
Configure Splunk

Splunk is meant to aggregate real-time data for investigating, monitoring, and analyzing incidents. For educational purposes, students will use course-provided static datasets to exercise Splunk's tools and functionality. To fully configure your instance of Splunk, you'll need to complete the following parts in order.


Part I: Install Apps & Add-ons

The Splunkbase library allows users to select an app or add-on to customize the functionality of Splunk. The dataset for MISA 532 requires the following applications, which are distributed and licensed separately and should be installed before using the dataset. The versions listed are those that were used to create the dataset. Different versions of the software may or may not work properly, so it's important to install the apps listed below exactly as they appear in the Splunkbase library.

  • Cisco Endpoint Security Analytics (CESA) (v4.0.7)
  • SA-cim_validator (use Steps 7 & 8 to install this app)
Follow the directions below to install the necessary apps and add-ons. You will need to repeat the steps to install each app/add-on.

Step 1

Open Splunk

[Screenshot: Splunk Enterprise login page opened in Chrome, showing the username and password fields]

If not already loaded, open Splunk in your preferred browser (Chrome is recommended). Type http://127.0.0.1:8000/ in the address bar. You'll need to log in using the administrative credentials you made during Getting Started.

Note: After the 60-day or 15-day trial ends, your instance switches to the free license. This means an administrative login is no longer required to access your instance of Splunk.

Step 2

Manage Apps

[Screenshot: Splunk home page after login, with the Manage Apps gear icon outlined]

Select the gear icon to open the Manage Apps window.

Step 3

Browse More Apps

[Screenshot: Manage Apps window with the Browse More Apps button outlined]

Select Browse More Apps. There will be apps/add-ons already listed from installing Splunk; you're encouraged to browse these apps as well to learn more about them.

Step 4

More Apps

[Screenshot: Browse More Apps page; the app/add-on search bar is labeled 1 and the Install button for the chosen app/add-on is labeled 2]

Follow the steps below:

  1. Copy the name of the app/add-on exactly as it shows in the list above and paste it into the search box.
  2. Press Enter and select Install beside the appropriate app/add-on.

Step 5

Terms & Agreements

[Screenshot: Splunk.com login prompt with the username and password fields outlined, the terms and conditions checkbox arrowed, and the Login and Install button outlined]

Upon selecting Install, Splunk will prompt you for the Splunk credentials you created when registering on Splunk's site (see the Getting Started page).

Enter your credentials, and select Agree and Install to proceed.

Note: Splunk may ask you if you want to restart now or later. Select Restart Later. You'll restart after installing all apps/add-ons.

Step 6

Repeat for all Apps

Repeat Steps 3-5 for all required apps and add-ons in the list above, with the exception of SA-cim_validator, which you'll install in the next steps from a downloaded zip file.

Step 7

Download File

[Screenshot: Splunk home page after login, with the Manage Apps gear icon outlined]

Download the SA-cim_validator-master.zip file. Then, in Splunk, select the gear icon to open the Manage Apps window.

[Screenshot: Manage Apps window with the Install app from file button outlined]

Select Install app from file.

Step 8

Choose File

[Screenshot: Upload app dialog with the Choose File button and the Upload button outlined]

Select Choose File and locate SA-cim_validator-master.zip. Then select Upload to upload the zipped file.

Step 9

Restart Splunk

[Screenshot: Settings button (labeled 1) in the Splunk top navigation; under System, Server controls is outlined (labeled 2)]

Once you've installed all the apps, you'll need to restart Splunk. To restart Splunk:

  1. Open Settings from the Splunk navigation.
  2. Select Server controls.
  3. Select Restart Splunk.

[Screenshot: Restart Splunk button outlined (labeled 3)]

Note: It may take time for Splunk to restart - do not close the browser until Splunk has refreshed with the login page.

Step 10

Proceed to Part II

Move onto Part II: Download & Install Dataset to complete Splunk configuration.


Part II: Download & Install Dataset

Step 1

Download Dataset

Dataset:      botsv3_data_set.tgz
Description:  Boss of the SOC (BOTS) v3 dataset
Size:         320.1-607 MB
Format:       Pre-indexed Splunk
MD5 Hash:     d7ccca99a01cff070dff3c139cdc10eb

Step 2

Locate & Open Download

[Screenshot: Windows File Explorer opened to the Splunk folder, with the file path outlined]

Locate the download and select the Open folder location symbol to open the downloaded archive at its location.

Note: This should open an unzipped folder with the same name as the archive you downloaded.

Step 3

Copy Folder

[Screenshot: Splunk apps folder; the folder created for the data is outlined, with an arrow to the extracted data]

Follow the directions below to copy the folder:
  1. Select the botsv3_data_set folder.
  2. Right-click and select Copy.

Important Note: Be sure the contents of the folder you are copying look like the image below. If the folder's contents don't match the image, you may need to extract the data into another folder; name this folder the same as above. Use the images above and below to guide you.

[Screenshot: Splunk apps folder; the folder created for the data is outlined, with an arrow to the extracted data]

Step 4

Paste Folder in Splunk Apps Folder

[Screenshot: Splunk folder with the apps folder outlined]

Follow the directions below to paste the folder:
  1. Navigate to C:\Program Files\Splunk\etc\apps.
  2. Right-click and select Paste.

Step 5

Navigate to apps Folder & Open PowerShell

[Screenshot: right-click menu on the apps folder, with Open PowerShell window here outlined and arrowed]

Select the symbol to navigate to the parent directory.

[Screenshot: right-click menu on the apps folder, with Open PowerShell window here outlined and arrowed]

Follow the directions below to open PowerShell:

  1. Select the apps folder and right-click it.
  2. Select Open in Terminal.

Step 6

Verify File Integrity

[Screenshot: PowerShell window running Get-FileHash on the file, with the MD5 hash compared against the one in the table above]

You'll need to verify that the MD5 hash matches the one listed in the table in Step 1. This ensures the data file has not been altered or corrupted.

Type get-filehash -Algorithm MD5 .\botsv3_data_set.tgz and press Enter.

Note: If you make a typo/syntax error, this step will not work. Be sure to type it exactly as it appears above.

It should look like the image above. If your hash value differs from d7ccca99a01cff070dff3c139cdc10eb, you have a different file, which may be illegitimate or corrupted. Delete the file and try again; contact your instructor if the problem persists.
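The same check as a reusable PowerShell function, added here as an example (not part of the ERAU guide or Splunk's documentation): it runs Get-FileHash, compares the result to the hash from the Step 1 table without regard to letter case, and reports a missing file or a mismatch instead of silently continuing. The function name Test-DatasetHash is a made-up name for this example.

```powershell
# Added example (not from the ERAU guide): verify the BOTS v3 download against
# the MD5 published in the Part II, Step 1 table before copying it into the
# Splunk apps folder. Assumes the .tgz is in the current folder.
function Test-DatasetHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedMd5
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path (check you are in the right folder)"
        return $false
    }

    # Same cmdlet the guide uses. Hashes are hex strings, so compare
    # case-insensitively (-ieq) to avoid a false mismatch on letter case.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    if ($actual -ieq $ExpectedMd5) {
        Write-Host "OK: $Path matches the published MD5"
        return $true
    }

    # A mismatch means a different or damaged file: delete it and download again.
    # MD5 catches accidental corruption or a swapped file, but it is not
    # collision-resistant, so always compare against the hash the course
    # publishes rather than one shipped alongside the download itself.
    Write-Warning "MISMATCH for $Path`n  expected: $ExpectedMd5`n  actual:   $actual"
    return $false
}

# Hash copied from the dataset table in Part II, Step 1
$published = 'd7ccca99a01cff070dff3c139cdc10eb'
Test-DatasetHash -Path '.\botsv3_data_set.tgz' -ExpectedMd5 $published
```

Run it from the same PowerShell window opened in Step 5; it returns True when the file matches and False otherwise.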

Note: The directions for checking the MD5 hash are for Windows machines. If you are using macOS or Linux, visit the vendor's website for support.

Step 7

Restart Splunk

[Screenshot: Settings button (labeled 1) in the Splunk top navigation; under System, Server controls is outlined (labeled 2)]

Once the dataset folder is in place, you'll need to restart Splunk so it loads the new data. To restart Splunk:

  1. Open Settings from the Splunk navigation.
  2. Select Server controls.
  3. Select Restart Splunk.

[Screenshot: Restart Splunk button outlined (labeled 3)]

Note: It may take time for Splunk to restart - do not close the browser until Splunk has refreshed with the login page.

Step 8

Search & Reporting

[Screenshot: Splunk home page with Search & Reporting outlined]

Open Splunk and navigate to Search & Reporting.

Step 9

Add Events

[Screenshot: Search & Reporting page; the search box is labeled 1, the time range picker 2, and the search button 3; the search button and time range are outlined together]

  1. Type the following in the search textbox: index=botsv3 earliest=0
  2. Select the time frame you wish to search (last 24 hours, last 30 days, all time, etc.).
  3. Select the search button to begin searching for events.

Note: If you cannot produce any events from the data set, this is typically because the data is not located in the right structure within the apps folder. Once you've confirmed that the folders are in the correct structure (see steps 2 & 3), reach out to your instructor for guidance.

Step 10

Finish

Your Splunk instance is configured! You can now complete course work, including accessing Splunk Fundamentals I resources. Visit the Additional Resources page to learn more about Fundamentals I, dashboards, and other Splunk resource documentation.


© Copyright 2025 All rights are reserved. The material contained herein is the copyright property of Embry-Riddle Aeronautical University, Daytona Beach, Florida, 32114. No part of this material may be reproduced, stored in a retrieval system or transmitted in any form, electronic, mechanical, photocopying, recording or otherwise without the prior written consent of the University.


This page was last updated September 16, 2025