Splunk Data Models: Building An Inventory With Tstats
Published 1/2025
MP4 | Video: h264, 1920x1080 | Audio: AAC, 44.1 KHz
Language: English | Size: 3.75 GB | Duration: 8h 28m
"Master Splunk Data Models: Inventory Building, Tstats Optimization, and Advanced Query Techniques"
What you'll learn
Gain a thorough understanding of Splunk Common Information Model (CIM) and its role in standardizing data across security, network, and application domains.
Develop skills in mapping network device logs and data to CIM fields, ensuring consistency and normalization for network inventory tracking.
Learn to troubleshoot and refine data models to ensure they meet CIM standards while providing actionable insights into network inventory.
Understand how to integrate your network inventory data model with other Splunk apps and dashboards to enhance visibility and security monitoring.
Requirements
Basic Understanding of Splunk and Network and Host Logs
Description
Unlock the full potential of Splunk with our comprehensive course, "Splunk Data Models: Building an Inventory with Tstats." This hands-on training is designed to guide Splunk users of all levels through the intricacies of creating a dynamic inventory using Splunk's powerful data modeling and Tstats commands. Whether you're a Splunk administrator, analyst, or developer, this course provides the essential skills to build, manage, and optimize inventory data in your Splunk environment.

We begin with an Introduction to the course and explore why building a dynamic inventory in Splunk is a game-changer for organizations managing vast datasets. Next, we delve into log exploration techniques and the importance of the Common Information Model (CIM) for structuring your data effectively.

Learn how to map inventory data to Splunk Data Models, enhance your fields with custom field extraction and enrichment, and ensure CIM compliance for seamless integration across datasets. Dive deeper into the creation and utilization of data models, using commands like datamodel and Tstats to generate powerful, efficient, and scalable inventory reports.

