Splunk Enterprise
Instructor: Summer Partain
3 Day Course
What is Splunk Enterprise?
A software platform that lets you:
Search data
Analyze data
Visualize data
Index data
Create reports
Create visualizations
Splunk Enterprise Features
There are 7 main features:
1. Indexing: Splunk indexes machine data
2. Data Model: a hierarchically structured dataset
3. Pivot: data visualization using the Pivot Editor
4. Search: the primary way to navigate your data
5. Alerts: actions triggered when a search's conditions are met
6. Reports: saved searches and pivots
7. Dashboards: panels that contain a variety of data
Splunk Enterprise Users
5 main types of users:
1. Administrator
2. Knowledge Manager
3. Search User
4. Pivot User
5. Developer
Splunk Enterprise and your IT Infrastructure
Splunk can collect data from machines located anywhere:
Local
Remote
Cloud
Hybrid
Most users connect to Splunk Enterprise through the web; a command-line interface is also available
Supports a multi-user and distributed product architecture
Splunk Enterprise Components
Apps
Forwarder
Indexer
Receiver
Search Head
Search Peer
Start Splunk Enterprise and Launch Splunk Web
If you run Splunk on a local machine, the Splunk Web interface is at
You will automatically be brought to the home page
If you use an Enterprise License, this login screen appears
Username: admin
Password: changeme (the default; change it after your first login)
Navigating Splunk Web: Splunk Home
You can do two actions on this panel:
1. Click the gear icon to view and manage apps
2. Click the plus icon to browse for more apps
Navigating Splunk Web: Splunk Bar
Use the Splunk Bar to:
1. Switch between apps
2. Manage and edit your Splunk configuration
3. View system-level messages
4. Monitor the progress of search jobs
Navigating Splunk Web: Returning to Home
Click the Splunk logo on the navigation bar
The Settings menu is to the right
Navigating Splunk Web: the User menu and the Messages menu
Navigating Splunk Web: the Activity menu and the Help menu
Navigating Splunk Web: Find
Use Find to search within your Splunk instance
Getting Data Into Splunk Enterprise
Ways to categorize input sources:
1. Files and directories
2. Network events
3. Windows sources
4. Other sources
How to Specify Data Inputs
Ways to define the input sources:
1. Splunk Web
2. Apps
3. Splunk's CLI
4. The inputs.conf configuration file
Where Splunk Stores Data
Index: the Splunk data repository
Indexing is also known as event processing
Events are stored in the index as groups of files:
1. Rawdata
2. Index files
Files are located in directories; buckets are sets of directories
Getting tutorial data into Splunk Enterprise
Download (do not uncompress) the tutorial data file here:
To add the data into Splunk:
1. Make sure you are in Splunk Home
2. Under Explore Splunk Enterprise, select Add Data
3. How do you want to add data?
4. Click Upload
5. Select Source
6. Click Select File
7. Or you can drag and drop your file
8. Click Next to continue to Input Settings
9. Modify the host settings to assign host names
10. Select Segment in path
11. Type in 1
12. Click Review
13. Click Submit
14. Click Start Searching
Using Splunk Search
From Splunk Home, open the Search & Reporting app
Use the search bar to run searches on Splunk Web
Use the time range picker to retrieve events
Use the "How to search" panel to see the Search Tutorial and Search Manual
Use the "What to search" panel to see a summary of your data
The Time Range Picker
Use the time range picker to set time boundaries on searches
Presets
Custom time ranges
Search Actions and Modes
Change the search mode
Save the results
Other search actions
Search Results Tabs
Events
Patterns: patterns can be used to:
View the number of events
See the search that returns events with the pattern
Save the pattern search
Create an alert based on the pattern
Statistics
Visualizations
Searching the Data
1. Click Search in the navigation bar
2. Click Data Summary in the "What to Search" panel
Search Assistant
1. Type "buttercupgames" into the search bar
2. The Search Assistant will open
3. Click the Auto Open option to turn the Search Assistant off
Retrieve events from the index
1. Type in keywords to find errors or failures, and combine them with the Boolean operators AND, OR and NOT
Use Fields to Search
Fields help you specify exactly which events you want to retrieve from the index
What are fields?
A value, or a name and value pair
A single value for each field name; a field can also be multivalued
Searchable name and value pairings that distinguish one event from another
Examples of fields:
clientip for IP addresses
_time for the timestamp
host for the host name or domain name
Extracted Fields
Some fields are extracted when the data is indexed
Splunk extracts further sets of fields when you run a search
Use the Field Extractor to create custom fields
Find and Select Fields
To search for fields use this syntax: fieldname="fieldvalue"
For this example, type in: sourcetype="access_*"
Find and Select Fields
Scroll through the list of events
Find and Select Fields
You can also hide and show the fields sidebar
Find and Select Fields
Click All Fields to open the Select Fields dialog box
Find and Select Fields
Click the action field under Selected Fields
Find and Select Fields
Click on the arrow next to an event to see a list of all fields in that event
Run more targeted searches
Example 1: To search for successful purchases
sourcetype=access_* status=200 action=purchase
Example 2: To search for failed purchases
sourcetype=access_* status!=200 action=purchase
Example 3: To search for general errors
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
Example 4: To search for how many simulation games were purchased yesterday
sourcetype=access_* status=200 action=purchase categoryId=simulation
Use the Search Language
Previously we ran a search to see how many simulation games were purchased:
sourcetype=access_* status=200 action=purchase categoryId=simulation
To find this number for each day of the previous week, we would have to run it against the data for each day
To see which products are more popular than the others, we would have to run the search for each of the categoryId values
Learn with search assistant
Click back on the Search dashboard and restrict the search to Yesterday:
sourcetype=access_* status=200 action=purchase
Learn with search assistant
1. Type a pipe character | into the search bar
2. Click top under "common next commands"
Learn with search assistant
1. Type the categoryId field into the search bar to complete your search:
sourcetype=access_* status=200 action=purchase | top categoryId
2. Run the search
View Reports in the Statistics Tab
The results of the top command appear in the Statistics tab
View and Format Reports in the Visualization Tab
1. Click the Visualization tab
2. Click Column to open the Visualization type selector
View and Format Reports in the Visualization Tab
Select Pie
View and Format Reports in the Visualization Tab
Hover your mouse over each part of the pie to see the values for that categoryId
View and Format Reports in the Visualization Tab
Click on "Strategy" in the pie
Use a subsearch: Example 1, without a subsearch
A subsearch is a search with a search pipeline as an argument
First find the customer with the most purchases:
sourcetype=access_* status=200 action=purchase | top limit=1 clientip
Use a subsearch: Example 1, without a subsearch
Use the stats command to count the VIP customer's purchases (fill in the clientip returned by the top command):
sourcetype=access_* status=200 action=purchase clientip= | stats count, dc(productId) by clientip
Use a subsearch: Example 2, with a subsearch
The bracketed subsearch runs first and its result replaces the manual clientip= filter:
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId), values(productId) by clientip
Use a subsearch: Example 2, with a subsearch
Rename the columns to make the information more understandable:
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID" by clientip | rename clientip AS "VIP Customer"
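As an added example (not part of the course material, and not Splunk's own code), the pipeline above modelled in Python over a handful of constructed events with the tutorial's field names, to show the order of evaluation: the bracketed search runs first, its clientip result becomes a filter on the outer search, and only then does stats run. The helper names (search, top, stats_by_clientip, vip_report) are our own.

```python
from collections import Counter
from fnmatch import fnmatch


def ev(ip, status, product, sourcetype="access_combined"):
    """Build one constructed event with the fields the tutorial searches use."""
    return {"sourcetype": sourcetype, "status": status, "action": "purchase",
            "clientip": ip, "productId": product}


# Constructed sample events, not real tutorial data.
EVENTS = [ev("10.0.0.5", 200, "P1"), ev("10.0.0.5", 200, "P2"),
          ev("10.0.0.5", 200, "P1"), ev("10.0.0.9", 200, "P3"),
          ev("10.0.0.9", 503, "P3"), ev("10.0.0.7", 200, "P4", "secure")]


def search(events, sourcetype="access_*", status=200, action="purchase"):
    """The base search: sourcetype=access_* status=200 action=purchase.
    fnmatch gives the same glob behaviour as the access_* wildcard."""
    return [e for e in events
            if fnmatch(e["sourcetype"], sourcetype)
            and e["status"] == status and e["action"] == action]


def top(events, field, limit=1):
    """| top limit=N field  ->  the N most frequent values of that field."""
    return [v for v, _ in Counter(e[field] for e in events).most_common(limit)]


def stats_by_clientip(events):
    """| stats count, dc(productId), values(productId) by clientip,
    with the renamed column headers from the final search."""
    rows = {}
    for e in events:
        r = rows.setdefault(e["clientip"], {"count": 0, "products": set()})
        r["count"] += 1
        r["products"].add(e["productId"])
    return {ip: {"Total Purchased": r["count"],
                 "Total Products": len(r["products"]),
                 "Products ID": sorted(r["products"])}   # values() is sorted
            for ip, r in rows.items()}


def vip_report(events):
    """Outer search [subsearch] | stats ...: the subsearch is evaluated first."""
    vip_ips = top(search(events), "clientip", limit=1)     # inner search
    outer = [e for e in search(events) if e["clientip"] in vip_ips]
    return stats_by_clientip(outer)


if __name__ == "__main__":
    print(vip_report(EVENTS))
```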