
First of all, while we can’t exactly load terabytes of security log data onto our computers at home, we can very easily use Splunk Free with minimal setup. We can even get started with the tutorial data provided by Splunk, which is well under 1 GB. Companies from Coca-Cola to Comcast use Splunk, so it’s no surprise that it is one of the highest-rated cybersecurity skills in demand today. But how do you get experience in Splunk if it’s not part of your current job responsibilities? There are steps we can take at home to land a job in cybersecurity, and using Splunk Free is one of them.

Why learn Splunk?

  • A cybersecurity analyst can expect to earn on average around $75,000, and Splunk is a highly desired skill for cybersecurity professionals.
  • Splunk is used by some of the nation’s biggest companies, which need whole teams to properly administer the software.
  • Learning Splunk also demonstrates experience with other desirable skills, such as Linux, regular-expression searches, web interfaces and log administration, depending on how deep you want to go.

What is Splunk?

Splunk sounds like spelunking for a reason: metaphorically, it helps companies get down on their hands and knees and explore their data, their calls echoing off the cavernous walls of the enterprise. “What do we do with all this data?!” Splunk’s headquarters is in San Francisco, California, USA. Guru Tip: Really want to increase your chances of getting a Splunk-related job? Go to a Splunk .conf conference, resume in hand, after following this tutorial. See more here.

Splunk Inc. is an American multinational corporation based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated big data, via a Web-style interface. Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.- Wikipedia

What You’ll Need For This Tutorial

  1. Download Splunk Free from the Splunk website.
  2. Set up an Ubuntu 18.04 virtual machine in VirtualBox.

Note: Need help setting up a virtual machine? Read my tutorial. From the Splunk site:

If you need more than 500 MB/day, you’ll need to purchase an Enterprise license. See How Splunk licensing works for more information about licensing. Splunk Free regulates your license usage by tracking license violations. If you go over 500 MB/day more than 3 times in a 30 day period, Splunk Free continues to index your data, but disables search functionality until you are back down to 3 or fewer warnings in the 30 day period.

Requirements: You won’t need anywhere near 500 MB/day; in fact, the tutorial data provided by Splunk is less than 1 MB. Trial: Use Splunk until the trial period ends, then upgrade to a paid license or use the free version forever. After 60 days you can convert to a perpetual free license or purchase a Splunk Enterprise license. One caveat before you convert: the perpetual Free license removes authentication entirely (no login on the web interface or the command line), so keep port 8000 reachable only from your own machine or the VM’s host-only network, and never expose a Free instance to a network you don’t fully control.

1. Download Splunk Free

After providing your information in the Free Splunk form, your download of the Splunk software should start. Choose Linux > 64-bit > .tgz. The download page also offers the file’s checksum (SHA512) next to the download link; grab it too, so you can verify the archive before extracting it as root. Find the .tgz file in your Downloads folder. Got it? If you have a virtual machine ready, or are following my tutorial on setting one up, you are ready to get started.

2. Move Splunk Free Into Ubuntu and Set Your Env Variables

Using your favorite file-transfer method (or drag and drop), move your Splunk download into your VM, then extract it:

splunk@splunk-VirtualBox:~$ sudo tar xvzf splunk7.1.2-…x86_64.tgz -C /opt

This command decompresses the archive into the /opt directory, creating /opt/splunk. You have two options now: set the SPLUNK_HOME variable for your current shell only, or set it in your bash profile so it persists across sessions. Option 1:

splunk@splunk-VirtualBox:~$ export SPLUNK_HOME="/opt/splunk"

Option 2:

splunk@splunk-VirtualBox:~$ nano ~/.bashrc

Add these two lines at the very bottom of the file (it is your own file, so no sudo is needed), then save and exit:

export SPLUNK_HOME=/opt/splunk
export PATH=$SPLUNK_HOME/bin:$PATH

splunk@splunk-VirtualBox:~$ source ~/.bashrc

This reloads your shell profile so the new environment variables take effect in the current session.

3. Start the Splunk Free Service

To start the service for the first time and accept the end-user license agreement in one step (I highly recommend this to avoid the long reading material):

splunk@splunk-VirtualBox:~$ sudo $SPLUNK_HOME/bin/splunk start --accept-license

You will be prompted to create a password for the admin account; do so, and you should see system checks run in the terminal, followed by something like:

The Splunk web interface is at http://splunk-VirtualBox:8000

Note that because we extracted the archive with sudo and started Splunk with sudo, the indexer and its web interface are running as root. That is acceptable for a throwaway lab VM, but on anything you intend to keep, create a dedicated splunk user, give it ownership of /opt/splunk and start Splunk as that user, so a bug in the web interface or a bad app does not hand out root.
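As an added example (this script is not part of the original tutorial), here is the same install done the way I would on a machine that matters: it first checks the archive’s SHA-512 against the digest file Splunk publishes next to the download, and only then extracts it and runs Splunk under a dedicated, unprivileged splunk account instead of root. It assumes SPLUNK_HOME=/opt/splunk, that the .tgz and its digest file (named <archive>.sha512 here, an assumption) sit in the current directory, and that you have sudo.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands. Verify the download, then
# install Splunk under an unprivileged service account instead of root.
# Assumptions: SPLUNK_HOME=/opt/splunk, the digest file is <archive>.sha512,
# and the current user can sudo.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# verify_sha512 <archive> <digest-file>
# Returns 0 only when the archive's SHA-512 equals the published digest.
# Only the first field of the digest file is used, so the usual
# "<hex>  <filename>" layout verifies even if the download was renamed.
verify_sha512() {
  vs_archive="$1"
  vs_digest_file="$2"
  vs_expected=$(awk 'NR == 1 {print tolower($1)}' "$vs_digest_file")
  vs_actual=$(sha512sum "$vs_archive" | awk '{print tolower($1)}')
  if [ -n "$vs_expected" ] && [ "$vs_expected" = "$vs_actual" ]; then
    return 0
  fi
  return 1
}

# install_splunk <archive>
# Extracts into /opt, hands the tree to the service account and starts
# Splunk as that account. The admin password is still set interactively.
install_splunk() {
  is_archive="$1"
  # System account, no home directory created (tar creates /opt/splunk).
  id "$SPLUNK_USER" >/dev/null 2>&1 || \
    sudo useradd -r -M -d "$SPLUNK_HOME" -s /bin/bash "$SPLUNK_USER"
  sudo tar xzf "$is_archive" -C /opt
  # tar as root keeps the archive's uids; make the whole tree ours.
  sudo chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
  # First start as the service user, accepting the license in one step.
  sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" start --accept-license
  # Optional: start at boot under the same unprivileged account.
  sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
}

# Usage: sh install_splunk.sh install splunk-<version>-Linux-x86_64.tgz
# Without arguments the file only defines the functions above.
if [ "${1:-}" = "install" ]; then
  is_tgz="${2:?archive path required}"
  verify_sha512 "$is_tgz" "$is_tgz.sha512" || {
    echo "checksum mismatch for $is_tgz, refusing to install" >&2
    exit 1
  }
  install_splunk "$is_tgz"
fi
```

Refusing to extract on a digest mismatch is the point of the first function: a tampered or truncated tarball otherwise lands in /opt and gets started with root privileges before anyone looks at it.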

4. Log in to the Splunk Free web interface.

By default the username for Splunk is “admin”. Enter the password you created a minute ago, and if everything is correct you are ready for the next step: adding data.

5. Add Data to Splunk Free

First login dashboard view, Splunk Free.

First Look At the Splunk Dashboard

Uploading data takes place in the following steps:

  • Click “Add Data”
  • Click “Upload”
  • Click “Select File”
  • Configure “Input Settings”
  • Review
  • Done

1. Add Data

Add Data, Splunk Free.

Add Data screen. Click on “Upload”.

2. Select Source

Select Source Page, Splunk Free.

Upload tutorialdata.zip using Select Source. If you dragged and dropped the .zip file into the VM, you will find it in a timestamped subfolder of /tmp/VirtualBox Dropped Files/.

3. Configure Input Settings

Input Settings Page, Splunk Free.

Input Settings page. Under Host, choose “Segment in path”; for Mac and Linux installations the segment number is “1”. For Windows installations the required option is “Regular expression on path”. We are installing on Linux, so use segment 1.

4. Review

Review Page, Splunk Free.

Review page. Check that everything you entered is shown correctly; if you see errors, go back and repeat the steps (refreshing the page before trying again can help).

5. Done

Done Page, Splunk Free.

Done page. The upload is complete.

6. Start Searching!

New Search Page, Splunk Free

New Search page, after uploading the tutorialdata.

By default a new search is kicked off with the query source="tutorialdata.zip:*". Because the tutorial data is the only thing indexed so far, this returns the same events as a bare * (search everything), but the source= filter is what you will narrow down on once other data is in the index.
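As an added example (not from the original tutorial), here is the kind of search you would run next, and why the regex skills mentioned earlier matter. The tutorial data’s secure sourcetype holds sshd-style events, and the SPL in the comment counts failed password attempts per source IP and keeps the noisy ones. The script below reproduces that logic with awk over a few constructed log lines in the same layout (sample data made up for this example, not the real tutorialdata contents), so it runs without a Splunk instance and you can compare its output with what Splunk shows you.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# The Splunk search this script mirrors (run it in the New Search bar):
#   source="tutorialdata.zip:*" sourcetype=secure "Failed password"
#   | rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
#   | stats count by src_ip | where count >= 3 | sort -count
set -eu

# Constructed sample events in sshd "secure" log layout (not real tutorialdata).
SAMPLE_SECURE_LOG='Thu Mar 01 2018 00:15:06 www1 sshd[4747]: Failed password for invalid user guest from 203.0.113.7 port 3771 ssh2
Thu Mar 01 2018 00:15:09 www1 sshd[4747]: Failed password for invalid user admin from 203.0.113.7 port 3772 ssh2
Thu Mar 01 2018 00:15:12 www1 sshd[4747]: Failed password for root from 203.0.113.7 port 3773 ssh2
Thu Mar 01 2018 00:15:15 www1 sshd[4747]: Failed password for root from 203.0.113.7 port 3774 ssh2
Thu Mar 01 2018 00:16:01 www2 sshd[5120]: Failed password for invalid user test from 198.51.100.23 port 41022 ssh2
Thu Mar 01 2018 00:16:04 www2 sshd[5120]: Failed password for invalid user test from 198.51.100.23 port 41023 ssh2
Thu Mar 01 2018 00:17:30 www1 sshd[4802]: Accepted password for djohnson from 192.0.2.10 port 50112 ssh2
Thu Mar 01 2018 00:18:45 www3 sshd[6011]: Failed password for djohnson from 192.0.2.10 port 50200 ssh2
Thu Mar 01 2018 00:19:00 www1 sshd[4802]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)'

# failed_logins_by_src <threshold>
# Reads secure-style lines on stdin, counts "Failed password" events per
# source address (the token after "from"), and prints "count ip" for every
# source at or above the threshold, highest count first. Accepted logins
# and session messages are ignored, just as the SPL filter ignores them.
failed_logins_by_src() {
  fl_threshold="$1"
  awk -v min="$fl_threshold" '
    /Failed password/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "from") { hits[$(i + 1)]++; break }
      }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -rn
}

# Three or more failures from one address is a reasonable first alert line.
printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_logins_by_src 3
```

Against the sample above only 203.0.113.7 clears the threshold of three; lower it to 1 and all three addresses appear, including the user who mistyped once from 192.0.2.10. That difference is exactly what the where count >= 3 clause buys you in Splunk: fewer alerts on ordinary typos, and the brute-force source on top.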

In conclusion

Let’s recap what we have done so far.

  • We uploaded the Splunk Free tutorial data into our Ubuntu 18.04 virtual machine in VirtualBox