Splunk Ppt satinder singh sandhu

8/15/2019 Splunk Ppt satinder singh sandhu

1/146


2/146

Course-Ware

-> Introduction

-> Splunk Inc

-> Licensing

-> Installation

-> Login

-> Splunk Home-> Getting Data

-> Search Dashboard

-> Data Summary

-> Search Actions and Modes

-> Search Language

-> Using Sub search-> ield Lookups

-> Sa!ing and Sharing "eports

-> More Searches and "eports

-> #reating Dashboards


3/146

INTRODUCTION

Splunk $nterprise is the leading plat%orm %or real-timeoperational intelligence& It's the easy( %ast and secure )ay to search( analy*e and !isuali*e the massi!e streamso% machine data generated by your I+ systems and

technology in%rastructure,physical( !irtual and in thecloud&

+roubleshoot application problems and in!estigatesecurity incidents in minutes instead o% hours or days(a!oid ser!ice degradation or outages( deli!er complianceat lo)er cost and gain ne) business insights


4/146

INTRODUCTION


5/146

INTRODUCTION


6/146

SPLUNK INC.

ounded in ../ and head0uartered in San rancisco( #ali%ornia

Specialties – “Machine Data +o 1perational Intelligence2 3

+he machine data that %acilitates operational intelligence comes in manydi%%erent %rom many di%%erent sources& Splunk is able to collect and inde4 data

%rom many di%%erent sources( including log%iles )ritten by )eb ser!ers or business applications( syslog data streaming in %rom net)ork de!ices( or theoutput o% custom de!eloped scripts&

Searching( monitoring( and analy*ing machine-generated big data( !ia a )eb-styleinter%ace

According to tech target( Splunk is designated as the SI$M o% the year&

+he name 5Splunk5 is a re%erence to e4ploring ca!es( as in spelunking&


7/146

SPLUNK – LICENSING

6ou'll get a Splunk $nterprise REE license %or 7. days and youcan inde4 up to 8.. megabytes o% data per day&

Perpetual a!" Ter# Lice!si!$

+here are t)o options %or licensing Splunk $nterprise9:erpetual license9 this includes the %ull %unctionality o% Splunk$nterprise and starts as lo) as ;


8/146

SPLUNK – LICENSING


9/146

INST%LL%TION

Li!u& installation instructions

tar 4!*% splunkBpackageBname&tg* -# ?opt

Wi!"o's installation instructions

=& +o start the installer( double-click the splunk&msi %ile&& In the Celcome panel( click e4t&

/& In #ustomer In%ormation( enter the re0uested detailsand click e4t&


10/146

INST%LL%TION

(ac OS ) i!stallatio! i!structio!s

=& a!igate to the %older or directory )here the installer is located&

& Double-click on the DMG %ile&

/& Double-click on splunk&pkg&


11/146

Users

About Splunk $nterprise users


12/146

Users

About Splunk $nterprise users


13/146

irst ti#e Lo$i!

+he Splunk inter%ace is )eb-based( )hich means thatno client needs to be installed&

http9??localhost9...

irst time signing credentials

Username 3 admin

:ass)ord - changeme

It is a good idea to change this pass)ord to pre!entun)anted changes to your deployment&


14/146

Splu!* +o#e

%pps

+he Apps panel lists the apps that are installed on your Splunkinstance that you ha!e permission to !ie)& Select the app %rom thelist to open it&

or an out-o%-the-bo4 Splunk $nterprise installation( you see one App in the )orkspace9 Search F "eporting& Chen you ha!e morethan one app( you can drag and drop the apps )ithin the )orkspaceto rearrange them&

6ou can do t)o actions on this panel9- #lick the gear icon to !ie) and manage the apps that areinstalled in your Splunk instance&

- #lick the plus icon to bro)se %or more apps to install&


15/146

Splu!* +o#e

Splunk ar


16/146

Splu!* +o#e

Setti!$s #e!u

+he Settings menu lists the con%iguration pages %or no)ledgeobects( Distributed en!ironment settings( System and licensing(Data( and Authentication settings& I% you do not see some o% these

options( you do not ha!e the permissions to !ie) or edit them&

User #e!u

+he User menu here is called 5Administrator5 because that is thede%ault user name %or a ne) installation& 6ou can change thisdisplay name by selecting $dit account and changing the ullname& 6ou can also edit the time *one settings( select a de%aultapp %or this account( and change the account's pass)ord& +heUser menu is also )here you Logout o% this Splunk installation&


17/146

Splu!* +o#e

(essa$es #e!u

All system-le!el error messages are listed here& Chen thereis a ne) message to re!ie)( a noti%ication displays as acount ne4t to the Messages menu&

%cti,it #e!u

-#lick obs to open the search obs manager )indo)( )here you can !ie) and manage currently running searches&

-#lick +riggered Alerts to !ie) scheduled alerts that are

triggered& +his tutorial does not discuss sa!ing andscheduling alerts&

-#lick System Acti!ity to see Dashboards about user acti!ityand status o% the system&


