Splunk for Beginners: FREE Security Lab with Botsv3 Dataset (Dashboards, Alerts & Queries!)
- BlueDolphin
- May 24
- 3 min read
If you're looking to break into cybersecurity or level up your blue team skills, learning Splunk is a smart move. But forget boring slideshows—this guide is all about hands-on practice.
In this tutorial, we’ll walk through how to install Splunk Enterprise on Windows, load up a juicy real-world dataset from Boss of the SOC (BOTS) v3, and start running useful searches, alerts, and dashboards right away.
Whether you're prepping for a security analyst role or just want to get better with log analysis, this post has you covered.
✅ What You’ll Learn
Installing Splunk Enterprise (Free!)
Importing the BOTS v3 dataset (Free)
Performing your first real searches
Building dashboards from security logs
Setting up alerts for brute force and ransomware
Want more step-by-step labs, security walkthroughs, and Splunk content?
📺 Watch the full video on YouTube
💬 Leave a comment if you get stuck
🔔 Don’t forget to like & subscribe—it really helps!
1. Install Splunk Enterprise (Yes, It’s Free!)
Go to the official Splunk download page and grab the Windows version. It is labelled as a 60-day trial, but when that period expires you are prompted to keep using it rather than locked out.
After installing, just open your browser and visit:

Log in with your credentials and you’re in!
2. Load Real Security Data with BOTS v3
To make your Splunk experience real and relevant, download the Boss of the SOC v3 dataset from this GitHub repository.
Setup Steps:
Download and unzip the BOTS v3 files
Ingest them into Splunk (instructions are on the repo)
Search:
index=botsv3
Set your time range to All time so that everything shows up: the BOTS v3 events are historical, so the default time window will not include them.
Now you’ve got real-world logs at your fingertips—no fake data here.
3. First Search: Let’s Find Some Errors
Start simple:
index=botsv3 error
This will return every event containing the word error. To narrow it down, filter on fields such as host or source.
Example:
index=botsv3 host="serverless" error
Need to exclude something (like AWS logs)? Use NOT:
index=botsv3 error NOT sourcetype="aws:cloudtrail"

4. Analyze with Stats and Timecharts
Want to see how often different log types appear?
index=botsv3 | stats count by sourcetype
Or use a timechart to track trends over time:
index=botsv3 | timechart count by sourcetype

These commands are great for spotting spikes, anomalies, or trends across your security environment.
5. Investigate Authentication Events with Transactions
Want to monitor login attempts and correlate them over time? Use transaction:
index=botsv3 sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) | transaction host, AccountName maxspan=30m | table _time AccountName host EventCode duration

This will show login successes and failures, grouped by host and user within a 30-minute window—perfect for spotting brute-force attempts.
6. Build a Splunk Dashboard (No Coding Required)
Dashboards make it easier to visualize your data.
How to Build One:
Go to the Dashboards tab
Click Create New Dashboard
Give it a name like “Host Authentication Attempts”
Choose Classic Dashboard for simplicity
Click Add Panel > New > Line Chart
Input your SPL search (like the one above)
Save the panel

Now you’ve got a real-time dashboard showing live security insights.
7. What’s Next?
Try creating alerts for:
Multiple failed logins from a single IP
Suspicious behavior patterns
Rare event codes
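As an added example that is not from the original post, here is a stats-based search that covers the first alert idea above (many failed logins from one source) and does the same job as the transaction query in section 5, grouping successes and failures per host and account within a 30-minute window. The field names host, AccountName and EventCode are the ones the post uses; src_ip is an assumption for whatever field your Windows add-on extracts the source address into (it is often Source_Network_Address), and the threshold of 10 failures is a constructed starting point to tune against your own data.

```spl
index=botsv3 sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)
| bin _time span=30m
| stats count(eval(EventCode=4625)) AS failures, count(eval(EventCode=4624)) AS successes, dc(AccountName) AS accounts_tried, values(AccountName) AS accounts by _time, src_ip, host
| where failures >= 10
| eval outcome=if(successes > 0, "failures and a success in the same window - investigate", "failures only")
| sort - failures
```

Run it ad hoc with the time range set to All time, since the dataset is historical. To turn it into an alert on live data, choose Save As > Alert, schedule it (for example every 30 minutes over the last 30 minutes) and set the trigger condition to Number of Results greater than 0. The stats version is preferred over transaction on large indexes because it does not have to hold every event in memory while it builds groups, and a success landing in the same window as a burst of failures is the row worth looking at first.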
With a solid dataset and these fundamentals, you’re not just using Splunk—you’re thinking like a security analyst.
💡 Final Thoughts
Splunk is one of the most in-demand tools in cybersecurity. By starting with hands-on experience using real-world data, you’ll build skills that actually matter on the job.
#SplunkTutorial #CyberSecurityTraining #SOCAnalyst #SplunkForBeginners #BlueTeam #SecurityAnalytics #SIEM #SplunkDashboards #ThreatDetection #SplunkSPL #CyberSecurityLab #SecurityLogs #HandsOnCyberSecurity #RansomwareDetection #BruteForceDetection