Acronyms
Data Sources
Components
Default Fields
Dashboards, Reports and Alerts
100

This is the query language used to search, analyze, transform, and visualize data inside Splunk 

SPL (Search Processing Language)

100

This is the built-in logging system that records system, security, and application events

Windows Event Log

100

This is a Splunk component that collects data and sends it to Splunk

Forwarder

100

This field is the device name

host

100

This provides visual insights

Dashboards

200

This is a security solution category that collects, analyzes, and correlates log and event data from across an organization to detect threats and support incident response. 

SIEM (Security Information + Event Management)

200

This is a text-based data format that stores information in key-value pairs and structured objects.

JSON

200

This is a lightweight forwarder (small CPU/memory footprint)

Universal Forwarder (UF)

200

This field is the data source

source

200

This is a search that can be reused

Reports

300

This is a set of rules and endpoints that allows other systems, tools, or applications to interact with Splunk programmatically instead of using the Splunk web interface.

API (Application Programming Interface)

300

This is the default logging framework used to record system and application activity.

Linux syslogs

300

This can collect and forward only

Universal Forwarder (UF)

300

This field is the format/type of data

sourcetype

300

This notifies users when conditions are met

Alerts

400

This is a security platform that automates and coordinates incident response workflows so security teams can respond to threats faster and more consistently. 

SOAR (Security Orchestration, Automation, and Response)

400

What are services that provide computing, storage, networking, and applications over the internet?

Cloud Platform

400

This can filter, parse, and route data 

Heavy Forwarder (HF)

400

This field is a storage location

index

400

This is beneficial because of consistent results, dashboard integration, and easy sharing.

Reports

500

This is a standard data model that normalizes and organizes data into consistent field names and categories so different data sources can be searched and correlated in a uniform way. 

CIM (Common Information Model)

500

This is the core system log that Splunk ingests to provide visibility into system activity, security events and operational health. 

Linux syslogs

500

This can deploy to thousands of endpoints

Universal Forwarder (UF)

500

This field is the event timestamp

_time

500

This can display reports, charts, tables, and metrics.

Dashboard