Basics

Learn the basics of Splunk.

  1. Splunk has three main components:

    1. Forwarder

      1. Splunk Forwarder is a lightweight agent installed on the endpoint that generates the data, for example:

          • Web server generating web traffic.

          • Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.

          • Linux host generating host-centric logs.

          • Database generating DB connection requests, responses, and errors.

    2. Indexer

      1. Splunk Indexer plays the main role in processing the data:

        1. takes in the data

        2. normalizes the data into field-value pairs

        3. determines the datatype of the data

        4. stores the data as events

    3. Search Head

      1. Splunk Search Head is the place within the Search & Reporting app where users search the indexed logs.

  2. When the user searches for a term or writes a query in the Splunk Search Processing Language (SPL):

    1. the request is sent to the indexer

    2. the relevant events are returned in the form of field-value pairs
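As an added illustration (not from the original notes and not Splunk's own code), a simplified Python model of the flow described above: the indexer turns forwarded raw lines into events of field-value pairs with a guessed datatype, and the search step filters those events by field=value. The log lines are constructed, and the key=value format is an assumption made to keep the model small.

```python
import re
from typing import Any

# Constructed sample log lines, as a forwarder might ship them from a
# web server and a Linux host (not real captured data).
RAW_LINES = [
    'host=web01 sourcetype=access method=GET uri=/login status=200 bytes=512',
    'host=web01 sourcetype=access method=POST uri=/login status=401 bytes=128',
    'host=web01 sourcetype=access method=POST uri=/login status=401 bytes=128',
    'host=lnx02 sourcetype=syslog process=sshd msg=failed_password user=root',
]

# Assumed key=value layout; real Splunk applies sourcetype-specific extractions.
KV_PATTERN = re.compile(r'(\w+)=(\S+)')


def coerce(value: str) -> Any:
    """Model the indexer's datatype step: all-digit values become int."""
    return int(value) if value.isdigit() else value


def index_events(lines):
    """Indexer step: turn each raw line into one event of field-value pairs,
    keeping the original text under _raw as Splunk does."""
    events = []
    for line in lines:
        fields = {k: coerce(v) for k, v in KV_PATTERN.findall(line)}
        fields['_raw'] = line
        events.append(fields)
    return events


def search(events, **criteria):
    """Search-head step: return the events whose fields match every
    criterion, e.g. search(events, sourcetype='access', status=401)."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def count_by(events, field):
    """A stats-style aggregation, like '| stats count by <field>' in SPL."""
    counts = {}
    for e in events:
        if field in e:
            counts[e[field]] = counts.get(e[field], 0) + 1
    return counts


if __name__ == '__main__':
    indexed = index_events(RAW_LINES)
    failed = search(indexed, sourcetype='access', status=401)
    print(len(failed), count_by(failed, 'uri'))  # 2 {'/login': 2}
```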

  1. The Splunk Bar gives access to:

    1. system-level messages (Messages)

    2. configuration of the Splunk instance (Settings)

    3. the progress of jobs (Activity)

    4. miscellaneous information such as tutorials (Help)

    5. the search feature (Find)

  2. The default app for every Splunk installation is Search & Reporting.
