Splunk® Enterprise

Splunk Enterprise Scenarios

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Start working with data

Scenario steps work with data.png
In this scenario, hackers appear to be making many failed attempts to log into a system. Login attempts are tracked in a new data set.

Start working with the data.

  • Review event patterns in the data to identify specific kinds of events.
  • Run a search to isolate events that match a particular event pattern.

Part 1: Review events in the sample data

The tutorial data has a source default field. Start searching the data using this field.

  • Note: Depending on when you imported the sample data into the Splunk platform instance, search results might vary.


  • Upload the tutorial sample data. For more details, see the previous scenario step.


  1. Run the following search over the All time time range.


    This search returns a large number of events from different log files in the tutorial data package. You might not see any login failure events in the first page of search results.

Part 2: Find event patterns in the dataset

Use the Patterns tab to view common event patterns in the dataset. You might be able to find a login error event to use in a search.

  • Note: Depending on when you imported the sample data into the Splunk platform instance, search results might vary.


  1. Select the Patterns tab. Selecting this tab generates a secondary search for event patterns in the initial search results.
  2. Observe that the Patterns tab shows two event patterns. One of the patterns represents a failed password attempt.
    Step2.2 patterns tab example small.png
    If the Smaller/Larger slider is set to a different position than the default setting displayed above, you might see more or fewer patterns. Use the default setting to get the same results.

  3. Select the failed login pattern to see the following details.
    • The keyword that defines the event pattern.
    • The search that returns the events represented in this pattern.

The Patterns tab is one way to examine a dataset. You can also use the following options.

  • Review the fields returned in the Fields sidebar. Study field summaries and run pre-built searches.
  • Open the search in Pivot to work with tables and charts based on the search data.

Part 3: Find events in the pattern


  1. In the Patterns tab, select View Events. A search runs using the search string for the pattern. The search isolates events that fit the pattern.
  2. Observe that the keyword Failed is highlighted in the search results.
    Step2.3-second search results.png
  3. Observe also that the fields sidebar to the left of the events includes a sourcetype field.
    There is only one value for this field, meaning that all events returned by this search have the same sourcetype value.

    Because all of the events have the same sourcetype, the following search returns the same events.

    sourcetype=secure failed

The next part of the scenario shows you how to identify and extract fields from the events.

Last modified on 26 June, 2017
Review the scenario and set a goal
Extract fields

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters