SIEM - Splunk Architecture, Features and Components

Splunk is a Security Information and Event Management (SIEM) platform, and one of the most popular and user-friendly ones. It is available both in a free version and in an enterprise version. A SIEM provides a lot of functionality: log monitoring, log correlation, log analysis, parsing, log normalization, categorization, virus scanning, checking for misconfigurations, alerting, reporting, detecting zero-day vulnerabilities and much more.
A typical Splunk Enterprise infrastructure consists of indexers, search heads, forwarders, the Splunk Management Console and, optionally, heavy forwarders. All of these components can be set up on a single server, or they can be split across different servers to keep traffic flowing smoothly. Which layout to choose depends entirely on the size of the business and how much traffic it generates, so the number of instances of each component can range from 1 to "n". Here is a complete explanation of each of the components.

Indexers:

Indexers process incoming machine data, storing it in indexes as events. As an indexer indexes data, it creates a number of files organized into sets of directories by age. When you search your data, Splunk only opens the directories that match the time frame of the search.

Search Head:

Allows users to use the Splunk search language to search the indexes. The search head handles search requests from users and distributes them to the indexers, which perform the actual searches on the data; the search head then consolidates and enriches the results from the indexers before returning them to the user.
It hosts dashboards, reports and visualizations.
Single instance deployment can handle:

Splunk Management Console:

The Monitoring Console is the Splunk Enterprise monitoring tool. It lets you view detailed topology and performance information about your Splunk Enterprise deployment.

The available dashboards provide insight into the following areas of your deployment or instance:
  • search performance and distributed search framework
  • indexing performance
  • operating system resource usage
  • Splunk app key value store performance
  • search head and indexer clustering
  • index and volume usage
  • forwarder connections and Splunk TCP performance
  • HTTP Event Collector performance and license usage

What can the Monitoring Console do?

There are three main configuration states for the Monitoring Console.

1)   You can leave the Monitoring Console unconfigured in standalone mode on your Splunk Enterprise instance. This means that you can navigate to the Monitoring Console on an individual instance in your deployment and see that particular instance's performance.
2)   You can go through the configuration steps, still in standalone mode, which lets you access the default platform alerts.
3)   You can go through the configuration steps for distributed mode, which lets you log into one instance and view the console's information for every instance in your deployment.

Splunk Forwarders:

The Splunk universal forwarder is a free, dedicated version of Splunk Enterprise that contains only the essential components needed to forward data. Universal forwarders can be used to gather data from a variety of inputs and forward your machine data to Splunk indexers. The data is then available for searching.

Benefits of using the Splunk universal forwarder:

  • Data consolidation from all types of inputs
  • Reduces indexer load on the Data Center side (push vs. pull method)
  • Improves resiliency by buffering data when needed, sending to available indexers and switching to others when needed (auto load balance)
  • Administered remotely with the deployment server

Splunk Heavy Forwarders:

A heavy forwarder is a type of forwarder: a Splunk Enterprise instance that sends data to another Splunk Enterprise instance or to a third-party system.
A heavy forwarder has a smaller footprint than a Splunk Enterprise indexer but retains most of the capabilities of an indexer. An exception is that it cannot perform distributed searches. You can disable some services, such as Splunk Web, to further reduce its footprint size.
Unlike other forwarder types, a heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event. It can also index data locally while forwarding the data to another indexer.
In most situations, the universal forwarder is the best way to forward data to indexers. Its main limitation is that it forwards only unparsed data, except in certain cases, such as structured data. You must use a heavy forwarder to route data based on event contents.
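As an added example (not configuration from the original post), the settings that implement two of the points above: a universal forwarder outputs.conf that auto load-balances across two indexers over TLS, and the heavy forwarder props.conf/transforms.conf pair that routes events to a separate output group based on event contents. The hostnames, group names, sourcetype, certificate paths and regex are constructed placeholders.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Auto load balancing across two indexers (constructed hostnames): if one
# indexer is unavailable, data is buffered and sent to the other.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
autoLBFrequency = 30
# Indexer acknowledgement: data the indexer never confirmed is re-sent
useACK = true
# Encrypt the forwarder-to-indexer channel and verify the indexer's certificate
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true

# --- Heavy forwarder: props.conf ---
# Only a heavy forwarder parses events before forwarding, so only it can
# route on event contents. Sourcetype stanza (constructed name).
[auth_syslog]
TRANSFORMS-routing = route_auth_failures

# --- Heavy forwarder: transforms.conf ---
# Events matching the regex are sent to the soc_indexers output group;
# everything else follows defaultGroup. The regex is constructed.
[route_auth_failures]
REGEX = Failed password for
DEST_KEY = _TCP_ROUTING
FORMAT = soc_indexers

# --- Heavy forwarder: outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

[tcpout:soc_indexers]
server = soc-idx1.example.internal:9997
```

Restart the forwarder after changing these files; on the heavy forwarder, routing only applies to data it parses itself, not to data arriving already cooked from another forwarder.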

Some Important Functionalities of Splunk Include

 1)   Transforming commands: commands that create statistics and visualizations are called transforming commands.

 2)  The Splunk Search Language includes:
          Search terms
          Commands --> e.g. charts
          Arguments --> variables
          Clauses --> how we want results to be grouped

 3)  Color coding in the search bar:
          Boolean operators, command modifiers : ORANGE
          Commands                            : BLUE
          Command arguments                   : GREEN
          Functions                           : PURPLE

 4)   Common stats functions: count, distinct count, sum, average, list, values
  • count: number of events
  • distinct count: returns a unique value for a field
  • list: lists all values of a given field
  • values: displays the unique values of a given field

 5)   Data Models: Data models are knowledge objects that provide the data structure that drives pivots. A data model can be thought of as a framework and a pivot as an interface to the data.
Splunk knowledge managers design and maintain data models. These knowledge managers understand the format and semantics of their indexed data and are familiar with the Splunk search language. In building a typical data model, knowledge managers use knowledge object types such as lookups, transactions, search-time field extractions, and calculated fields.

 6)   Datasets: Datasets are smaller collections of your data defined for a specific purpose; they are represented as tables with field names for columns and field values for cells. Dataset types include lookups, data model datasets and table datasets.

 7)   Lookups: Lookups enrich your event data by adding field-value combinations from lookup tables. Splunk software uses lookups to match field-value combinations in your event data with field-value combinations in external lookup tables. If Splunk software finds those field-value combinations in your lookup table, Splunk software will append the corresponding field-value combinations from the table to the events in your search.
Types of lookups: CSV, External, KV Store, Geospatial

 8)   Alerts: Use alerts to monitor for and respond to specific events. Alerts use a saved search to look for events in real time or on a schedule. Alerts trigger when search results meet specific conditions. You can use alert actions to respond when alerts trigger.

Features of Alerts:
  • list in interface
  • log events
  • output to lookup
  • send to telemetry endpoint
  • trigger scripts
  • send emails
  • use a webhook
  • run a custom alert
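As an added example (not from the original post), the saved-search configuration behind a scheduled alert, tying together the search language, the stats functions (count, dc, values), a CSV lookup and the alert actions described above. The index, sourcetype, field names, lookup name, thresholds and addresses are constructed placeholders.

```ini
# $SPLUNK_HOME/etc/apps/soc_alerts/local/savedsearches.conf (constructed app)
# Every 5 minutes, look back 15 minutes for accounts with many failed logins
# from many distinct source IPs, enrich each row from a lookup, then notify.
[Brute-force logins by account]
search = index=auth sourcetype=auth_syslog action=failure \
  | stats count AS failures, dc(src_ip) AS distinct_sources, values(src_ip) AS sources BY user \
  | where failures > 20 AND distinct_sources > 5 \
  | lookup user_roles user OUTPUT role department
# dc() counts unique src_ip values; values() lists them without duplicates
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */5 * * * *
enableSched = 1
# Trigger condition: fire when the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
# Throttle: one alert per user per hour to avoid flooding the SOC mailbox
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 1h
# Alert actions: list in the Triggered Alerts interface, log an event, send email
alert.track = 1
action.logevent = 1
action.logevent.param.index = soc_notables
action.logevent.param.event = brute_force user=$result.user$ sources=$result.distinct_sources$
action.email = 1
action.email.to = soc@example.internal
action.email.subject = Brute-force: $result.user$ from $result.distinct_sources$ sources
action.email.sendresults = 1

# transforms.conf: the CSV lookup the search references (constructed);
# user_roles.csv lives in the app's lookups/ directory with columns user,role,department
[user_roles]
filename = user_roles.csv
```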


Splunk is suitable for small-scale businesses; it is not the best choice for large-scale businesses (tier-3 and above). There are many other SIEM tools that are more accurate and reliable, but Splunk is one of a kind in that it is cost effective for small-scale businesses. Splunk does have a lot of features, but other vendors also provide effective solutions and accuracy in detecting malicious events and creating notable events.

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
