Hello hello! If you’re looking to dive into Splunk and want a dataset to work with, the BOTS v3 (Boss of the SOC) dataset is a great choice. Lets look at the process of setting up the dataset in Splunk.
🟡 Avoid installing the BOTS v3 dataset app on a production Splunk environment.
1. Install Splunk
- Video Tutorial: How to Install Splunk
- Written Guide: Install Splunk 9.x on Ubuntu
- Install Options: You can choose to install Splunk through:
- A virtual machine (🌟 recommended)
- Your personal machine
2. Download the BOTS v3 Dataset
Get the BOTS v3 dataset app from this download link. This dataset is also linked in the official GitHub repo from Splunk.
3. Prepare Required Apps and TAs (Technology Add-ons)
Before installing the BOTS v3 dataset, make sure you have all the required apps and TAs.
- GitHub List: Check out the list of necessary apps and add-ons in the GitHub repo.
- Installation Tip: Some apps/add-ons might be deprecated or incompatible with the latest Splunk version. Feel free to skip those for simplicity sake.
- Install Apps:
- From the GitHub repo, click on the app link.
- Download the
tgz
file provided by Splunk Base. - In Splunk, head to Apps (top-left) > Manage Apps.
- Click Install app from file (top-right) to install the app and repeat this for each app.
⏳ Heads up! This might take a bit of time. There are quicker ways, but I’ll leave that tinkering to you! 😉
4. Install the BOTS v3 Dataset
With all apps in place and after restarting Splunk (Setting > Server controls > Restart Splunk), let’s get the BOTS v3 dataset set up.
- Follow the same install steps for the BOTS v3 dataset
tgz
file you downloaded earlier from GitHub. - Insight: The BOTS v3 app holds the indexed logs for the dataset. While you can explore the raw logs using 7-zip, installing the app makes them available for Splunk to search.
- Licensing Note: Typically, ingesting raw logs consumes your license based on log volume. But with the BOTS v3 dataset, logs are pre-indexed, saving your license. The trial license with Splunk Enterprise should suffice.
5. Restart Splunk
After installing the BOTS v3 dataset, give Splunk a quick restart (Setting > Server controls > Restart Splunk).
6. Dive into the Logs
You can start searching with the following SPL: index=botsv3 earliest=0
. Keep in mind that the dates on these logs are fairly old now, so you will need to search quite far back to see them (The earliest=0
in the search is doing this for you).
Good luck with your searching! 🙂