18/146

GETTING D%T%

A Splunk data repository is called an inde4& During inde4ingJor e!ent processingK( Splunk processes the incoming datastream to enable %ast search and analysis( storing the results inthe inde4 as e!ents&

$!ents are stored in the inde4 as a group o% %iles that %all into t)ocategories9

- "a)data( )hich is the ra) data in a compressed %orm&

- Inde4 %iles and some metadata %iles that point to the ra) data&

+hese %iles reside in sets o% directories( called buckets( organi*ed by age&


19/146

GETTING D%T%


20/146

SE%RC+ D%S+O%RD


21/146

D%T% SU((%R/

+he Data Summary dialogue displays three tabs9 Hosts(Sources( Sourcetypes&

+he host o% an e!ent is the host name( I: address( or%ully 0uali%ied domain name o% the net)ork machine%rom )hich the e!ent originated&

+he source o% an e!ent is the %ile or directory path(net)ork port( or script %rom )hich the e!ent originated&

+he source type o% an e!ent tells you )hat kind o% data itis( usually based on ho) it is %ormatted& +hisclassi%ication lets you search %or the same type o% dataacross multiple sources and hosts&


22/146

D%T% SU((%R/


23/146

+ime "ange :icker

y de%ault( the time range %or a search is set to All time& Chen you search large !olumes o% data( results return %aster )hen yourun the search o!er a smaller time period&

I% one o% the :resets is not )hat you )ant( you can de%ine a

custom time range( such as a "elati!e time range or a Date F+ime "ange&

+o run a search o!er the last t)o hours( use the "elati!e timerange option&


24/146

+ime "ange :icker

or e4ample( to troubleshoot an issue that took placeSeptember /.th at 9


25/146

Search Actions and Modes

#ontrol search ob progress A%ter you launch a search( you can pause it and stopit using the buttons under the search bar& Also( youcan access and manage in%ormation about the

search's ob )ithout lea!ing the Search page&


26/146


#lick ob and choose %rom the a!ailable options there&

- E"it 0o1 setti!$s. Select this option to open the ob Settings dialog bo4( )here you can change the ob's read permissions( e4tend the ob'sli%espan( and get a U"L %or the ob that you can use to share the ob )ith

others or put a link to the ob in your bro)ser's bookmark bar&

- Se!" 0o1 to t2e 1ac*$rou!". Select this option i% the search ob is slo)and you )ant to run the ob in the background )hile you )ork on otherSplunk $nterprise acti!ities Jincluding running a ne) search obK&

- I!spect 0o1. 1pens a separate )indo) and displays in%ormation and

metrics %or the search ob using the Search ob Inspector&- Delete 0o1. Use this option to delete a ob that is running( is paused( or

)hich has %inali*ed& A%ter you delete the ob( you can sa!e the search as areport&


27/146


+he Search mode controls the search e4perience& 6ou canset it to speed up searches by cutting do)n on the e!entdata it returns Jast modeK( or you can set it to return as

much e!ent in%ormation as possible Jerbose modeK& InSmart mode Jthe de%ault settingK it toggles search beha!ior based on the type o% search you're running&


28/146


Sa!e the results

+he Sa!e as menu lists options %or sa!ing the results

o% a search as a "eport( Dashboard :anel( Alert(and $!ent type&


29/146


1ther search actions

- +he S2are options shares the search ob& +his

option e4tends the ob's li%etime to se!en days andset the read permissions to $!eryone&

- +he E&port option e4ports the results& Select thisoption to output to #S( ra) e!ents( NML( or S1

and speci%y the number o% results to e4port&- +he Pri!t option sends the results to a printer that

has been con%igured&


30/146


Search "esults +abs

I% your search retrie!es e!ents( you can !ie) the results in the $!ents taband the :atterns tab( but not in the other tabs& I% your search includestrans%orming commands( you can !ie) the results in the Statistics and isuali*ation tabs&


31/146


$!ents - +he key)ord search used in this screenshotretrie!es e!ents and populates the $!ents results tab&


32/146


+he $!ents tab displays the timeline o% e!ents( the%ields sidebar( and the e!ents !ie)er& +o change thee!ent !ie)( use the List and ormat options& yde%ault( the e!ents appear as a list that is orderedstarting )ith the most recent e!ent& In each e!ent(the matching search terms are highlighted&


33/146


Ti#eli!e o3 e,e!ts4 A !isual representation o% thenumber o% e!ents that occur at each point in time& Asthe timeline updates )ith your search results( youmight notice clusters or patterns o% bars& +he heighto% each bar indicates the count o% e!ents& :eaks or !alleys in the timeline can indicate spikes in acti!ityor ser!er do)ntime& +hus( the timeline highlightspatterns o% e!ents or in!estigates peaks and lo)s ine!ent acti!ity& +he timeline options are located abo!ethe timeline& 6ou can *oom in( *oom out( and changethe scale o% the chart&


