SPLK-1003 Splunk Enterprise Certified Admin – Splunk Inbuilt & Advanced Visualizations Part 3
- What is a Splunk Workflow?
We have learned about the drill-down features in dashboards, with which you should be able to build some useful use cases for narrowing down in Splunk: drilling down into other dashboards or into the same dashboard. Now let us see how we can add more value to Splunk by creating a workflow action. Imagine the first step you take when you find some odd IP address or string in your logs. What is the first thing that comes to mind? For me it is: let me Google this. Let me Google this IP address, or the user agent, or the status code, whatever it is, to identify or understand more about it.
Let's see how we can configure that as a workflow action so that it becomes as simple as clicking a link. In our Splunk we'll configure a workflow action on a field: the client IP, that is, the client who is accessing my website. I have his IP address and I want to Google it to know more about it. We'll configure this as a workflow action so that it is accomplished by just clicking a link. We can also expand this to check whether the IP has been blocklisted, to get more information through a WHOIS lookup, or, if it is an internal IP such as the ones our application testers use, to look it up in an asset database if we have one in the environment. That is what workflow actions are about. We'll see how to create one in our lab exercise. This is our search head; we'll use it to create the workflow action.
We have identified that we want to Google our client IP address. Let's check whether the client IP is present in our logs and what the field name is. Over the last 30 days we should see the tutorial data we uploaded to this search head in previous discussions. Here is my client IP field; let me bring it to the top. As you can see, every time I want to know more about a client IP I have to Google it by hand. Instead, you can automate this with a single click.
You should reach a page that gives you much more information, or you can narrow it down to a WHOIS lookup or any other third-party site where you can get more information about these IP addresses. For now, just remember: this is called the Event menu and this is called the Field menu, and that is where we will add our "Google this IP address" action. Event menus and field menus give you additional actions that you can take on an event or on a specific field, and that is where workflow actions appear. We have verified that we have a clientip field. Now let us see how to create our workflow action.
- Creating a Splunk Workflow Action
To create a workflow action, go to Settings and click Fields. On the Fields page you will see a menu called Workflow actions, which lists all the workflow actions already defined in your Splunk instance; some of these are built in. We will add our own. I'll give it the name demo_workflow and the label Google Client IP Address, to be specific. The label is what is displayed in the menu before you click the link. Once you have added the label, you specify which fields this action should be attached to. One is clientip, our client IP field.
There are also a couple of other fields we extracted in earlier discussions: the IP address fields extracted with props.conf and transforms.conf (the latter named IP_Address_transforms). The names are not ideal, but that is how we extracted them, so let us stick with them. So I've added the action to three fields for Googling the client IP. In the next box, if we know the specific event types to which this should apply, we can specify them; we'll leave it blank because as of now we don't know in which event types the client IP exists. Next is where the action should be displayed. As we saw previously with a quick raw search (index=...), there are event menus and field menus; we'll choose Both so the action is displayed in each. Then the action type: a link or a search.
If it is a search, clicking the action opens a new search inside Splunk. Instead, we'll make it a link: it should go to a third-party site, Google search, followed by our query using the client IP. The client IP is passed as a token, $clientip$; this is how variables are passed from one page to another in Splunk. As part of the URL we pass the client IP value to google.com to query for results. How do we know the URL format? Whenever you search for anything in Google, look at how the URL is built; based on that, we pass our argument as the Google query parameter. For how the link should open, choose New window, because opening it in the current window would lose our search.
If you use the POST method you can specify arguments, such as a username and password for a private service, say an internal DNS lookup, so that you authenticate before querying it. Keep in mind that POST arguments are saved in clear text in workflow_actions.conf and are sent from each user's browser, so a shared credential placed there is visible to anyone who can read the file or watch the request. For this example we'll keep GET, and I'll save. Our first workflow action has been saved successfully. Now let us run a search to check it: the source type is our access log and we want only events with a client IP, so I'll add clientip=*. We can see all the client IPs, but the workflow action we created, which should be under the Event menu, is not displayed yet. This is a browser caching issue: after a configuration or UI change you need to refresh, because most requests are served from the browser cache. So I did a forced refresh with Ctrl+F5.
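Here is the same workflow action written as a workflow_actions.conf stanza, which is what the Settings > Fields > Workflow actions form saves on the search head. This is an added example rather than a file from the course; the stanza names, the ip_blocklist.csv lookup and the intel service URL are assumptions for illustration. The second and third stanzas show the search action type and the POST method mentioned above, and the comments carry the checks a practitioner should keep in mind.

```ini
# Added example, not a file from the course: the workflow action built above in
# Settings > Fields > Workflow actions, written as the workflow_actions.conf
# stanzas that form saves. Stanza names, the blocklist lookup name and the
# intel service URL are assumed for illustration. Put the file at
# $SPLUNK_HOME/etc/apps/search/local/workflow_actions.conf on the search head,
# restart Splunk, then force-refresh the browser as in the lecture.

# 1. The lecture's action: open a Google search for the client IP in a new tab.
[google_clientip]
label = Google Client IP Address
fields = clientip
display_location = both
type = link
link.uri = https://www.google.com/search?q=$clientip$
link.method = get
link.target = blank
# $clientip$ is URL-encoded when it is inserted. To attach one action to several
# IP fields (clientip plus the props/transforms-extracted ones) without a stanza
# per field, list them all in "fields" and use $@field_value$, the value of the
# field whose menu was opened, instead of a fixed field name.

# 2. A search-type action: pivot to a local blocklist lookup instead of sending
#    the IP off-box. ip_blocklist.csv is an assumed lookup with an "ip" column.
[check_clientip_blocklist]
label = Check Client IP against blocklist
fields = clientip
display_location = field_menu
type = search
search.search_string = | inputlookup ip_blocklist.csv | search ip="$clientip$"
search.target = blank
search.preserve_timerange = true
# The field value is substituted straight into SPL, so keep the quotes around
# the token; an unquoted value containing spaces or operators would change the
# search that runs under the clicking user's permissions.

# 3. A POST link to a private intel service (assumed URL). Anything placed in
#    link.postargs is stored in clear text in this file and sent from every
#    user's browser, so do not embed a shared credential here.
[private_threat_feed]
label = Query private threat feed
fields = clientip
display_location = field_menu
type = link
link.uri = https://intel.example.internal/lookup
link.method = post
link.target = blank
link.postargs.1.key = ip
link.postargs.1.value = $clientip$
```

The first stanza sends the field value to a third party over GET; that is fine for a public client IP, but the same pattern applied to user agents, raw events or internal addresses leaks log content to whoever runs the site, which is why the second stanza keeps the blocklist check inside Splunk.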
- Demo of a Splunk Workflow Action
Let me rerun the same search. Now we should see our newly created action, Google Client IP Address, in the event actions menu. Second, on the clientip field itself we should also see Google Client IP Address. Similarly, we added it for the props-extracted IP address field; as you can see it is available there, but it will not be visible on any other field. Since we added it to all three fields, we see Google Client IP Address on each of them, and as soon as you click it, it redirects you to the search results for that value.
As you can see, it is as simple as clicking a link to Google this information. Other simple workflow actions are lookups: you can have an action that does a WHOIS lookup, which gives complete domain information and who registered it. Similarly, you can do a blocklist lookup to check whether the IP is listed, and if you have external threat feeds you can pass a username and password as part of the POST request while configuring the action and check whether the IP appears in a threat feed. Those are the security use cases.
For other industries, you could for example create an incident through an event action: when you see these kinds of logs, the action creates an incident and assigns it to a specific team. You can also look up the users of your products; if that data is stored in a separate database, you can query the database to get more information about the values present in your logs.
- Visualizations in Splunk
To understand dashboards better, let us see which default visualizations are available in Splunk, so that as a Splunk admin or architect you know which visualization gives the best view of a specific requirement. In this video we will go through all the visualizations that are part of your Splunk installation. For this, let us go to our search head, where we'll create all our visualizations in the demo lab that accompanies this course. To get clarity on the different visualizations in Splunk, I have created a sample dashboard that walks through all the visualizations built into the Splunk package.
This dashboard is available when you access the labs; for each visualization you can see the search query used, copy it, export it and work out how the visualization is configured. Let us go through the visualizations available in Splunk by default. The first in our discussion is the single value, which shows one number with a small trend indicator: the relative change over a period. For a duration of, say, the last seven days we had 3,664, but today there is a reduction of close to 7,000 events. This is a symbolic representation that gives a quick understanding using just the number. Below the number there is a sparkline showing a small spike before the drop of 7,000 events, and before that it was completely flat. That is our internal logs: Splunk was down for a whole day, and during this demonstration I brought the Splunk instance up, so the internal logs produced a spike.
Now things are stabilizing and the event count has started to drop. That is the basic single value. From a single value you can switch to other visualizations such as the radial gauge, filler gauge or marker gauge, add additional colours, and create a drill-down so that clicking the value shows the actual events contributing to it. Let us look at the radial, filler and marker gauges and how to change the visualization. Go to Edit mode. Once in edit mode, say I need a radial gauge: go to the second option, next to the search button, and choose Radial Gauge. The radial gauge looks like a speedometer. In this case its range is only 0 to 100, but our data is more than 100, so let us customize the range.
Click the Format visualization icon and go to Color ranges. By default it is set to Automatic; choose Manual. I'll set 0 to 5,000 as green; this is just a threshold and depends on your use case. You can define 12,000 as yellow and 20,000 as the extreme range. If you need more ranges you can add them, choose a different colour and set them based on the requirement. Let us save. As you can see, our events are more than 15K. Let us customize for our present scenario and set this to 50K; now our events fall in a more appropriate range, whereas our red is around 400K. This is how you customize a radial gauge. Now let us go to the filler gauge.