WEEK_2 · DAY_10 · LAB
Lab 10 — Five Beginner Queries
search · stats · table · top · rare · fields · sort · where
Lab Objectives
- Write efficient base searches (filter on index, sourcetype and indexed fields before the first pipe)
- Aggregate with stats, top, rare
- Filter with where vs search (search filters raw events before aggregation; where evaluates an expression on the results after it)
- Format output with table and fields
Lab Instructions
1. In Splunk → Search, write: top 10 source IPs.
2. Write: rare destination ports.
3. Write: failed logons by user, count > 10.
4. Write: total bytes out per host, sorted descending.
5. Save each as a Report.
SPL for this Lab
Top failed users
index=wineventlog EventCode=4625 | stats count by Account_Name | sort - count | head 10
// Most-attacked accounts. Equivalent to "| top limit=10 Account_Name". Caveat: a 4625 event carries two Account_Name values (subject and target), so the field is multivalue; pick the target account before counting or the subject (often "-" or a machine account) pollutes the list.
Rare process names
index=sysmon EventCode=1 | rare Image limit=20
// Long-tail = anomalies often live here (rare is "stats count by Image | sort count", cut to the 20 least common).
Filter post-aggregation
index=fw | stats sum(bytes_out) as out by src_ip | where out > 1073741824
// Hosts shipping > 1 GiB outbound (1073741824 bytes). The field "out" only exists after stats, so the threshold must be a where clause; a search term before the pipe could not see it.
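Added worked solutions for lab steps 1 to 4, written for this edit rather than taken from the original lab. They assume the same index names as above (fw, wineventlog) and assume the firewall events carry the fields src_ip, dest_port and bytes_out, and that Account_Name in a 4625 event is multivalue with the target account in position 1; adjust the names to your own sourcetype.

```spl
index=fw | top limit=10 src_ip

index=fw | rare limit=20 dest_port

index=wineventlog EventCode=4625 | eval user=mvindex(Account_Name, 1) | stats count by user | where count > 10 | sort - count

index=wineventlog EventCode=4625 | search Account_Name!="*$" | stats count by Account_Name | where count > 10

index=fw | fields src_ip bytes_out | stats sum(bytes_out) as out by src_ip | eval out_gb=round(out/1073741824, 2) | sort - out | table src_ip out out_gb
```

Query 1 and 2 are steps 1 and 2. Queries 3 and 4 are two versions of step 3: the first pulls the target account out of the multivalue field with mvindex before aggregating, the second shows the search-vs-where split, with search dropping machine accounts (names ending in $) from the raw events before stats and where applying the count threshold after. Query 5 is step 4; the early fields clause limits what the search head has to carry into stats, and table fixes the column order for the saved Report.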