34/146


Ti#eli!e o3 e,e!ts4 A !isual representation o% thenumber o% e!ents that occur at each point in time& Asthe timeline updates )ith your search results( youmight notice clusters or patterns o% bars& +he heighto% each bar indicates the count o% e!ents& :eaks or !alleys in the timeline can indicate spikes in acti!ityor ser!er do)ntime& +hus( the timeline highlightspatterns o% e!ents or in!estigates peaks and lo)s ine!ent acti!ity& +he timeline options are located abo!ethe timeline& 6ou can *oom in( *oom out( and changethe scale o% the chart&


35/146


iel"s si"e1ar9 Chen you inde4 data( Splunk by de%aulte4tracts in%ormation %rom your data that is %ormatted asname and !alue pairs( )hich )e call %ields& Chen you run asearch( Splunk lists all o% the %ields it disco!ers in the %ields

sidebar ne4t to your search results& 6ou can select other %ieldsto sho) in your e!ents& Also( you can hide this sidebar andma4imi*e the results area&

Selected %ields are set to be !isible in your search results& yde%ault( host( source( and sourcetype appear&

Interesting %ields are other %ields that Splunk has e4tracted%rom your search results&


36/146


Patter!s

+he :atterns tab simpli%ies e!ent pattern detection& It displaysa list o% the most common patterns among the set o% e!entsreturned by your search& $ach o% these patterns represents a

number o% e!ents that all share a similar structure& /ou ca! clic* o! a patter! to4 ie) the appro4imate number o% e!ents in your results that %it

the pattern& See the search that returns e!ents )ith this pattern& Sa!e the pattern search as an e!ent type( i% it 0uali%ies& #reate an alert based on the pattern&


37/146


Statistics+he Statistics tab populates )hen you run a search )ith

trans%orming commands such as stats( top( chart( andso on& +he pre!ious key)ord search %or5buttercupgames5 does not display any results in thistab because it does not ha!e any trans%ormingcommands&

Cith a trans%orming search( such as one to %ind thepopular categories o% items sold on the uttercupGames online store( the Statistics tab displays a table o%results&


38/146



39/146


5isuali6atio!s

+rans%orming searches also populate the isuali*ation tab& +he resultsarea o% the isuali*ations tab includes a chart and the statistics tableused to generated the chart& y de%ault( the !isuali*ation type isthe #olumnchart&


40/146

Start Searching

Retrie,e e,e!ts 3ro# t2e i!"e& =& +ype in key)ords to %ind errors or %ailures and use oolean

operators9 AD( 1"( 1+&

$NAM:L$9 buttercupgames Jerror 1" %ail@ 1" se!ereK

oolean operators need to be capitali*ed& +he AD directi!e is implied bet)een terms( so you do not need to )rite it& 6ou can use parenthesesto group terms& Chen e!aluating boolean e4pressions( precedence isgi!en to terms inside parentheses& AD or 1+ clauses are e!aluated be%ore 1" clauses& +he asterisk )ildcard is used to match terms thatstart )ith 5%ail5& +hese terms can include9 %ailure( %ailed( and so on&


41/146

Start Searching

Use 3iel"s to searc2

ields e4ist in machine data in many %orms& 1%ten( a %ield is a !alue J)ith a%i4ed( delimited position on the lineK or a name and !alue pair( )here there is asingle !alue to each %ield name& A %ield can be multi!alued( that is( it can appear

more than once in an e!ent and has a di%%erent !alue %or each appearance& Some e4amples o% %ields are clientip %or I: addresses accessing your Ceb

ser!er( Btime %or the timestamp o% an e!ent( and host %or domain name o% aser!er& 1ne o% the more common e4amples o% multi!alue %ields is email address%ields& Chile the rom %ield )ill contain only a single email address(the +o and #c %ields ha!e one or more email addresses associated )ith them&

In Splunk $nterprise( %ields are searchable name and !alue pairings thatdistinguish one e!ent %rom another because not all e!ents )ill ha!e the same%ields and %ield !alues& ields let you )rite more tailored searches to retrie!e thespeci%ic e!ents that you )ant&


42/146

Start Searching

i!" a!" select 3iel"s S$A"#H A"9 sourcetypeO5accessB@P

Search %or %ields use the synta49 %ieldnameO5%ield!alue5 & ield names are casesensiti!e( but %ield !alues are not& 6ou can use )ildcards in %ield !alues& Quotes arere0uired )hen the %ield !alues include spaces&

+his search indicates that you )ant to retrie!e only e!ents %rom your )eb access logs

and nothing else&

+his search uses the )ildcard accessB@ to match any Apache )eb access sourcetype( )hich can be accessBcommon( accessBcombined( or accessBcombinedB)cookie&

I! t2e E,e!ts ta17 scroll t2rou$2 t2e list o3 e,e!ts.

