8/15/2019 Splunk Ppt satinder singh sandhu
1/146
Course-Ware
-> Introduction
-> Splunk Inc
-> Licensing
-> Installation
-> Login
-> Splunk Home
-> Getting Data
-> Search Dashboard
-> Data Summary
-> Search Actions and Modes
-> Search Language
-> Using Subsearch
-> Field Lookups
-> Saving and Sharing Reports
-> More Searches and Reports
-> Creating Dashboards
INTRODUCTION
Splunk Enterprise is the leading platform for real-time operational intelligence. It's the easy, fast and secure way to search, analyze and visualize the massive streams of machine data generated by your IT systems and technology infrastructure: physical, virtual and in the cloud.
Troubleshoot application problems and investigate security incidents in minutes instead of hours or days, avoid service degradation or outages, deliver compliance at lower cost and gain new business insights.
SPLUNK INC.
Founded in 2003 and headquartered in San Francisco, California.
Specialties: "Machine Data To Operational Intelligence"
The machine data that facilitates operational intelligence comes in many different forms from many different sources. Splunk is able to collect and index data from many different sources, including log files written by web servers or business applications, syslog data streaming in from network devices, or the output of custom developed scripts.
Searching, monitoring, and analyzing machine-generated big data, via a web-style interface.
According to TechTarget, Splunk is designated as the SIEM of the year.
The name "Splunk" is a reference to exploring caves, as in spelunking.
SPLUNK – LICENSING
You'll get a Splunk Enterprise FREE license for 60 days and you can index up to 500 megabytes of data per day.
Perpetual and Term Licensing
There are two options for licensing Splunk Enterprise:
Perpetual license: this includes the full functionality of Splunk Enterprise and starts as low as $
INSTALLATION
Linux installation instructions
tar xvzf splunk_package_name.tgz -C /opt
Windows installation instructions
1. To start the installer, double-click the splunk.msi file. In the Welcome panel, click Next.
3. In Customer Information, enter the requested details and click Next.
Mac OS X installation instructions
1. Navigate to the folder or directory where the installer is located.
2. Double-click on the DMG file.
3. Double-click on splunk.pkg.
Users
About Splunk Enterprise users
First time Login
The Splunk interface is web-based, which means that no client needs to be installed.
http://localhost:8000
First time sign-in credentials
Username - admin
Password - changeme
It is a good idea to change this password to prevent unwanted changes to your deployment.
Splunk Home
Apps
The Apps panel lists the apps that are installed on your Splunk instance that you have permission to view. Select the app from the list to open it.
For an out-of-the-box Splunk Enterprise installation, you see one App in the workspace: Search & Reporting. When you have more than one app, you can drag and drop the apps within the workspace to rearrange them.
You can do two actions on this panel:
- Click the gear icon to view and manage the apps that are installed in your Splunk instance.
- Click the plus icon to browse for more apps to install.
Splunk Home
Splunk Bar
Splunk Home
Settings menu
The Settings menu lists the configuration pages for Knowledge objects, Distributed environment settings, System and licensing, Data, and Authentication settings. If you do not see some of these options, you do not have the permissions to view or edit them.
User menu
The User menu here is called "Administrator" because that is the default user name for a new installation. You can change this display name by selecting Edit account and changing the Full name. You can also edit the time zone settings, select a default app for this account, and change the account's password. The User menu is also where you Logout of this Splunk installation.
Splunk Home
Messages menu
All system-level error messages are listed here. When there is a new message to review, a notification displays as a count next to the Messages menu.
Activity menu
- Click Jobs to open the search jobs manager window, where you can view and manage currently running searches.
- Click Triggered Alerts to view scheduled alerts that are triggered. This tutorial does not discuss saving and scheduling alerts.
- Click System Activity to see Dashboards about user activity and status of the system.
GETTING DATA
A Splunk data repository is called an index. During indexing (or event processing), Splunk processes the incoming data stream to enable fast search and analysis, storing the results in the index as events.
Events are stored in the index as a group of files that fall into two categories:
- Rawdata, which is the raw data in a compressed form.
- Index files and some metadata files that point to the raw data.
These files reside in sets of directories, called buckets, organized by age.
SEARCH DASHBOARD
DATA SUMMARY
The Data Summary dialogue displays three tabs: Hosts, Sources, Sourcetypes.
The host of an event is the host name, IP address, or fully qualified domain name of the network machine from which the event originated.
The source of an event is the file or directory path, network port, or script from which the event originated.
The source type of an event tells you what kind of data it is, usually based on how it is formatted. This classification lets you search for the same type of data across multiple sources and hosts.
Time Range Picker
By default, the time range for a search is set to All time. When you search large volumes of data, results return faster when you run the search over a smaller time period.
If one of the Presets is not what you want, you can define a custom time range, such as a Relative time range or a Date & Time Range.
To run a search over the last two hours, use the Relative time range option.
For example, to troubleshoot an issue that took place September 30th at a specific time, define a custom Date & Time Range.
Search Actions and Modes
Control search job progress
After you launch a search, you can pause it and stop it using the buttons under the search bar. Also, you can access and manage information about the search's job without leaving the Search page.
Click Job and choose from the available options there.
- Edit job settings. Select this option to open the Job Settings dialog box, where you can change the job's read permissions, extend the job's lifespan, and get a URL for the job that you can use to share the job with others or put a link to the job in your browser's bookmark bar.
- Send job to the background. Select this option if the search job is slow and you want to run the job in the background while you work on other Splunk Enterprise activities (including running a new search job).
- Inspect job. Opens a separate window and displays information and metrics for the search job using the Search Job Inspector.
- Delete job. Use this option to delete a job that is running, is paused, or which has finalized. After you delete the job, you can save the search as a report.
Search mode
The Search mode controls the search experience. You can set it to speed up searches by cutting down on the event data it returns (Fast mode), or you can set it to return as much event information as possible (Verbose mode). In Smart mode (the default setting) it toggles search behavior based on the type of search you're running.
Save the results
The Save as menu lists options for saving the results of a search as a Report, Dashboard Panel, Alert, and Event type.
Other search actions
- The Share option shares the search job. This option extends the job's lifetime to seven days and sets the read permissions to Everyone.
- The Export option exports the results. Select this option to output to CSV, raw events, XML, or JSON and specify the number of results to export.
- The Print option sends the results to a printer that has been configured.
Search Results Tabs
If your search retrieves events, you can view the results in the Events tab and the Patterns tab, but not in the other tabs. If your search includes transforming commands, you can view the results in the Statistics and Visualization tabs.
Events
The keyword search used in this screenshot retrieves events and populates the Events results tab.
The Events tab displays the timeline of events, the fields sidebar, and the events viewer. To change the event view, use the List and Format options. By default, the events appear as a list that is ordered starting with the most recent event. In each event, the matching search terms are highlighted.
Timeline of events: A visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, you might notice clusters or patterns of bars. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. Thus, the timeline lets you spot patterns of events and investigate peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.
Fields sidebar: When you index data, Splunk by default extracts information from your data that is formatted as name and value pairs, which we call fields. When you run a search, Splunk lists all of the fields it discovers in the fields sidebar next to your search results. You can select other fields to show in your events. Also, you can hide this sidebar and maximize the results area.
Selected fields are set to be visible in your search results. By default, host, source, and sourcetype appear.
Interesting fields are other fields that Splunk has extracted from your search results.
Patterns
The Patterns tab simplifies event pattern detection. It displays a list of the most common patterns among the set of events returned by your search. Each of these patterns represents a number of events that all share a similar structure. You can click on a pattern to:
- View the approximate number of events in your results that fit the pattern.
- See the search that returns events with this pattern.
- Save the pattern search as an event type, if it qualifies.
- Create an alert based on the pattern.
Statistics
The Statistics tab populates when you run a search with transforming commands such as stats, top, chart, and so on. The previous keyword search for "buttercupgames" does not display any results in this tab because it does not have any transforming commands.
With a transforming search, such as one to find the popular categories of items sold on the Buttercup Games online store, the Statistics tab displays a table of results.
Visualizations
Transforming searches also populate the Visualization tab. The results area of the Visualizations tab includes a chart and the statistics table used to generate the chart. By default, the visualization type is the Column chart.
Start Searching
Retrieve events from the index
1. Type in keywords to find errors or failures and use Boolean operators: AND, OR, NOT.
EXAMPLE: buttercupgames (error OR fail* OR severe)
Boolean operators need to be capitalized. The AND directive is implied between terms, so you do not need to write it. You can use parentheses to group terms. When evaluating boolean expressions, precedence is given to terms inside parentheses. AND or NOT clauses are evaluated before OR clauses. The asterisk wildcard is used to match terms that start with "fail". These terms can include: failure, failed, and so on.
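The following Python is an added example, not code from the deck or from Splunk: it models the Boolean rules just listed (parentheses first, AND/NOT before OR, implicit AND between adjacent terms, only capitalized operators count as operators, trailing asterisk as a prefix wildcard) so you can check how a keyword query is interpreted before running it. Matching is on whole words of the raw event text; field syntax is not modelled.

```python
"""Keyword-search evaluator modelling the Boolean rules of the tutorial.

Added example, not Splunk code: precedence is parentheses, then AND/NOT,
then OR; adjacent terms are ANDed; lowercase 'or'/'and'/'not' are plain
search terms; 'fail*' matches any word starting with 'fail'.
"""
import re
from typing import List, Set

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(query: str) -> List[str]:
    return TOKEN_RE.findall(query)


def term_matches(term: str, words: Set[str]) -> bool:
    """Case-insensitive whole-word match; a trailing '*' is a prefix wildcard."""
    t = term.lower()
    if t.endswith("*"):
        prefix = t[:-1]
        return any(w.startswith(prefix) for w in words)
    return t in words


class Matcher:
    """Recursive-descent evaluator.  Grammar (lowest precedence first):
         expr    := andexpr ('OR' andexpr)*
         andexpr := unary (['AND'] unary)*        # AND may be implicit
         unary   := 'NOT' unary | '(' expr ')' | TERM
    """

    def __init__(self, query: str, event_text: str):
        self.tokens = tokenize(query)
        self.pos = 0
        # Split the event into lowercase words; punctuation separates words.
        self.words = set(re.findall(r"[a-z0-9_]+", event_text.lower()))

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of query")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def expr(self) -> bool:
        result = self.andexpr()
        while self.peek() == "OR":
            self.take()
            rhs = self.andexpr()      # evaluate eagerly so tokens are consumed
            result = result or rhs
        return result

    def andexpr(self) -> bool:
        result = self.unary()
        while self.peek() not in (None, "OR", ")"):
            if self.peek() == "AND":
                self.take()           # explicit AND; implicit AND needs no token
            rhs = self.unary()
            result = result and rhs
        return result

    def unary(self) -> bool:
        tok = self.take()
        if tok == "NOT":
            return not self.unary()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        # Anything else, including lowercase 'or', is an ordinary search term.
        return term_matches(tok, self.words)


def matches(query: str, event_text: str) -> bool:
    """True if the event text satisfies the keyword query."""
    m = Matcher(query, event_text)
    result = m.expr()
    if m.peek() is not None:
        raise ValueError(f"unexpected token {m.peek()!r}")
    return result
```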
Use fields to search
Fields exist in machine data in many forms. Often, a field is a value (with a fixed, delimited position on the line) or a name and value pair, where there is a single value to each field name. A field can be multivalued, that is, it can appear more than once in an event and has a different value for each appearance. Some examples of fields are clientip for IP addresses accessing your Web server, _time for the timestamp of an event, and host for the domain name of a server. One of the more common examples of multivalue fields is email address fields. While the From field will contain only a single email address, the To and Cc fields have one or more email addresses associated with them.
In Splunk Enterprise, fields are searchable name and value pairings that distinguish one event from another because not all events will have the same fields and field values. Fields let you write more tailored searches to retrieve the specific events that you want.
Find and select fields
SEARCH BAR: sourcetype="access_*"
Search for fields using the syntax: fieldname="fieldvalue". Field names are case sensitive, but field values are not. You can use wildcards in field values. Quotes are required when the field values include spaces.
This search indicates that you want to retrieve only events from your web access logs and nothing else.
This search uses the wildcard access_* to match any Apache web access sourcetype, which can be access_common, access_combined, or access_combined_wcookie.
In the Events tab, scroll through the list of events.
If you are familiar with the access_combined format of Apache logs, you recognize some of the information in each event, such as:
- IP addresses for the users accessing the website.
- URIs and URLs for the pages requested and referring pages.
- HTTP status codes for each page request.
- GET or POST page request methods.
Select action, categoryId, and productId and close the Select Fields window. The three fields appear under Selected Fields in the sidebar. The selected fields appear under the events in your search results if they exist in that particular event. Every event might not have the same fields.
Under Selected Fields, click the action field. This opens the field summary for the action field.
Run more targeted searches
Example 1: Search for successful purchases from the Buttercup Games store.
sourcetype=access_* status=200 action=purchase
You can search for failed purchases in a similar manner using status!=200, which looks for all events where the HTTP status code is not equal to 200.
sourcetype=access_* status!=200 action=purchase
Example 2: Search for general errors.
(error OR fail* OR severe) OR (status=
Use The Search Language
The searches you have run to this point have retrieved events from your Splunk index. You were limited to asking questions that could only be answered by the number of events returned.
For example, we can run this search to see how many simulation games were purchased:
sourcetype=access_* status=200 action=purchase categoryId=simulation
To find this number for the days of the previous week, you have to run it against the data for each day of that week. To see which products are more popular than the others, you have to run the search for each of the eight categoryId values and compare the results.
Learn with search assistant
Here we are going to talk about the search assistant to learn about the Splunk search processing language and construct searches.
Return to the search dashboard and restrict your search to Yesterday:
sourcetype=access_* status=200 action=purchase
As you type in the search bar, search assistant opens with syntax and usage information for the search command (on the right side). If search assistant doesn't open, click the down arrow under the left side of the search bar. You've seen before that search assistant displays typeahead for keywords that you type into the search bar. It also explains briefly how to search.
Type a pipe character, " | ", into the search bar.
The pipe indicates to Splunk that you're about to use a command, and that you want to use the results of the search to the left of the pipe as the input to this command. You can pass the results of one command into another command in a series, or pipeline, of search commands.
You want Splunk to give you the most popular items bought at the online store.
Type the categoryId field into the search bar to complete your search.
sourcetype=access_* status=200 action=purchase | top categoryId
View reports in the Statistics tab
The results of a search are reports. The top command is a transforming command and returns a tabulated report for the most common values of categoryId. You can view the results of transforming searches in the Statistics tab.
View and format reports in the Visualization tab
You can also view the results of transforming searches in the Visualizations tab where you can format the chart type.
SELECT PIE
Mouse over each slice of the pie to see the count and percentage values for each categoryId.
Use a Subsearch
This topic walks you through examples of correlating events with subsearches.
A subsearch is a search with a search pipeline as an argument. Subsearches are contained in square brackets and evaluated first. The result of the subsearch is then used as an argument to the primary, or outer, search.
Example 1: Without a subsearch
Let's try to find the single most frequent shopper on the Buttercup Games online store and what this customer has purchased.
To do this, search for the customer who accessed the online shop the most.
1. Use the top command:
sourcetype=access_* status=200 action=purchase | top limit=1 clientip
Limit the top command to return only one result for the clientip. To see more than one "top purchasing customer", change this limit value.
This search returns one clientip value, which we'll use to identify our VIP customer.
Use the stats command to count this VIP customer's purchases:
sourcetype=access_* status=200 action=purchase clientip=<clientip value returned by the top command> | stats count, dc(productId), values(productId) by clientip
The drawback to this approach is that you have to run two searches each time you want to build this table. The top purchaser is not likely to be the same person at any given time range.
Hence we introduce the concept of SUBSEARCH!!
Example 2: With a subsearch
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId), values(productId) by clientip
Here, the subsearch is the segment that is enclosed in square brackets, [ ]. This search, search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip, is the same as Example 1 Step 1, except for the last piped command, table clientip.
Because the top command returns count and percent fields as well, the table command is used to keep only the clientip value.
Rename the columns to make the information more understandable.
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID" by clientip | rename clientip AS "VIP Customer"
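The following Python is an added example, not code from the deck or from Splunk: it runs the equivalent of the subsearch pipeline above offline over a few constructed access_combined lines, so you can see what `top limit=1 clientip` and `stats count, dc(productId), values(productId) by clientip` actually compute. Treating query-string parameters as fields, and the sample IPs and product IDs, are assumptions made for this example.

```python
"""Offline model of the VIP-customer subsearch from the tutorial.

Added example, not Splunk code.  Fields are extracted from access_combined
lines (clientip, status, plus action/productId/categoryId from the query
string), then the inner search picks the top clientip and the outer search
runs the stats for that IP only.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
)

# Constructed sample data: IPs, product IDs and categories are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Aug/2019:10:01:02 -0700] "GET /cart.do?action=purchase&itemId=EST-14&productId=WC-SH-G04&categoryId=STRATEGY HTTP/1.1" 200 1318 "http://www.buttercupgames.com/cart.do" "Mozilla/5.0"
10.0.0.5 - - [15/Aug/2019:10:02:10 -0700] "GET /cart.do?action=purchase&productId=DB-SG-G01&categoryId=STRATEGY HTTP/1.1" 200 2124 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Aug/2019:10:03:44 -0700] "GET /cart.do?action=purchase&productId=WC-SH-G04&categoryId=STRATEGY HTTP/1.1" 200 1318 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Aug/2019:10:05:01 -0700] "GET /cart.do?action=purchase&productId=FS-SG-G03&categoryId=SIMULATION HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Aug/2019:10:05:09 -0700] "GET /cart.do?action=purchase&productId=FS-SG-G03&categoryId=SIMULATION HTTP/1.1" 503 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Aug/2019:10:06:30 -0700] "GET /cart.do?action=addtocart&productId=MB-AG-G07&categoryId=ARCADE HTTP/1.1" 200 1012 "-" "Mozilla/5.0"
"""


def extract_fields(line: str) -> Optional[Dict[str, str]]:
    """Return the event's fields, or None if the line is not access_combined."""
    m = ACCESS_COMBINED.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Query-string parameters become fields (assumption mirroring the tutorial data).
    for key, values in parse_qs(urlsplit(event["uri"]).query).items():
        event[key] = values[0]
    return event


def search(lines: Iterable[str], **filters: str) -> List[Dict[str, str]]:
    """Apply field=value filters; all must match (AND is implied)."""
    events = (extract_fields(line) for line in lines)
    return [e for e in events if e and all(e.get(k) == v for k, v in filters.items())]


def top_clientip(events: List[Dict[str, str]], limit: int = 1) -> List[str]:
    """`top limit=N clientip`: most frequent values, ties kept in first-seen order."""
    return [ip for ip, _ in Counter(e["clientip"] for e in events).most_common(limit)]


def vip_purchases(lines: Iterable[str]) -> Dict[str, object]:
    """The whole subsearch pipeline: the inner search yields the VIP clientip,
    the outer search restricts to that IP and runs the stats."""
    purchases = search(lines, status="200", action="purchase")
    vip = top_clientip(purchases, 1)[0]
    rows = [e for e in purchases if e["clientip"] == vip]
    products = [e["productId"] for e in rows if "productId" in e]
    return {
        "VIP Customer": vip,
        "Total Purchased": len(rows),              # count
        "Total Products": len(set(products)),      # dc(productId)
        "Products ID": sorted(set(products)),      # values(productId)
    }
```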
Use Field Lookups
This topic takes you through using field lookups to add new fields to your events. Field lookups let you reference fields in an external CSV file that match fields in your event data. Using this match, you can enrich your event data by adding more meaningful information and searchable fields to each event.
Upload the lookup table file
1. In the Lookups manager under "Actions" for Lookup table files, click Add new.
This takes you to the Add new lookup table files view where you upload CSV files to use in your definitions for field lookups.
2. To save your lookup table file in the Search app, leave the Destination app as search.
3. Under Upload a lookup file, browse for the CSV file (prices.csv) to upload.
Share the lookup table file globally
If the lookup file is not shared, you cannot select it when you define the lookup.
1. Go to the Lookup table files list.
2. Under Sharing for the prices.csv lookup table's Path, click Permissions.
This opens the Permission dialog box for the prices.csv lookup file.
3. Under Object should appear in, select All apps.
Add the field lookup definition
1. Return to the Lookups manager.
2. Under Actions for Lookup definitions, click Add New.
This takes you to the Add new lookup definitions view where you define your field lookup.
3. Leave the Destination app as search.
Share the lookup definition with all apps
1. Return to the Lookup definitions list.
2. Under Sharing for prices_lookup, click Permissions.
The Permission dialog box for prices_lookup opens.
3. Under Object should appear in, select All apps.
Make the lookup automatic
1. In the Lookups manager, under Actions for Automatic lookups, click Add New. This takes you to the Add New automatic lookups view where you configure the lookup to run automatically.
2. Leave the Destination app as search.
3. Name your automatic lookup price_lookup.
4. Under Lookup output fields, type in the name of the fields that you want to add to your event data based on the input field matching and rename the fields.
4.1 In the first text area, type product_name, which contains the descriptive name for each productId.
4.2 In the second text area, after the equal sign, type productName. This renames the field to productName.
4.3 Click Add another field to add more fields after the first one.
This returns you to the list of automatic lookups and you should see your configured lookup.
Show the new fields in your search results
1. Return to Search.
2. Run the search for web access activity.
sourcetype=access_*
3. Scroll through the list of Interesting Fields in the fields sidebar, and find the price field.
5. Next to Selected, click Yes.
6. Close the dialog box.
The price field appears under Selected Fields in the fields sidebar.
Repeat Steps 3 to 5 for the productName field.
Search with the new lookup fields
1. Copy and paste or type in the previous subsearch example to see what the VIP customer bought. This time, replace the productId field with productName.
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" by clientip | rename clientip AS "VIP Customer"
The result is the same as in the previous subsearch example, except that the VIP customer's purchases are more meaningful with the added descriptive product names.
Saving and Sharing Reports
Save as a report
1. Select the time range Yesterday and run the subsearch
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" by clientip | rename clientip AS "VIP Customer"
2. To save it as a report, click Save as above the search bar and select Report.
3. Enter a Title: VIP Customer.
There are other options in this window.
Continue Editing lets you refine the search and report format.
Add to dashboard lets you add the report to a new or existing dashboard.
View lets you view the report.
Click View.
View and edit saved reports
You can view and edit the saved report from its report view.
1. In the report view for "VIP Customer", click Edit.
You can open the report in the search view and edit the saved search's description, permissions, schedule, and acceleration. You can also clone, embed, and delete the report from this menu.
2. Click More Info.
You can view and edit different properties of the report, including its schedule, acceleration, permissions, and embedding.
3. Look at the time range picker, located to the top left. You saved this report with a time range picker. The time range picker lets you change the time period to run this search. For example, you can use this time range picker to run this search for the VIP Customer Week to date, Last 60 minutes, Last 4 hours just by selecting the Preset time range or defining a custom time range.
Find and share saved reports
You can access your saved reports using the app navigation bar.
1. Click Reports to open the Reports listing page.
When you save a new report, its Permissions are set to Private. This means that only you can view and edit the report. You can allow other apps to view, or edit, or view and edit the report by changing its Permissions.
1. Under Actions for the VIP Customer report, click Edit and select Edit Permissions.
This opens the Edit Permissions dialog box.
2. In the Edit Permissions dialog box, set Display For to App and check the box under Read for Everyone.
This action gives everyone who has access to this app the permission to view it.
3. Click Save.
Back at the Reports listing page, you see that the Sharing for VIP Customer now reads App.
More Searches and "eports
E&a#ple 84 Co#pare cou!ts o3 user actio!sIn this e4ample( calculate the number o% !ie)s( purchases( and adds to cart %or each typeo% product& +his report re0uires the productame %ield %rom the %ields lookup e4ample& I% you did not add the lookup( re%er to that e4ample and %ollo) the procedure&
=& "un this search9
sourcetypeOaccessB@ statusO.. chart count AS !ie)s countJe!alJactionO5addtocart5KK AS addtocart countJe!alJactionO5purchase5KK AS purchases by productame renameproductame AS 5:roduct ame5( !ie)s AS 5ie)s5( addtocart AS 5Adds to #art5(purchases AS 5:urchases5
This search uses the chart command to count the number of events that are action=purchase and action=addtocart.
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Chart
2. Use the Visualization view options to format the results as a column chart.
Example 2: Overlay Actions and Conversion Rates on one chart
1. Run this search:
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | eval viewsToPurchase=(purchases/views)*100 | eval cartToPurchase=(purchases/addtocart)*100 | table productName views addtocart purchases viewsToPurchase cartToPurchase | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds To Cart", purchases AS "Purchases"
Instead of the chart command, this search uses the stats command to count the user actions. Then, it uses the eval command to define two new fields which calculate conversion rates for "Product Views to Purchases" and "Adds to cart to Purchases".
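The Example 1 and Example 2 pipelines (counts per productName, then eval of the two conversion rates) carried out in plain Python over constructed access lines, as an added example that is not part of the original slides. The sample lines, the PRODUCT_LOOKUP table and the helper names (parse_event, rate, actions_and_conversion) are assumptions; SPL leaves an eval field empty on division by zero, which the code models as None.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
# Constructed access_combined-style lines standing in for sourcetype=access_* (not tutorial data).
SAMPLE_LOG = """\
10.0.0.1 - - [28/Apr/2014:18:22:16] "GET /product.screen?productId=EST-14 HTTP 1.1" 200 1665
10.0.0.1 - - [28/Apr/2014:18:22:20] "POST /cart.do?action=addtocart&productId=EST-14 HTTP 1.1" 200 212
10.0.0.1 - - [28/Apr/2014:18:22:31] "POST /cart.do?action=purchase&productId=EST-14 HTTP 1.1" 200 534
10.0.0.2 - - [28/Apr/2014:18:23:02] "GET /product.screen?productId=EST-6 HTTP 1.1" 200 1665
10.0.0.2 - - [28/Apr/2014:18:23:10] "POST /cart.do?action=addtocart&productId=EST-6 HTTP 1.1" 200 212
10.0.0.2 - - [28/Apr/2014:18:24:44] "POST /cart.do?action=purchase&productId=EST-6 HTTP 1.1" 503 0
10.0.0.3 - - [28/Apr/2014:18:25:00] "GET /product.screen?productId=EST-7 HTTP 1.1" 200 1665
10.0.0.4 - - [28/Apr/2014:18:25:09] "GET /product.screen?productId=EST-99 HTTP 1.1" 200 1665
"""
# Constructed stand-in for the productId -> productName lookup of the fields lookup example.
PRODUCT_LOOKUP = {"EST-14": "Dream Crusher", "EST-6": "Mediocre Kingdom", "EST-7": "World of Cheese"}
LINE_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP[^"]*" (?P<status>\d{3})')

def parse_event(line):
    """Pull status, action and productId out of one access line (None if it does not match)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("uri")).query)
    return {"status": int(m.group("status")), "action": qs.get("action", [None])[0],
            "productId": qs.get("productId", [None])[0]}

def rate(num, den):
    """eval x=(num/den)*100; SPL leaves the field null on division by zero, so return None."""
    return None if not den else round(num / den * 100, 2)

def actions_and_conversion(log_text, lookup):
    """Mirror of the Example 2 search: stats counts by productName, then eval of both rates."""
    counts = defaultdict(lambda: {"views": 0, "addtocart": 0, "purchases": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["status"] != 200:  # status=200
            continue
        name = lookup.get(ev["productId"])  # the productName lookup
        if name is None:  # "by productName" drops events that lack the field
            continue
        counts[name]["views"] += 1  # count AS views
        if ev["action"] == "addtocart":
            counts[name]["addtocart"] += 1  # count(eval(action="addtocart"))
        elif ev["action"] == "purchase":
            counts[name]["purchases"] += 1  # count(eval(action="purchase"))
    return {name: dict(c, viewsToPurchase=rate(c["purchases"], c["views"]),
                       cartToPurchase=rate(c["purchases"], c["addtocart"]))
            for name, c in counts.items()}
```

Note that the EST-6 purchase with status 503 and the EST-99 event with no lookup match are both dropped, exactly as the status=200 filter and the split-by field would drop them in Splunk.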
Steps 2 to 6 reformat the visualization to overlay the Conversion series onto the Actions series.
2. Click Visualization.
This is the same chart as in Example 1, with two additional series, "viewsToPurchase" and "cartToPurchase".
3. Click Format and X-Axis.
3.1 Rotate the label -
5. Click Format and Chart Overlay.
5.1 Type in or select the fields, "viewsToPurchase" and "cartToPurchase".
5.2 For View as Axis, click On.
5.3 For Title, choose Custom and type in Conversion Rates.
5.4 For Scale, choose Linear.
5.5 Set the Max Value to 100 and the Interval to 20.
5.6 Click Apply.
6. Click Save As and select Report.
6.1 In the Save Report As dialog box, enter a Title, "Comparison of Actions and Conversion Rates by Product".
6.2 (Optional) Enter a Description, "The number of times a product is viewed, added to cart, and purchased and the rates of purchases from these actions."
7. Click Save.
Example 3: Products purchased over time
For this report, chart the number of purchases that were completed for each item.
This report requires the productName field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.
1. Search for:
sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull="f" useother="f"
Use the count() function to count the number of events that have the field action=purchase. Use the usenull and useother arguments to make sure the chart counts events that have a value for productName. This produces the following statistics table.
3. Click Save As and select Report.
3.1 In the Save Report As dialog box, enter a Title, "Product Purchases over Time".
3.2 (Optional) Enter a Description, "The number of purchases for each product."
Example 4: Purchasing trends
This example uses sparklines to trend the count of purchases made over time.
For stats and chart searches, you can add sparklines to their results tables. Sparklines are inline charts that appear within the search results table and are designed to display time-based trends associated with the primary key of each row.
This example requires the productName field from the fields lookup example. If you did not add the lookup, refer to that example and follow the procedure.
1. Run the following search:
sourcetype=access_* status=200 action=purchase | chart sparkline(count) AS "Purchases Trend" count AS Total by categoryId | rename categoryId AS "Category"
This search uses the chart command to count the number of purchases, action="purchase", made for each product, productName. The difference is that the count of purchases is now an argument of the sparkline() function.
3. Click Save As and select Report.
DASHBOARDS
Dashboards are views that are made up of panels that can contain modules such as search boxes, fields, charts, tables, and lists. Dashboard panels are usually hooked up to saved searches.
After you create a visualization or report, you can add it to a new or existing dashboard using the Save as report dialog box. You can also use the Dashboard Editor to create dashboards and edit existing dashboards. Using the Dashboard editor is useful when you have a set of saved reports that you want to quickly add to a dashboard.
Change dashboard permissions
You can specify access to a dashboard from the Dashboard Editor. However, your user role (and capabilities defined for that role) might limit the type of access you can define.
If your Splunk user role is admin (with the default set of capabilities), then you can create dashboards that are private, visible in a specific app, or visible in all apps. You can also provide access to other Splunk user roles, such as user, admin, and other roles with specific capabilities.
Change dashboard panel visualizations
After you create a panel with the Dashboard Editor, use the Visualization Editor to change the visualization type in the panel, and to determine how that visualization displays and behaves. The Visualization Editor lets you choose from visualization types that have their data structure requirements matched by the search that has been specified for the panel.
Creating dashboards and dashboard panels
Save a search as a dashboard panel
1. Run the following search:
sourcetype=access_* status=200 action=purchase | top categoryId
2. Click the Visualization tab and select the Pie chart type.
3. In the Search view, click Save as and select Dashboard Panel.
The Save as Dashboard Panel dialog box opens.
5. Click Save.
6. Click View Dashboard.
This creates a dashboard with one report panel. To add more report panels, you can run new searches and save them to this dashboard, or you can add saved reports.
View and edit dashboard panels
1. Click Dashboards in the app navigation bar. This takes you to the Dashboards listing page.
You can Create a new dashboard and edit existing dashboards. You see the Buttercup Games Purchases dashboard that you created.
2. Under the i column, click the arrow next to Buttercup Games Purchases to see more information about the dashboard: what app context it is in, whether or not it is scheduled, and its permissions.
You can use the quick links that are inline with the information to edit the dashboard's Schedule and Permissions.
Add an input to the dashboard
1. In the Dashboards list, click Buttercup Games Purchases to return to the saved dashboard.
2. Click Edit and select Edit Panels.
This changes the view so that edit options appear in the panels and modules on the dashboard.
3. Click Add Input and select Time.
Add more panels to the dashboard
Add saved reports to the dashboard
1. Return to the Buttercup Games Purchases dashboard.
2. Click Edit and select Edit Panels.
3. In the Buttercup Games Purchases dashboard editor, click Add Panel.
The Add Panel sidebar menu slides open.
5. Select Purchasing Trends.
This opens a preview of the saved Report.
6. Click Add to Dashboard.
The new panel is placed in the dashboard editor. You can click anywhere to close the Add Panel sidebar menu or choose another report to add to the dashboard.
7. Select the report Comparison of Actions and Conversion Rates by Product and add it to the dashboard.
8. Close the Add Panel sidebar and rearrange the panels on the dashboard.
While in the dashboard editor, you can drag and drop a panel to rearrange it on the dashboard.
9. Click Done.
Your finished dashboard should look like this:
Deployment
Splunk Enterprise and your IT infrastructure
Splunk Enterprise indexes data from the servers, applications, databases, network devices, virtual machines, and so on, that make up your IT infrastructure. As long as the machine that generates the data is a part of your network, Splunk Enterprise can collect the data from machines located anywhere, whether it is local (on-the-premises in a server room), remote (off-the-premises in a datacenter), entirely in the cloud, or a hybrid (such as on-premise and in the cloud).
Most users connect to Splunk Enterprise with a web browser and use Splunk Web to administer their deployment, manage and create knowledge objects, run searches, create pivots and reports, and so on. You can also use the command-line interface to administer your Splunk Enterprise deployment.
Splunk Enterprise Components