Splunk Data Models - Why Should You Use Them?
ฝัง
- เผยแพร่เมื่อ 21 พ.ย. 2022
- Splunk has provided data models to allow you to group together similar types of logs. Datamodels can be confusing when you first get started. This video is the first of a series of videos explaining what are Splunk data models and why they will make things easier for searching for data in Splunk.
Splunk Data Models and why you should use them • Splunk Data Models - W...
Getting the data model restricted to specific indexes • Splunk Data Models Res...
Eventtypes for the data model • Splunk Data Models and...
Tagging the data for the data model • Splunk Data Models and...
Field aliasing for the data model • Splunk Data Model Fiel...
Converting a normal query into a tstats query - • Splunk How to Convert ...
This is a playlist and we strongly encourage you to watch the playlist for all of the videos on Enterprise security below.
• Splunk Enterprise Secu...
Join this channel to get access to early release of videos and exclusive training videos that will help make you L.A.M.E. ninja: / @lamecreations_guides
Visit our discord channel to post questions and suggestions for what you want to learn. / discord
The latest L.A.M.E. Splunk apps are available at
www.github.com/lameCreations
Thanks for this. I always remain humbled and encouraged by the way that people are genuinely helpful and patient.
Beautiful!! Thanks so much!,
Glad you liked the video. Feel free to request videos you would like to see or comment on my discord channel.
very informative. Thank you
Glad it was helpful!
subscribed because you're clear and thorough with a cadence that's easy and pleasant to follow...thank you.
Awesome, thank you!
Really awesome stuff!!!
Also love your voice, very easy to follow.
Glad you enjoyed it
Question for you: Can we add new fields to our existing data models without having to rebuild the data model?
no you can't. Datamodels are actually making your data "structured" (think Elastic) Every time you change the rules for how the data is structured, you get to rebuild everything. If you have never used Elastic you have not had the "pleasure" of this wonderful experience. If the data is unstructured, you don't have to rebuild which is why you can add aliases and other things to your indexed data, but you can't modify the data models without a rebuild. Hope that makes sense.
What do you usually use for monitoring your networking when using Splunk?
I'm assuming you mean at home? Besides the hardware to run it, i don't pay for any of the gear. It's all open source or they have free versions. At home I have a pfsense firewall, it also is my web proxy and VPN (total cost $0) I use pihole as my dns. (Just a raspberry pi, but you can virtualize it, or pfsense can do it) then I use zeek on a Ubuntu instance to tap my internal network traffic. You can also use security onion. Both are free.
Question for you - Do you need additional or special type of licensing from Splunk to utilize Data Models?
You do not. You can create your data models from scratch or you can download splunkbase.splunk.com/app/1621 and use the common information models
@@lamecreations_guides Thank you kindly. Great video BTW