- I% you are %amiliar )ith the accessBcombined %ormat o% Apache logs( you recogni*esome o% the in%ormation in each e!ent( such as9

- I: addresses %or the users accessing the )ebsite&

- U"Is and U"Ls %or the pages re0uested and re%erring pages&

- H++: status codes %or each page re0uest&

- G$+ or :1S+ page re0uest methods&


43/146

Start Searching


44/146

Start Searching

Select action( categoryId( and productId and close the Select ields )indo)&+he three %ields appear under Selected ields in the sidebar& +he selected %ieldsappear under the e!ents in your search results i% they e4ist in that particulare!ent& $!ery e!ent might not ha!e the same %ields&


45/146

Start Searching

Under Selected ields( click the action %ield& +his opens the %ield summary %or the action %ield&


46/146

Start Searching

Ru! #ore tar$ete" searc2es E&a#ple84 Search %or success%ul purchases %rom the uttercup Games store&

sourcetypeOaccessB@ statusO.. actionOpurchase

6ou can search %or %ailed purchases in a similar manner using statusRO..( )hich looks %or all e!ents )here the H++: status code is not e0ual to ..&

sourcetypeOaccessB@ statusRO.. actionOpurchase

E&a#ple 94 Search %or general errors&

Jerror 1" %ail@ 1" se!ereK 1" JstatusO


47/146

Use +he Search Language

+he searches you ha!e run to this point ha!e retrie!ed e!ents %rom your Splunkinde4& 6ou )ere limited to asking 0uestions that could only be ans)ered by thenumber o% e!ents returned&

or e4ample( )e can run this search to see ho) many simulation games )erepurchased9

sourcetypeOaccessB@ statusO.. actionOpurchase categoryIdOsimulation

+o %ind this number %or the days o% the pre!ious )eek( you ha!e to run it againstthe data %or each day o% that )eek& +o see )hich products are more popularthan the other( you ha!e to run the search %or each o% the eightcategoryId !aluesand compare the results&


48/146


Lear! 'it2 searc2 assista!t Here )e are going to talk about the search assistant to learn about the Splunksearch processing language and construct searches&

"eturn to the search dashboard and restrict your search to 6esterday9

sourcetypeOaccessB@ statusO.. actionOpurchase

As you type in the search bar( search assistant opens )ith synta4 and usagein%ormation %or the search command Jon the right sideK& I% search assistantdoesn't open( click the do)n arro) under the le%t side o% the search bar& 6ou'!eseen be%ore that search assistant displays typeahead %or key)ords that you typeinto the search bar& It also e4plains brie%ly ho) to search&


49/146



50/146


Tpe a pipe c2aracter7 ; < ;7 i!to t2e searc2 1ar.

+he pipe indicates to Splunk that you're about to use a command( and that you )ant to use the results o% the search to the le%t o% the pipe as the input to thiscommand& 6ou can pass the results o% one command into another command in

a series( or pipeline( o% search commands&


51/146



52/146


6ou )ant Splunk to gi!e you the most popular items bought at the online store&


53/146


+ype the categoryId %ield into the search bar to complete your search& sourcetypeOaccessB@ statusO.. actionOpurchase top categoryId

5ie' reports i! t2e Statistics ta1

+he results o% a search are reports& +he top command is a trans%orming

command and returns a tabulated report %or the most common !alueso% categoryId& 6ou can !ie) the results o% trans%orming searches inthe Statistics tab&


54/146



55/146


ie) and %ormat reports in the isuali*ation tab 6ou can also !ie) the results o% trans%orming searches in the isuali*ations tab )here you can %ormat the chart type&


56/146


SELECT PIE


57/146


Mouse o!er each slice o% the pie to see the count and percentage !alues %or eachcategoryId&


58/146



59/146

Use a Subsearch

+his topic )alks you through e4amples o% correlating e!ents )ith subsearches&

A subsearch is a search )ith a search pipeline as an argument& Subsearches arecontained in s0uare brackets and e!aluated %irst& +he result o% the subsearch is thenused as an argument to the primary( or outer( search&

$4ample =9 Cithout a subsearch

Let's try to %ind the single most %re0uent shopper on the uttercup Games online storeand )hat this customer has purchased&

+o do this( search %or the customer )ho accessed the online shop the most&

=& Use the top command9

sourcetypeOaccessB@ statusO.. actionOpurchase top limitO= clientip

Limit the top command to return only one result %or the clientip& +o see more than one5top purchasing customer5( change this limit !alue&


60/146

Use a Subsearch

+his search returns one clientip !alue( )hich )e'll use to identi%y our I:customer&


61/146

Use a Subsearch

Use the stats command to count this I: customer's purchases9

sourcetypeOaccessB@ statusO.. actionOpurchase clientipOT&=


62/146

Use a Subsearch

+he dra)back to this approach is that you ha!e to run t)o searches each time you )ant to build this table& +he top purchaser is not likely to be the sameperson at any gi!en time range&

