to provide screenshots of their searches and answer conceptual questions about filtering, commands, and uses of Splunk.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    26 views4 pages

    Answer Sheet-Splunk Fields and SPL

    Uploaded by

    Rotana Alkaabi
    This document outlines the tasks, questions, and points for a Splunk Fields and SPL Lab assignment, including searching for specific field values, adding table and rename commands, and explaining best practices for Splunk searching and how it can be useful for incident response investigations. Students are asked to provide screenshots of their searches and answer conceptual questions about filtering, commands, and uses of Splunk.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 4

    Answer Sheet: Splunk Fields and SPL Lab R

    Total Points: 45 pts


    Task Pt Questions
    s
    Task 1 20 When you complete all the modules, take a screenshot of the course
    overview that reflects your completion and paste it in the answer sheet.
    Module 4: 4 pts
    Module 6: 6 pts
    Module 7: 4 pts
    Module 8: 6 pts

    3 Q1: What is the difference between the search “status != 200” and “NOT
    status = 200”
    status != 200 returns events where status field exists and value in field doesn't
    equal to 200. Whereas NOT status = 200 returns events where status field
    exists and value in field doesn't equal 200 and all events where status field
    doesn't exist.

    3 Q2: Why it is better to place “dedup” (the command used for removing
    duplicates) as early as possible in a search?
    Dedup or data deduplication is a process that eliminates excessive copies of
    data and significantly decreases storage capacity requirements so that you can
    do efficient field search.

    Task 2 2 Step 1: (1) What does “a” in mean?

    a means string value.

    3 (2) Take a screenshot of your current search box and paste it in the
    answer sheet.

    3 Step 2:
    (3) Add a table command to your search, and take a screenshot of your
    search and paste it to answer sheet.
    3 (4) Add a rename command to your search, and take a screenshot of
    your search and paste it to answer sheet.
    Post- 5 Q1: Recall what you learned in Splunk training Module 7, answer the
    Lab following questions:
    Questio In one paragraph, summarize the best practice of running Splunk Search.
    ns (You can also refer to this webpage:
    https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-
    search-best-practices.html)

    Splunk Search best practice is the filtering, it filters as early as possible


    and greatly speed up the search. As soon as the filters and other fields are
    added, it makes the search running faster.
    Splunk has a robust search functionality that enables to search the all the
    data sets, which is the best practice of this search.

    3 Q2: In one paragraph, explain why Splunk search can be useful during IR
    investigation.
    Splunk will be very beneficial during IR investigation. The reason is
    Splunk is able to check all the details of the data through their log for any
    possible of malicious activity. Also Splunk search can be useful during IR
    investigation because Splunk search has the ability to use time to limit the
    events returned. Also, Splunk search can run search in real time and real
    time searches allow investigator to monitor what happening in the data
    during IR investigation in real time stream of information

    You might also like