This is the README documentation for the Splunk Lab, produced and maintained by CodePath.org.
Want to jump into the lab? Navigate to the Part 0 Instructions to get started!
The Splunk Lab is designed to teach you how to use a SIEM (Security Information and Event Management) system to search, analyze, and investigate log data. You'll gain hands-on experience querying real datasets with Splunk's Search Processing Language (SPL), building dashboards, and applying your skills to a simulated security incident investigation.
- Understand how SIEMs organize and index log data
- Write SPL queries to search, filter, aggregate, and visualize events
- Investigate a simulated web server breach using authentication logs
- Apply SIEM skills in an open-ended CTF challenge across multiple datasets
- Set up the lab environment using Docker
- Learn: Splunk Fundamentals
- Apply: Investigating a Web Server Breach
- Challenge: SIEMsational CTF
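The "search, filter, aggregate" objective above comes down to one recurring pattern in the investigation: extract fields from raw log lines, count failures per source, and keep only sources over a threshold. As an added example that is not part of the CodePath lab, the script below reproduces that pipeline in plain Python so the counting step is visible next to the SPL it mirrors. The log format, the field names, and the index and sourcetype in the SPL comment are assumptions, not the lab's real schema; the log lines are constructed.

```python
"""
Added example (not part of the CodePath Splunk Lab): the failed-login
aggregation a student would express in SPL, reproduced in plain Python so
the counting step is visible. Log format, field names and the index /
sourcetype in the SPL comment are assumptions, not the lab's real schema.
"""
import re
from collections import Counter

# Assumed SPL equivalent of the aggregation below (index, sourcetype and
# field names are assumptions about the lab data, not taken from the README):
#   index=main sourcetype=webserver01_auth action=failure
#   | stats count AS failures BY src_ip
#   | where failures >= 5
#   | sort -failures
SPL_QUERY = (
    "index=main sourcetype=webserver01_auth action=failure "
    "| stats count AS failures BY src_ip | where failures >= 5 | sort -failures"
)

# Constructed sample lines in a made-up SSH-style format; not real lab data.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z WebServer01 sshd: Failed password for admin from 203.0.113.7 port 50122
2024-03-01T10:00:03Z WebServer01 sshd: Failed password for root from 203.0.113.7 port 50124
2024-03-01T10:00:04Z WebServer01 sshd: Accepted password for alice from 192.0.2.10 port 41000
2024-03-01T10:00:05Z WebServer01 sshd: Failed password for admin from 203.0.113.7 port 50126
2024-03-01T10:00:07Z WebServer01 sshd: Failed password for test from 203.0.113.7 port 50128
2024-03-01T10:00:08Z WebServer01 sshd: Failed password for bob from 198.51.100.22 port 39001
2024-03-01T10:00:09Z WebServer01 sshd: Failed password for admin from 203.0.113.7 port 50130
2024-03-01T10:00:12Z WebServer01 sshd: Accepted password for admin from 203.0.113.7 port 50132
"""

# Field extraction: the Python counterpart of Splunk pulling src_ip, user,
# action out of each raw event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<action>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<port>\d+)$"
)


def parse_events(text):
    """Turn raw lines into dicts of extracted fields, in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match are dropped, as a filtered search would
            events.append(m.groupdict())
    return events


def failed_logins_by_ip(events, threshold=5):
    """action=failure | stats count BY src_ip | where count >= threshold"""
    counts = Counter(e["src_ip"] for e in events if e["action"] == "Failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def success_after_failures(events, threshold=5):
    """Flag (src_ip, user) pairs that logged in successfully after that IP
    had already reached the failure threshold: the detail that separates a
    brute force that worked from background noise, and the thing to check
    first when triaging the web server breach."""
    failures = Counter()
    flagged = set()
    for e in events:  # relies on parse_events preserving time order
        if e["action"] == "Failed":
            failures[e["src_ip"]] += 1
        elif failures[e["src_ip"]] >= threshold:
            flagged.add((e["src_ip"], e["user"]))
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("SPL:", SPL_QUERY)
    print("failures by ip:", failed_logins_by_ip(evts))
    print("success after failures:", success_after_failures(evts))
```

The second function is the part SPL's `stats` alone does not give you: a plain count says which source was noisy, while the ordered pass shows whether that source eventually got in, which is the question the Apply section is really asking. In Splunk the same ordering is usually done with `transaction` or `streamstats`; the Python version just walks events in time order.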
Students interact with Splunk entirely through a web browser at http://localhost:8000. No command-line tools are required beyond Docker to start the container.
The Docker image includes:
- Splunk Enterprise 9.0.4 — pre-configured with admin credentials and a Free license
- Pre-indexed datasets — lab data is automatically indexed on first container start (~90 seconds), including:
  - Netflix titles catalog
  - Top Video Game sales data
  - WebServer01 authentication logs
  - PathCode Inc. malware investigation logs (web proxy, failed logins, file upload hashes)
```
docker run --rm -it -p 8000:8000 -v splunk-lab-data:/opt/splunk/var ghcr.io/codepath/opencyber-splunk-lab:latest
```

Note: The named volume (`splunk-lab-data`) persists your indexed data and dashboards between sessions. Your work is safe if you stop and restart the container.