Hence )e induce the concept o% SUS$A"#H RR


63/146

Use a Subsearch

E&a#ple 94 Wit2 a su1searc2

sourcetypeOaccessB@ statusO.. actionOpurchase searchsourcetypeOaccessB@ statusO.. actionOpurchase top limitO= clientip tableclientipV stats count( dcJproductIdK( !aluesJproductIdK by clientip

Here( the subsearch is the segment that is enclosed in s0uare brackets( V& +hissearch( search sourcetypeOaccessB@ statusO.. actionOpurchase top limitO=clientip table clientip is the same as $4ample = Step =( e4cept %or the last pipedcommand( table clientip

ecause the top command returns count and percent %ields as )ell(

the table command is used to keep only the clientip !alue&


64/146


65/146

Use a Subsearch

"ename the columns to make the in%ormation more understandable&

sourcetypeOaccessB@ statusO.. actionOpurchase searchsourcetypeOaccessB@ statusO.. actionOpurchase top limitO= clientip tableclientipV stats count AS 5+otal :urchased5( dcJproductIdK AS 5+otal :roducts5( !aluesJproductIdK AS 5:roducts ID5 by clientip rename clientip AS 5I:#ustomer5

b h


66/146

Use a Subsearch

i ld k


67/146

Use ield Lookups

+his topic takes you through using %ield lookups to add ne) %ields to youre!ents& ield lookups let you re%erence %ields in an e4ternal #S %ile that match%ields in your e!ent data& Using this match( you can enrich your e!ent data byadding more meaning%ul in%ormation and searchable %ields to each e!ent&

i ld k


68/146

Use ield Lookups

U i ld L k


69/146

Use ield Lookups

U i ld L k


70/146

Use ield Lookups

Upload the lookup table %ile=& In the Lookups manager under 5Actions5 %or Lookup table %iles( click Add ne)&

+his takes you to the Add ne)' lookup table %iles !ie) )here you upload #S%iles to use in your de%initions %or %ield lookups&

U i ld L k


71/146

Use ield Lookups

& +o sa!e your lookup table %ile in the Search app( lea!e the Destination app assearch&

/& Under Upload a lookup %ile( bro)se %or the #S %ile Jprices&cs!K to upload&


72/146

Use ield Lookups

S2are t2e loo*up ta1le 3ile $lo1all I% the lookup %ile is not shared( you can not select it )hen you de%ine the lookup&

=& Go to the Lookup table %iles list&

& Under Sharing %or the prices&cs! lookup table's :ath( click :ermissions&

+his opens the :ermission dialog bo4 %or the prices&cs! lookup %ile&

/& Under 1bect should appear in( select All apps&


73/146

Use ield Lookups

%"" t2e 3iel" loo*up "e3i!itio!%"" t2e 3iel" loo*up "e3i!itio!=& "eturn to the Lookups manager&

& Under Actions %or Lookup de%initions( click Add e)&

+his takes you to the Add ne) lookups de%initions !ie) )here you de%ine your%ield lookup&

U i ld L k


74/146

Use ield Lookups

/& Lea!e the Destination app as search&


75/146

Use ield Lookups

Share the lookup de%inition )ith all apps=& "eturn to the Lookup de%initions list&

& Under Sharing %or pricesBlookup( click :ermissions&

+he :ermission dialog bo4 %or the prices&lookup opens&

/& Under 1bect should appear in( select All apps&


76/146

Use ield Lookups

(a*e t2e loo*up auto#atic=& In the Lookups manager( under Actions %or Automatic lookups( click Add

e)& +his takes you to the Add e) automatic lookups !ie) )here you con%igure the lookup to run automatically&

U i ld L k


77/146

Use ield Lookups

& Lea!e the Destination app as search&/& ame your automatic lookup priceBlookup&


78/146

Use ield Lookups

T& Under Lookup output %ields( type in the name o% the %ields that you )ant to add to youre!ent data based on the input %ield matching and rename the %ields&

T&= In the %irst te4t area( type productBname( )hich contains the descripti!e name %oreach productId&

T&& In the second te4t area( a%ter the e0ual sign( type productame& +his renames the%ield to productame&

T&/& #lick Add another %ield to add more %ields a%ter the %irst one&

T&


79/146

Use ield Lookups

+his returns you to the list o% automatic lookups and you should see your con%igured lookup&

Use ield Lookups


80/146

Use ield Lookups

Sho) the ne) %ields in your search results=& "eturn to Search&

& "un the search %or )eb access acti!ity&

sourcetypeOaccessB@

/& Scroll through the list o% Interesting ields in the %ields sidebar( and %ind the price %ield&


