When you start this lab Splunk is not running yet, no need to start the browser. It wont be until Task 5 that the Splunk server is started. You will end up restarting Splunk often which takes a few minutes each time. Make sure that you double check all config files you write to prevent unnecessary restarts. It is also highly recommended you finish this room in one sitting as you'll be setting up a few things that would need to be repeated otherwise.

Most of the Splunk and managing Splunk config files is going to require you to use . While it is possible to use to get around this, some of the room's instructions are going to use the . This command would need to switch to .

A quick way to get the number of files & folders in a folder is to pipe (done with the | character) the output of to . The option will found the number of lines.
Navigate to the correct folder on the commandline and use .

An informational Task, which explains the steps we'll be taking in later tasks.

An important thing I would like to add to the information in this task is that files created in the DefaultApp are meant as "the default state" of the app. If you were to share your app with multiple analysts through a Splunk Deployment Server the default settings would be overridden on every update to make sure they match the new version. Each analyst could still add extra rules in the local folder which would persist between updates.

Unless you are creating an app, as we're doing in this room, it is generally not recommended to edit the files in . Instead one would edit the files in the folder.

Just like the props.conf in the previous task, all the .conf files you will be modifying can be found in the
folder. Read the information carefully so you understand what each config file is used for

Now it is time to start the Splunk instance and get some logs into Splunk. From the commandline run
, this will start the Splunk instance. It will take a few minutes before Splunk is ready and can be accessed. The Splunk dashboard will be available on .
Remember to use sudo to run the start command.

At this time no .conf files exist yet, so don't be surprised if you tried to checkout the DataApp/default folder and did not see anything. The task's instructions assume you're currently in the folder and used before running the command. If you're not, you can use the command to create the inputs.conf file.

Follow the instructions in the task to get a feel for how Splunk works, you will not be using the logs created in this task for future tasks.

Let's start generating some actual logs and inspecting them in Splunk.

An easy way to copy files from the Downloads directory to the DataApp/bin folder is by using the cp utility, use sudo if you are using the ubuntu user.

or if you are sudo

Modify inputs.conf file with nano to match the instructions in the task..

Restart Splunk
Restart Splunk afterwards to apply the new settings

Wait a few minutes until Splunk has restarted and check the logs again. Make sure to change the time range to `All time (Real-time)` so you know for sure you will see the logs. Not seeing any logs? Double check that you correctly copied all lines from the example:

inputs.conf

Defining properties
Just like we created the inputs.conf earlier we can create the props.conf to define properties of our data.
and restart Splunk again.

props.conf

You'll now see that each log for the vpn_logs is its own event. If you're not seeing changes you can click on the "apps" dropdown and reload the DataApp from there.

Since this task is nearly a repetition of the previous task simply with a different log type, I will not be repeating all the steps in this blog post. Please follow the information in the Task to complete the questions. Make sure to use the correct stanzas in the props.conf and to restart Splunk after you made your changes.

I personally felt that the inputs.conf file was too inconsistent and rearranged the order of settings as can be seen in the image below. However it does teach an important lesson that the order of settings is not important.

I would personally recommend to update both the inputs.conf and props.conf before restarting to save some time. At this point we've already done this process twice. While it is good practice to inspect the logs before adding any props, it also makes this a very long room with the restart time of Splunk.

Two quick comments here, 1. I used the DataApp/local folder instead of the default. However for the sake of sticking to the "we're creating a new app" task it is better to stick with default. 2 for the source and sourcetype I used the same name as the file that was generating the logs. Personal preference, however when creating an app that will be used by others it is better to stick with consistent naming conventions.

Important to note is that the [sourcetype] header matches the sourcetype: field in inputs.conf. Make sure to verify in your inputs.conf file.

SEDCMD
I read this command as sed command, since we're using sed syntax to modify. Important to note is that this modification happens BEFORE indexing. That means that our Splunk App is not aware of the information unmodified. This becomes relevant in Task 9.
The regex used in this command is very similar to the MUST_BREAK_AFTER except we're now looking the pattern with a global modifier. The global modifier means that if there were two credit card numbers in the log, both would be masked.

Note
If you're not seeing these changes but are 100% sure you have to correct syntax, you may have to reload the app. Go to the App menu in the top of the screen, click on DataApp and enter the correct search again.

I'll quickly gloss over most of this task as it is pretty straight forward and the room creator has already provided you with the regex required to complete the first two questions. If you are not seeing the Credit Card field in the fields column on the left, click on "1 more field" and select the Credit Card field in the pop-up.

Extracting Credit Card data:
As noted earlier the action runs before the data is indexed, this means that we have to use to match XXXX instead of when extracting the modified Credit Card information.

Lastly for reference here are the completed props.conf, transform.conf and fields.conf files.