Splunk Practice Exercise 3: Group Events by Vendor ID
Introduction
This practice exercise focuses on grouping events in Splunk based on the Vendor ID into predefined ranges.
Step 1: Access Splunk Web
- Open your web browser and navigate to Splunk Web: http://<your server ip>:8000
- Log in using your credentials.
Step 2: Navigate to Search & Reporting App
- In the Splunk Web interface, go to the Search & Reporting app.
Step 3: Construct the Search Query
- In the search bar, enter the following search query:
index=tutorial VendorID=* | eval VendorGroup=case(
VendorID >= 1000 AND VendorID <= 1009, "Group A",
VendorID >= 1010 AND VendorID <= 1019, "Group B",
VendorID >= 1020 AND VendorID <= 1029, "Group C",
VendorID >= 1030 AND VendorID <= 1039, "Group D",
VendorID >= 1040 AND VendorID <= 1049, "Group E",
VendorID >= 1050 AND VendorID <= 1059, "Group F",
VendorID >= 1060 AND VendorID <= 1069, "Group G",
VendorID >= 1070 AND VendorID <= 1079, "Group H",
VendorID >= 1080 AND VendorID <= 1089, "Group I",
VendorID >= 1090 AND VendorID <= 1099, "Group J",
1=1, "Others"
) | table VendorID, VendorGroup
This query assigns each event to a group based on its Vendor ID: every ten consecutive IDs from 1000 to 1099 map to one of Groups A through J, and the final `1=1` branch is the catch-all, so any Vendor ID outside 1000-1099 (or one that cannot be compared numerically) is labelled "Others".
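Because each group covers exactly ten consecutive IDs, the ten-branch case() can be expressed as arithmetic bucketing. The search below is an added example, not part of the original exercise; it assumes the same index=tutorial data and VendorID field, uses tonumber() so that non-numeric values fall through to "Others" just as the catch-all branch does, and ends with a stats summary so you can confirm that each group's lowest and highest ID fall inside the intended range.

```spl
index=tutorial VendorID=*
| eval VendorID=tonumber(VendorID)
| eval VendorGroup=if(VendorID >= 1000 AND VendorID <= 1099,
      "Group ".substr("ABCDEFGHIJ", floor((VendorID - 1000) / 10) + 1, 1),
      "Others")
| stats count AS Events, min(VendorID) AS LowestID, max(VendorID) AS HighestID BY VendorGroup
| sort VendorGroup
```

Replacing the stats line with `| table VendorID, VendorGroup` gives the same per-event output as the original query, which is a quick way to check that the two searches agree.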
Step 4: Run the Search
- Press Enter or click the Search button to execute the search.
Step 5: Review Results
- Review the search results in the table, where each Vendor ID and its assigned group are displayed.
Conclusion
Congratulations! You have successfully completed the practice exercise, grouping events in Splunk based on the Vendor ID into predefined ranges. Continue to explore and experiment with different search queries to enhance your Splunk skills.