81/146

Use ield Lookups

8& e4t to Selected( click 6es&7& #lose the dialog bo4&

+he price %ield appears under Selected ields in the %ields sidebar&

T& "epeat Steps / to 8 %or the productame %ield&

Use ield Lookups


82/146

Use ield Lookups

Searc2 'it2 t2e !e' loo*up 3iel"s

=& #opy and paste or type in the pre!ious subsearch e4ample to see )hat the I: customer bought& +his time( replace the productId %ield )ith productame&

sourcetypeOaccessB@ statusO.. actionOpurchase search sourcetypeOaccessB@

statusO.. actionOpurchase top limitO= clientip table clientipV stats count AS 5+otal:urchased5( dcJproductIdK AS 5+otal :roducts5( !aluesJproductameK AS 5:roductames5 by clientip rename clientip AS 5I: #ustomer5

+he result is the same as in the pre!ious subsearch e4ample( e4cept that the I: customer's

purchases are more meaning%ul )ith the added descripti!e product names&

Use ield Lookups


83/146

Use ield Lookups

Sa!ing and Sharing "eports


84/146


Sa!e as a report=& Select the time range 6esterday and run the subsearch

sourcetypeOaccessB@ statusO.. actionOpurchase search sourcetypeOaccessB@statusO.. actionOpurchase top limitO= clientip table clientipV stats count AS 5+otal:urchased5( dcJproductIdK AS 5+otal :roducts5( !aluesJproductameK AS 5:roductames5 by clientip rename clientip AS 5I: #ustomer5

& +o sa!e it as a report( click Sa!e as abo!e the search bar and select "eport&



85/146


/& $nter a +itle I: #ustomer&


86/146


+here are other options in this )indo)&

#ontinue $diting lets you re%ine the search and report %ormat&

Add to dashboard lets you add the report to a ne) or e4isting dashboard&

ie) lets you !ie) the report&



87/146


& #lick ie)&



88/146


5ie' a!" e"it sa,e" reports 6ou can !ie) and edit the sa!ed report %rom its report !ie)&

=& In the report !ie) %or 5I: #ustomer5( click $dit&

6ou can open the report in the search !ie) and edit the sa!ed search's description(permissions( schedule( and acceleration& 6ou can also clone( embed( and delete the report %romthis menu&



89/146


9. Clic* (ore I!3o.

6ou can !ie) and edit di%%erent properties o% the report( including its schedule(acceleration( permissions( and embedding&



90/146


/& Look at the time range picker( located to the top le%t& 6ou sa!ed this report )ith a time range picker& +he time range picker

lets you change the time period to run this search& or e4ample( you canuse this time range picker to run this search %or the I: #ustomer Ceekto date( Last 7. minutes( Last < hours ust by selecting the :reset time

range or de%ining a custom time range&



91/146


ind and share sa!ed reports 6ou can access your sa!ed reports using the app na!igation bar&

=& #lick "eports to open the "eports listing page&



92/146


Chen you sa!e a ne) report( its :ermissions are set to :ri!ate& +his means that only youcan !ie) and edit the report& 6ou can allo) other apps to !ie)( or edit( or !ie) and editthe reports by changing its :ermissions&

=& Under Actions %or the I: #ustomer report( click $dit and select $dit :ermissions&

+his opens the $dit :ermissions dialog bo4&



93/146


& In the $dit :ermissions dialog bo4( set Display or to App and check the bo4under "ead %or $!eryone&

+his action gi!es e!eryone )ho has access to this app the permission to !ie) it&

/& #lick Sa!e&



94/146


ack at the "eports listing page( you see that the Sharing %or I: #ustomer no) reads App&

More Searches and "eports


95/146


E&a#ple 84 Co#pare cou!ts o3 user actio!sIn this e4ample( calculate the number o% !ie)s( purchases( and adds to cart %or each typeo% product& +his report re0uires the productame %ield %rom the %ields lookup e4ample& I% you did not add the lookup( re%er to that e4ample and %ollo) the procedure&

=& "un this search9

sourcetypeOaccessB@ statusO.. chart count AS !ie)s countJe!alJactionO5addtocart5KK AS addtocart countJe!alJactionO5purchase5KK AS purchases by productame renameproductame AS 5:roduct ame5( !ie)s AS 5ie)s5( addtocart AS 5Adds to #art5(purchases AS 5:urchases5



96/146


+his search uses the chart command to count the number o% e!ents thatare actionOpurchase andactionOaddtocart&


http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Charthttp://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Charthttp://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Chart


97/146


& Use the isuali*ation !ie) options to %ormat the results as a column chart&



98/146


$4ample 9 1!erlay Actions and #on!ersion "ates on one chart

=& "un this search9

sourcetypeOaccessB@ statusO.. stats count AS !ie)s countJe!alJactionO5addtocart5KK AS addtocart countJe!alJactionO5purchase5KK AS purchases by productame e!al

!ie)s+o:urchaseOJpurchases?!ie)sK@=.. e!alcart+o:urchaseOJpurchases?addtocartK@=.. table productame !ie)s addtocartpurchases !ie)s+o:urchase cart+o:urchase rename productame AS 5:roduct ame5 !ie)s AS 5ie)s5( addtocart as 5Adds +o #art5( purchases AS 5:urchasesP