By the end of this course, you'll have the tools and knowledge to simplify inventory tracking, accelerate queries, and streamline operations with Splunk. Elevate your Splunk expertise today with this practical and impactful course!
Overview
Section 1: Introduction
Lecture 1 Introduction
Lecture 2 Course Objectives
Lecture 3 Course Requirements
Lecture 4 Apps and Indexes Used During This Course
Lecture 5 Course Roadmap
Lecture 6 Expectation Setting
Section 2: Module 1 - Why Build Your Own Dynamic Inventory in Splunk?
Lecture 7 Module 1 - Objectives
Lecture 8 The Problem With Static Inventories
Lecture 9 The Case for Dynamic Inventories
Lecture 10 Building Your Inventory: Zeek and Beyond
Lecture 11 Beyond Inventory: The Broader Benefits
Section 3: Module 2 Exploring Your Logs
Lecture 12 Module 2 Overview
Lecture 13 Module 2 Common Log Types
Lecture 14 Identifying Key Fields
Lecture 15 Using SPL to Find Key Fields
Lecture 16 SPL Overview
Lecture 17 SPL Overview: Using Fields, Table, and Stats
Lecture 18 Learning to Find Data Efficiently with Metadata
Lecture 19 Install Botsv3 Instructions
Lecture 20 Install Stream Splunk App for Botsv3 Data
Lecture 21 Lab 1 Questions
Lecture 22 Lab 1 Answers
Section 4: Module 3 Common Information Model
Lecture 23 Module 3 Overview
Lecture 24 CIM Defined
Lecture 25 CIM Use Case Explained
Lecture 26 CIM Datamodels Explained
Lecture 27 Mapping Raw Data to CIM-Compliant Fields
Lecture 28 How to Install the CIM App
Lecture 29 Splunk Documentation on the Common Information Model
Lecture 30 Mapping a Zeek Log to Network Traffic
Lecture 31 Validating the Network Traffic Mapping
Lecture 32 Lab 2 Questions
Lecture 33 Lab 2 Answers
Section 5: Module 5 Mapping Inventory to Splunk Data Models
Lecture 34 Module 5 Overview
Lecture 35 Adding Zeek Conn Logs to Network Traffic (The Process)
Lecture 36 Adding Zeek DNS, HTTP to Respective Datamodels (The Process)
Lecture 37 Adding Zeek SMTP to Respective Datamodels (The Process)
Lecture 38 Adding Authentication Log to Authentication Datamodel (The Process)
Lecture 39 Adding Host Logs to Endpoint Datamodel (The Process)
Lecture 40 Expanding Beyond the Basics
Lecture 41 Advantages of Mapping Logs to Datamodels
Lecture 42 Lab 3 Questions
Lecture 43 Lab 3 Answers
Section 6: Module 5 Field Extraction and Enrichment
Lecture 44 Module 5 Overview
Lecture 45 Methods for Field Extractions
Lecture 46 Hands On Demo of Automatic Field Extraction
Lecture 47 Hands On Demo Regex Extraction
Lecture 48 Hands On Splunk Field Extractor
Lecture 49 Hands on Props and Transforms Configurations
Lecture 50 Data Enrichment Methods
Lecture 51 Hands On Data Enrichment Lookups
Lecture 52 Hands On Data Enrichment Calculated Fields
Lecture 53 Hands On Data Enrichment Tags
Section 7: Module 6 Hands On - Mapping to Datamodels
Lecture 54 Module 6 Overview
Lecture 55 Network Traffic - Aliasing the Fields
Lecture 56 Network Traffic - Validating The Fields
Lecture 57 Network Traffic - Calculated Fields
Lecture 58 Network Resolution DNS Aliasing the Fields
Lecture 59 Network Resolution - Troubleshooting When Things Just Don't Alias
Lecture 60 Lab 4 Questions
Lecture 61 Lab 4 Answers
Section 8: Module 7 Validating CIM
Lecture 62 Module 7 Overview
Lecture 63 Downloading and Using the CIM Vladiator App
Lecture 64 Resolving Issues Detected by Vladiator App
Lecture 65 Lab 5 Questions
Lecture 66 Lab 5 Answers
Section 9: Module 8 Datamodels, Datamodels, and more Datamodels
Lecture 67 Module 8 Overview
Lecture 68 Datamodel Parent / Child Relationships
Lecture 69 Hands On Datamodel Parent / Child Relationships
Lecture 70 Datamodel Acceleration
Lecture 71 Hands On Datamodel Acceleration
Lecture 72 SPL Datamodel Command Part 1
Lecture 73 Hands On SPL Datamodel Command Part 1
Lecture 74 SPL Datamodel Command Part 2
Lecture 75 Validating that Data has been Accelerated
Section 10: Module 9: Inventory Creation
Lecture 76 Module 9 Overview
Lecture 77 Oops - Time Issues Announcement
Lecture 78 Inventory Creation - The Process
Lecture 79 Hands On Demo of Your New Dataset
Lecture 80 Manually Setting Up Your New Dataset
Lecture 81 Scripting Your New Dataset
Lecture 82 Generating All the Unique IPs
Lecture 83 Excluding non-RFC 1918 IP Addresses
Lecture 84 Finalizing the IP Inventory Lookup
Lecture 85 Meta Roles Defined for Inventory
Lecture 86 Enriching IP Inventory With Metadata
Lecture 87 Adding Static and Analyst Provided Inventory
Lecture 88 Normalizing Data with Yes and No
Lecture 89 Creating Categories of Data for Enterprise Security and Other Risk Alerting
Lecture 90 Finalizing Metadata Inventory
Lecture 91 Build Your Inventory Using a Modular Approach
Lecture 92 Lab 6 Questions
Lecture 93 Lab 6 Answers
Section 11: Module 10: Using Datamodel Command to Build Inventory
Lecture 94 Module 10: Overview
Lecture 95 Mapping New Corelight Logs to Network Traffic Datamodel
Lecture 96 Mapping New Corelight Logs to DNS and Web Datamodel
Lecture 97 Accelerating New Datamodel Data
Lecture 98 Modifying Our IP Inventory Query With Datamodel Info
Lecture 99 Modifying Meta Inventory With Datamodel Info
Lecture 100 Lab 7 Questions
Lecture 101 Lab 7 Answers
Section 12: Module 11: Tstats Command Explained
Lecture 102 Module 11: Overview
Lecture 103 Tstats Syntax
Lecture 104 Tstats Examples
Lecture 105 Tstats Another Perspective
Lecture 106 Tstats Performance Benefits
Lecture 107 Hands On Tstats Queries
Lecture 108 Using Datamodel Pivot to Help You Write a Tstats Query
Lecture 109 Using Tstats Queries to Build IP Inventory
Lecture 110 Using Tstats Queries to Build Metadata Inventory
Lecture 111 Tstats Speed Comparison to Standard SPL and Datamodel Commands
Lecture 112 Lab 8 Questions
Lecture 113 Lab 9 Answers
Section 13: Module 12: What's Next
Lecture 114 Scheduling Inventory Searches
Lecture 115 What is Next?
This course is tailored for:
Splunk Administrators and Engineers who need to expand their capabilities in data modeling and compliance with the Splunk Common Information Model (CIM).
Network Engineers and IT Professionals looking to leverage Splunk for network inventory management, security monitoring, and compliance reporting.
Security Analysts who want to enhance their network visibility through standardized data models for threat detection and incident response.
Data Analysts interested in mastering advanced Splunk techniques to organize, analyze, and utilize network data more effectively.
Anyone involved in IT Operations aiming to improve their organization's network asset management and security posture using Splunk's data modeling features.
This course assumes a basic familiarity with Splunk and some understanding of network concepts, making it suitable for those who wish to deepen their expertise in Splunk for network-related data analytics and compliance.