Using Fields – Lab Guide
Overview
Welcome to the Splunk Education lab environment. These lab exercises will give you some practical
experience of using fields in searches.
Scenario
You will use data from the international video game company, Buttercup Games. A list of source types is
provided below.
NOTE: This is a lab environment driven by data generators with obvious limitations. This is not a
production environment. Screenshots approximate what you should see, not the exact output.
Index     Type                         Sourcetype        Interesting Fields
web       Online sales                 access_combined   action, bytes, categoryId, clientip, itemId, JSESSIONID, price, productId, product_name, referer, referer_domain, sale_price, status, user, useragent
security  Web server                   linux_secure      action, app, dest, process, src_ip, src_port, user, vendor_action
network   Email security data          cisco_esa         dcid, icid, mailfrom, mailto, mid
network   Web security appliance data  cisco_wsa_squid   action, cs_method, cs_mime_type, cs_url, cs_username, sc_bytes, sc_http_status, sc_result_code, severity, src_ip, status, url, usage, x_mcafee_virus_name, x_wbrs_score, x_webcat_code_abbr
network   Firewall data                cisco_firewall    bcg_ip, dept, Duration, fname, IP, lname, location, rfid, splunk_role, splunk_server, Username
sales     Email security data          cisco_esa         dcid, icid, mailfrom, mailto, mid
sales     Web security appliance data  cisco_wsa_squid   action, cs_method, cs_mime_type, cs_url, cs_username, sc_bytes, sc_http_status, sc_result_code, severity, src_ip, status, url, usage, x_mcafee_virus_name, x_wbrs_score, x_webcat_code_abbr
sales     Firewall data                cisco_firewall    bcg_ip, dept, Duration, fname, IP, lname, location, rfid, splunk_role, splunk_server, Username
©2023 Splunk Inc. All rights reserved. Using Fields 26 September 2023 1
Common Commands & Functions
These commands and statistical functions are commonly used in searches but may not have been explicitly
discussed in the module. Please use this table for quick reference. Click on the hyperlinked SPL to be taken to
the Search Manual for that command or function.
sort (command)
  Sorts results in descending or ascending order by a specified field. Can limit results to a specific number.
  Example: Sort the first 100 src_ip values in descending order
    | sort 100 -src_ip

where (command)
  Filters search results using eval-expressions.
  Example: Return events with a count value greater than 30
    | where count > 30

rename (command)
  Renames one or more fields.
  Example: Rename SESSIONID to 'The session ID'
    | rename SESSIONID as "The session ID"

fields (command)
  Keeps (+) or removes (-) fields from search results.
  Example: Remove the host field from the results
    | fields - host

stats (command)
  Calculates aggregate statistics over the results set.
  Example: Calculate the total sales, i.e. the sum of price values.
    | stats sum(price)

eval (command)
  Calculates an expression and puts the resulting value into a new or existing field.
  Example: Concatenate first_name and last_name values with a space to create a field called "full_name"
    | eval full_name=first_name." ".last_name

table (command)
  Returns a table.
  Example: Output vendorCountry, vendor, and sales values to a table
    | table vendorCountry, vendor, sales

sum() (statistical function)
  Returns the sum of the values of a field. Can be used with stats, timechart, and chart commands.
  Example: Calculate the sum of the bytes field
    | stats sum(bytes)

count or count() (statistical function)
  Returns the number of occurrences of all events or of a specific field. Can be used with stats, timechart, and chart commands.
  Example: Count all events as "events" and count all events that contain a value for action as "action"
    | stats count as events, count(action) as action
Refer to the Search Reference Manual for a full list of commands and functions.
Lab Connection Info
Access labs using the server URL, user name, and password shown in your lab environment.
Lab Exercise 1 – Use Fields in Searches
Description
Configure the lab environment user account. Then, explore how using fields and fields with operators can
change search results. Additional tasks will test your knowledge of the rename and fields commands.
Steps
Log into Splunk and change the account name and time zone.
Set up your lab environment to fit your time zone. This also allows the
instructor to track your progress and assist you if necessary.
Log into your Splunk lab environment using the username and
password provided to you.
You may see a pop-up window welcoming you to the lab environment.
You can click Continue to Tour but this is not required. Click Skip to
dismiss the window.
Click on the username you logged in with (at the top of the screen) and
then choose Account Settings from the drop-down menu.
In the Full name box, enter your first and last name.
Click Save. (Do not change the password)
Reload your browser to reflect the recent changes to the interface.
(After you complete step 6, you will see your name in the web interface. This area of the web interface will be referred to as user name.)
NOTE: Sometimes there can be delays in executing an action like saving in the UI or returning results
of a search. If you are experiencing a delay, please allow the UI a few minutes to execute
your action.
Navigate to user name > Preferences.
Choose your local time zone from the Time zone drop-down menu.
Click Apply.
(Optional) Navigate to user name > Preferences > SPL Editor > Search auto-format and click on the
toggle to activate auto-formatting. Then click Apply. When the pipe character is used in search, the SPL
Editor will automatically begin the pipe on a new line.
(Screenshots in the original guide show the SPL Editor with Search auto-format disabled and with Search auto-format enabled.)
Use the Fields sidebar to examine search results.
In the top left corner of Splunk Web, select Apps > Search & Reporting. This sets our app context to the
search app.
Search online sales data (index=web sourcetype=access_combined) for all events containing a
purchase action (action=purchase.) Execute this search over the Last 24 hours.
NOTE: After the search finalizes, verify that the search executed in Smart Mode. The search mode is
located under the time range picker. If the search did not execute in Smart Mode, change it to
Smart Mode, and then re-execute the search.
Examine the Interesting Fields list to the left of your events. Notice that the product_name is one of the
fields returned by Splunk.
NOTE: To find some less common fields, you may need to open the All Fields window from the link at
the top of the Fields sidebar.
In the Fields sidebar, under Interesting Fields, click product_name. Notice the pop-up window shows the
top ten purchased products. Close the window by clicking the X in the upper-right corner.
In the Fields sidebar, under Interesting Fields, click sale_price. This field contains the product’s
discounted price for each purchase event.
a. Make the sale_price field a selected field. From the sale_price field window, click Yes in the
upper right corner next to Selected. Close the sale_price field window by clicking the X in the
upper-right corner.
b. Notice sale_price is now a selected field in the Fields sidebar.
c. Now, each event with a value present for sale_price will have sale_price=<value> in the last
line of the event.
In the Fields sidebar, under Selected Fields, click the sale_price field.
a. From the field window, click the value with the highest number of purchases (listed at the top.)
Notice the field and value have been added to the search criteria in the search bar. Also, this
selection causes a new search to execute using the new search criteria.
b. Remove sale_price=<value> from the search criteria (by deleting it from the search text) and
re-execute the search by pressing ENTER or by clicking the magnifying glass to the right of the
search bar.
In the Fields sidebar, under Interesting Fields, click categoryId to see which types of products make up
the most purchases. Close the window by clicking the X in the upper-right corner.
Compare results from searches using the !=, NOT, and =* field expressions.
Search for index=web sourcetype=access_combined with a time range of Yesterday.
Note the number of returned events.
Edit your search to find only events that have a value present for the action field. Run the search again.
Again, note the number of returned events.
In the Fields sidebar, under Interesting Fields, click action. Notice that the events contain five different
values for action. Close the window by clicking the X in the upper-right corner.
Edit your search to find events that do not have a value present for the action field. Run the search again.
Note the number of returned events.
In the Fields sidebar, under Interesting Fields, try to find the action field.
Add the number of events that were returned from your last two searches—the events that contain an
action value and the events that don’t. Does the sum equal the total number of events returned from your
first search? (Hint: If this is not the case, try running all three searches again and be sure the time range is
set to Yesterday for each search.)
Edit the search to find only those events where the action field contains the value, purchase.
In the Fields sidebar, under Interesting Fields, click action. Notice that you now see only one possible
value, purchase. Close the window by clicking the X in the upper right corner.
Edit the search to find events where the action field contains some value other than purchase.
Note the number of returned events.
In the Fields sidebar, under Interesting Fields, click action. Notice that you now see all possible values
except purchase. Close the window by clicking on the X in the upper right corner.
Edit the search to find events where:
a. The action field contains some value other than purchase.
b. The action field contains no value at all (See step 21 above).
Note the number of returned events.
Save your search as a report with the name L1S1.
a. Click Save As > Report
b. For Title, enter L1S1.
c. Save.
d. You can View your report or exit out of the Your Report Has Been Created window by clicking
the X in the upper-right corner.
e. You can access your saved reports using the Reports tab in the application bar.
Your recently saved L1S1 report will be visible in the Reports tab.
Scenario: SecOps wants a list of authentication failure events associated with admin roles over the
last 60 minutes.
Use keywords, field expressions, and the fields command to filter for specific events.
Search the web server (index=security sourcetype=linux_secure) for events during the Last 60
minutes.
Modify your search to include the following:
a. Failed password attempts by invalid users by adding failed invalid to your basic search.
b. Events associated with the administrator user, i.e. user accounts that begin with admin.
Use the fields command to extract only the user, src_ip, and app fields.
Save your search as a report with the name L1S2.
Complete the missing portion of a search with the rename command.
This search finds purchase events from the online sales data that encountered a server problem
(status>399.) Complete the <missing> portion of this search so that the clientip field is renamed to
"Customer IP", the host field is renamed to "Web Server", and the status field is renamed to "HTTP
Status." Run this search over the Last 4 hours.
index=web sourcetype=access_combined action=purchase status>399
| table clientip host status
| <missing>
Save your search as a report with the name L1S3.
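The field-expression comparison earlier in this exercise (action=*, action!=purchase, NOT action=purchase, and the combined "other than purchase or no value at all" search) and the table/rename task above both come down to one question: does an event that lacks the field count as a match? The following offline simulation, an added example that is not part of this lab guide or Splunk's own code, runs those expressions over a handful of constructed access_combined-style events. It assumes Splunk's documented behaviour: field!=value and field=* match only events in which the field exists, while NOT field=value also matches events in which the field is missing. The sample lines, the host value www1 and the helper names are all constructed for the example.

```python
"""Offline simulation of Splunk field-expression semantics and the table/rename step.

Added example for this lab guide, not Splunk code. Assumption: `field!=value` and
`field=*` require the field to exist; `NOT field=value` also matches events without it.
"""
import re

# Constructed sample events in the style of index=web sourcetype=access_combined.
# Not lab data: two request lines deliberately carry no action parameter.
RAW_EVENTS = [
    '10.1.1.1 - - [10/Jan/2023:10:00:01] "GET /cart.do?action=purchase&itemId=EST-1 HTTP/1.1" 200 1234',
    '10.1.1.2 - - [10/Jan/2023:10:00:02] "GET /cart.do?action=view&itemId=EST-2 HTTP/1.1" 200 900',
    '10.1.1.3 - - [10/Jan/2023:10:00:03] "GET /product.screen?productId=WC-SH-G04 HTTP/1.1" 200 2048',
    '10.1.1.4 - - [10/Jan/2023:10:00:04] "GET /cart.do?action=addtocart&itemId=EST-3 HTTP/1.1" 503 512',
    '10.1.1.5 - - [10/Jan/2023:10:00:05] "GET /cart.do?action=purchase&itemId=EST-4 HTTP/1.1" 400 300',
    '10.1.1.6 - - [10/Jan/2023:10:00:06] "GET /oldlink?itemId=EST-5 HTTP/1.1" 200 700',
]

EVENT_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
ACTION_RE = re.compile(r"[?&]action=(?P<action>[^&\s]+)")


def extract_fields(raw, host="www1"):
    """Search-time extraction: the action field exists only when the URI carries one."""
    m = EVENT_RE.match(raw)
    if m is None:
        raise ValueError("unparsable event: " + raw)
    event = {"host": host, "clientip": m["clientip"],
             "status": int(m["status"]), "bytes": int(m["bytes"])}
    a = ACTION_RE.search(m["uri"])
    if a:
        event["action"] = a["action"]
    return event


# Field expressions as typed in the search bar.
def field_any(event, field):            # field=*
    return field in event


def field_eq(event, field, value):      # field=value
    return field in event and event[field] == value


def field_ne(event, field, value):      # field!=value  (the field must exist)
    return field in event and event[field] != value


def compare_counts(raw_events=RAW_EVENTS):
    """Event counts for each expression compared in the lab."""
    events = [extract_fields(r) for r in raw_events]
    return {
        "all": len(events),
        "action=*": sum(field_any(e, "action") for e in events),
        "NOT action=*": sum(not field_any(e, "action") for e in events),
        "action=purchase": sum(field_eq(e, "action", "purchase") for e in events),
        "action!=purchase": sum(field_ne(e, "action", "purchase") for e in events),
        # NOT action=purchase is the union of action!=purchase and NOT action=*
        "NOT action=purchase": sum(not field_eq(e, "action", "purchase") for e in events),
    }


def table_rename(raw_events=RAW_EVENTS):
    """Purchase events with status>399, projected like
    | table clientip host status
    | rename clientip as "Customer IP", host as "Web Server", status as "HTTP Status"
    """
    renames = {"clientip": "Customer IP", "host": "Web Server", "status": "HTTP Status"}
    rows = []
    for e in (extract_fields(r) for r in raw_events):
        if field_eq(e, "action", "purchase") and e["status"] > 399:
            rows.append({renames[f]: e[f] for f in ("clientip", "host", "status")})
    return rows


if __name__ == "__main__":
    for expr, n in compare_counts().items():
        print(f"{expr:22s} {n}")
    print(table_rename())
```

Running it shows why the lab asks you to add the last two counts: action=* and NOT action=* partition the six events (4 + 2), action!=purchase only sees the four events that have an action (2), and NOT action=purchase picks up the two events with no action at all (4), which is exactly the combined "other than purchase, or no value at all" search.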
Lab Exercise 2 – Compare Temporary vs Persistent Fields
Description
Perform search-time field extractions using the erex and rex commands.
Steps
Scenario: SecOps wants to see a count of event descriptions by port from all web server events over
the past 7 days.
Use the erex command to extract temporary fields and include events based on pattern
matching.
Search for all web server events (index=security sourcetype=linux_secure) over the Last 7 days
that contain the keyword “port”.
Scroll through the list of events. Notice how many events have “Accepted password for…” and “Failed
password for…”.
Use the erex command to create a field called event_description. Provide the phrases "Accepted
password " and "Failed password " as examples.
Pipe your search to the following stats command:
| stats count(src_port) by event_description
The stats command uses the count function to count the number of ports (src_port) for each value
of event_description.
Observe your results. There appears to be no results for “Server listening”. Why?
Save your search as a report with the name L2S1. In Task 2, you will fix your search.
Use the rex command to improve your search results from Task 1.
Insert an erex command after the basic search that will create a new field called “port”. Provide it with
three port examples including 22. Edit the stats command so that it now counts port values instead of
src_port values.
Click on the Job dropdown and view the messages. You will see that Splunk is recommending you use the
rex command with regex it has automatically generated. (Note: Your regex may be slightly different for
port.)
Replace your two erex commands with the suggested rex commands.
Save your search as a report with the name L2S2.
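To make the Task 1 puzzle ("no results for Server listening") and the Task 2 fix concrete, the following offline simulation, an added example that is not part of this lab guide or Splunk's own code, runs rex-style extractions and a stats count() by grouping over constructed linux_secure-style sshd lines. The regexes are hand-written stand-ins for what erex would generate (assumption: the event_description pattern captures the two words after the process name, so it also matches "Server listening"); src_port models the field the sourcetype already provides for login lines, and port models the field added in Task 2. The sample lines and helper names are constructed for the example.

```python
"""Offline simulation of the Lab Exercise 2 extractions and `stats count(...) by ...`.

Added example for this lab guide, not Splunk code. Assumptions: the event_description
regex stands in for erex's generated pattern; src_port is only present on login lines.
"""
import re

# Constructed sshd lines in the style of index=security sourcetype=linux_secure.
RAW_EVENTS = [
    "Jan 10 10:00:01 host1 sshd[1001]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 10:00:02 host1 sshd[1002]: Failed password for invalid user admin from 10.0.0.9 port 51235 ssh2",
    "Jan 10 10:00:03 host1 sshd[1003]: Failed password for bob from 10.0.0.7 port 51236 ssh2",
    "Jan 10 10:00:04 host1 sshd[1]: Server listening on 0.0.0.0 port 22.",
    "Jan 10 10:00:05 host1 sshd[1]: Server listening on :: port 22.",
    "Jan 10 10:00:06 host1 sshd[1004]: Accepted password for carol from 10.0.0.8 port 51237 ssh2",
]

# Search-time extractions, written as rex would express them.
EVENT_DESCRIPTION_RE = re.compile(r"sshd\[\d+\]: (?P<event_description>\w+ \w+)")
SRC_PORT_RE = re.compile(r"from \S+ port (?P<src_port>\d+)")   # only on login lines
PORT_RE = re.compile(r"\bport (?P<port>\d+)")                  # Task 2: any "port N"


def extract(raw, *patterns):
    """Apply each pattern; named groups become fields, non-matches leave the field absent."""
    event = {"_raw": raw}
    for pat in patterns:
        m = pat.search(raw)
        if m:
            event.update(m.groupdict())
    return event


def stats_count_by(events, count_field, by_field):
    """Mimic `| stats count(<count_field>) by <by_field>`: events without the by-field are
    dropped from the grouping, and count() only counts events where count_field is non-null."""
    result = {}
    for e in events:
        if by_field not in e:
            continue
        result.setdefault(e[by_field], 0)
        if count_field in e:
            result[e[by_field]] += 1
    return result


def task1_counts(raw_events=RAW_EVENTS):
    """Task 1: count(src_port) by event_description."""
    events = [extract(r, EVENT_DESCRIPTION_RE, SRC_PORT_RE) for r in raw_events]
    return stats_count_by(events, "src_port", "event_description")


def task2_counts(raw_events=RAW_EVENTS):
    """Task 2: the extra port extraction, then count(port) by event_description."""
    events = [extract(r, EVENT_DESCRIPTION_RE, SRC_PORT_RE, PORT_RE) for r in raw_events]
    return stats_count_by(events, "port", "event_description")


if __name__ == "__main__":
    print("Task 1:", task1_counts())
    print("Task 2:", task2_counts())
```

In Task 1 the "Server listening" group is present but its count is 0, because count(src_port) only counts events in which src_port exists and the listening lines carry no "from ... port" fragment. Extracting a port field that matches any "port N" (Task 2) gives that group a non-zero count; when checking your own rex, make sure the generated pattern matches the Server listening lines and not only the login lines you gave as examples.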