Instead o% the chart command( this search uses the stats command to count the useractions& +hen( it uses the e!al command to de%ine t)o ne) %ields )hich calculatecon!ersation rates %or 5:roduct ie)s to :urchases5 and 5Adds to cart to :urchases5&



99/146




100/146


Steps to 7 re%ormat the !isuali*ation to o!erlay the #on!ersion series onto the Actionsseries&

9. Clic* 5isuali6atio!.

+his is the same chart as in $4ample =( )ith t)o additional series( 5!ie)s+o:urchase5 and5cart+o:urchase5&



101/146


/& #lick ormat and N-A4is&

/&= "otate the label -


102/146

o e Sea c es a d epo ts


103/146

p

8& #lick ormat and #hart 1!erlay&



104/146

p

8&= +ype in or select the %ields( 5!ie)s+o:urchase5 and 5cart+o:urchase5& 8& or ie) as A4is( click 1n&

8&/ or +itle( choose #ustom and type in #on!ersion "ates&

8&< or Scale( choose Linear&

8&8 Set the Ma4 alue to =.. and the Inter!al to .&

8&7 #lick Apply&



105/146

p

7& #lick Sa!e As and select "eport&

7&= In the Sa!e "eport As dialog bo4( enter a +itle( 5#omparison o% Actions and#on!ersion "ates by :roduct5&

7& J1ptionalK $nter a Description( 5+he number o% times a product is !ie)ed( added tocart( and purchased and the rates o% purchases %rom these actions&5



106/146

p

T& #lick Sa!e&



107/146

p

E&a#ple :4 Pro"ucts purc2ase" o,er ti#e

or this report( chart the number o% purchases that )ere completed %or each item&

+his report re0uires the productame %ield %rom the %ields lookup e4ample& I% you didn't addthe lookup( re%er to that e4ample and %ollo) the procedure&

=& Search %or9sourcetypeOaccessB@ timechart countJe!alJactionO5purchase5KK by productameusenullO5%5 useotherO5%5

Use the countJK %unction to count the number o% e!ents that ha!e the%ield actionOpurchase& Use the usenulland useother arguments to make sure the chart

counts e!ents that ha!e a !alue %or productame&+his produces the %ollo)ing statistics table&



108/146

p


109/146



110/146

p

/& #lick Sa!e As and select "eport

/&= In the Sa!e "eport As dialog bo4( enter a +itle( 5:roduct :urchases o!er +ime5&

/& J1ptionalK $nter a Description( 5+he number o% purchases %or each product&5



111/146

p


112/146

p

E&a#ple =4 Purc2asi!$ tre!"s+his e4ample uses sparklines to trend the count o% purchases made o!er time&

or stats and chart searches( you can add sparklines to their results tables& Sparklines areinline charts that appear )ithin the search results table and are designed to display time- based trends associated )ith the primary key o% each ro)&

+his e4ample re0uires the productame %ield %rom the %ields lookup e4ample& I% you didnot add the lookup( re%er to that e4ample and %ollo) the procedure&

=& "un the %ollo)ing search9

sourcetypeOaccessB@ statusO.. actionOpurchase chart sparklineJcountK AS 5:urchases+rend5 count AS +otal by categoryId rename categoryId AS 5#ategory5



113/146

+his search uses the chart command to count the number o%purchases( actionO5purchase5( made %or each product( productame& +he di%%erence isthat the count o% purchases is no) an argument o% the sparklineJK%unction&



114/146

+his search uses the chart command to count the number o%purchases( actionO5purchase5( made %or each product( productame& +he di%%erence isthat the count o% purchases is no) an argument o% the sparklineJK%unction&



115/146

/& #lick Sa!e As and select "eport&


116/146

Dashboards are !ie)s that are made up o% panels that can contain modules such as search bo4es( %ields( charts( tables( and lists& Dashboard panels are usually hooked up to sa!edsearches&

A%ter you create a !isuali*ation or report( you can add it to a ne) or e4isting dashboard

using the Sa!e as report dialog bo4& 6ou can also use the Dashboard $ditor to createdashboards and edit e4isting dashboards& Using the Dashboard editor is use%ul )hen youha!e a set o% sa!ed reports that you )ant to 0uickly add to a dashboard&

DASH1A"DS


117/146

C2a!$e "as21oar" per#issio!s 6ou can speci%y access to a dashboard %rom the Dashboard $ditor& Ho)e!er( your user

role Jand capabilities de%ined %or that roleK might limit the type o% access you can de%ine&

I% your Splunk user role is admin J)ith the de%ault set o% capabilitiesK( then you can createdashboards that are pri!ate( !isible in a speci%ic app( or !isible in all apps& 6ou can alsopro!ide access to other Splunk user roles( such as user( admin( and other roles )ithspeci%ic capabilities&

C2a!$e "as21oar" pa!el ,isuali6atio!s

A%ter you create a panel )ith the Dashboard $ditor( use the isuali*ation $ditor to changethe !isuali*ation type in the panel( and to determine ho) that !isuali*ation displays and beha!es& +he isuali*ation $ditor lets you choose %rom !isuali*ation types that ha!e theirdata structure re0uirements matched by the search that has been speci%ied %or the panel&

DASH1A"DS


118/146

Creati!$ "as21oar"s a!" "as21oar" pa!els

DASH1A"DS


119/146

Sa,e a searc2 as a "as21oar" pa!el=& "un the %ollo)ing search9

sourcetypeOaccessB@ statusO.. actionOpurchase top categoryId

DASH1A"DS


120/146

& #lick the isuali*ation tab and select the :ie chart type&

DASH1A"DS


121/146

/& In the Search !ie)( click Sa!e as and select Dashboard :anel&

DASH1A"DS


122/146

/& In the Search !ie)( click Sa!e as and select Dashboard :anel&

+he Sa!e as Dashboard :anel dialog bo4 opens&

DASH1A"DS


123/146


124/146


125/146

8& #lick Sa!e&

DASH1A"DS


126/146

7& #lick ie) Dashboard&

+his creates a dashboard )ith one report panel& +o add more report panels( you can run ne)searches and sa!e them to this dashboard( or you can add sa!ed reports&

DASH1A"DS


127/146

ie) and edit dashboard panels

DASH1A"DS


128/146

=& #lick Dashboards in the app na!igation bar&+his takes you to the Dashboards listing page&

6ou can #reate a ne) dashboard and edit e4isting dashboards& 6ou see the uttercup

Games :urchasesdashboard that you created&

DASH1A"DS


129/146

& Under the i column( click the arro) ne4t to uttercup Games :urchases to see morein%ormation about the dashboard9 Chat app conte4t it is in( )hether or not it isscheduled( and its permissions&

DASH1A"DS


130/146

& Under the i column( click the arro) ne4t to uttercup Games :urchases to see morein%ormation about the dashboard9 Chat app conte4t it is in( )hether or not it isscheduled( and its permissions&

6ou can use the 0uick links that are inline )ith the in%ormation to edit the dashboard'sSchedule and :ermissions&

DASH1A"DS


131/146

%"" a! i!put to t2e "as21oar"

=& In the Dashboards list( click uttercup Games :urchases to return to the sa!eddashboard&

& #lick $dit and select $dit :anels&

DASH1A"DS


132/146

+his changes the !ie) so that edit options appear in the panels and modules on thedashboard&

DASH1A"DS


133/146

/& #lick Add Input and select +ime&


134/146

ASH1A"DS


135/146

%"" #ore pa!els to t2e "as21oar"

DASH1A"DS


136/146

Add sa!ed reports to the dashboard

=& "eturn to the uttercup Games :urchases dashboard&

DASH1A"DS


137/146

& #lick $dit and select $dit :anels&

DASH1A"DS


138/146

/& In the uttercup Games :urchases dashboard editor( click Add :anel&

DASH1A"DS


139/146

+he Add :anel sidebar menu slides opens&


140/146

DASH1A"DS


141/146

8& Select :urchasing +rends&

+his opens a pre!ie) o% the sa!ed "eport&

DASH1A"DS


142/146

7& #lick Add to Dashboard&

+he ne) panel is placed in the dashboard editor& 6ou can click any)here to close the Add:anel sidebar menu or choose another report to add to the dashboard&

T& Select the report #omparison o% Actions and #on!ersion "ates by :roduct and add it tothe dashboard&

DASH1A"DS


143/146

& #lose the Add :anel sidebar and rearrange the panels on the dashboard&

Chile in the dashboard editor( you can drag and drop a panel to rearrange it on thedashboard&

DASH1A"DS


144/146

& #lick Done&

6our %inished dashboard should look like this9

Deployment


145/146

Splu!* E!terprise a!" our IT i!3rastructure

Splunk $nterprise inde4es data %rom the ser!ers( applications( databases( net)orkde!ices( !irtual machines( and so on( that make up your I+ in%rastructure& As long as themachine that generates the data is a part o% your net)ork( Splunk $nterprise can collectthe data %rom machines located any)here( )hether it is local Jon-the-premises in a ser!erroomK( remote Jo%%-the-premises in a datacenterK( entirely in the cloud( or a hybrid Jsuchas on-premise and in the cloudK&

Most users connect to Splunk $nterprise )ith a )eb bro)ser and use Splunk Ceb toadminister their deployment( manage and create kno)ledge obects( run searches( createpi!ots and reports( and so on& 6ou can also use the command-line inter%ace to administer your Splunk $nterprise deployment&

Splunk $nterprise #omponents


146/146

Documents

Splunk Ppt satinder singh sandhu