Splunk Enterprise Instructor: Summer Partain 3 Day Course.


1 Splunk Enterprise Instructor: Summer Partain 3 Day Course

2 What is Splunk Enterprise?
Software platform that lets you:
- Search data
- Analyze data
- Visualize data
- Index data
- Create reports
- Create visualizations

3 Splunk Enterprise Features
There are 7 main features:
1. Indexing – Splunk indexes machine data
2. Data Model – a hierarchically structured dataset
3. Pivot – data visualization using the Pivot Editor
4. Search – the primary way of navigating your data
5. Alerts – fire when their trigger conditions are met
6. Reports – saved searches and pivots
7. Dashboards – panels that contain a variety of data

4 Splunk Enterprise Users
5 main types of users:
1. Administrator
2. Knowledge Manager
3. Search User
4. Pivot User
5. Developer

5 Splunk Enterprise and your IT Infrastructure
- Splunk can collect data from machines located anywhere:
  - Local
  - Remote
  - Cloud
  - Hybrid
- The majority of users connect to Splunk Enterprise through the web
- A command-line interface is also available
- Supports a multi-user and distributed product architecture

6 Splunk Enterprise Components
- Apps
- Forwarder
- Indexer
- Receiver
- Search Head
- Search Peer

7 Start Splunk Enterprise and Launch Splunk Web
If you run Splunk on a local machine, the Splunk Web interface is at http://localhost:8000
You will automatically be brought to the home page
If you use an Enterprise license, this login screen appears:
Username: admin
Password: changeme

8 Navigating Splunk Web: Splunk Home
You can do two actions on this panel:
1. Click the gear icon to view and manage apps
2. Click the plus icon to browse for more apps

9 Navigating Splunk Web: Splunk Bar
Use the Splunk Bar to:
1. Switch between apps
2. Manage and edit your Splunk configuration
3. View system-level messages
4. Monitor the progress of search jobs

10 Navigating Splunk Web: Returning to Home
Click the Splunk logo on the navigation bar. The Settings menu is shown to the right.

11 Navigating Splunk Web: the User menu and the Messages menu

12 Navigating Splunk Web: the Activity menu and the Help menu

13 Navigating Splunk Web: use Find to search within your Splunk instance

14 Getting Data Into Splunk Enterprise
Ways to categorize input sources:
1. Files and directories
2. Network events
3. Windows sources
4. Other sources

15 How to Specify Data Inputs
Ways to define the input sources:
1. Splunk Web
2. Apps
3. Splunk's CLI
4. The inputs.conf configuration file

16 Where Splunk Stores Data
- Index: the Splunk data repository
- Indexing is also known as event processing
- Events are stored in the index as groups of files:
  1. Raw data
  2. Index files
- The files are located in directories
- Buckets are sets of directories

17 Getting tutorial data into Splunk Enterprise
Download (do not uncompress) the tutorial data file here: http://docs.splunk.com/images/Tutorial/tutorialdata.zip
To add the data into Splunk:
1. Make sure you are in Splunk Home
2. Under Explore Splunk Enterprise, select Add Data

18 Getting tutorial data into Splunk Enterprise
3. Answer "How do you want to add data?"
4. Click Upload
5. Select the source
6. Click Select File, or drag and drop your file

19 Getting tutorial data into Splunk Enterprise
7. Click Next to continue to Input Settings
8. Modify the host settings to assign host names
9. Select Segment in path
10. Type in 1

20 Getting tutorial data into Splunk Enterprise
11. Click Review

21 Getting tutorial data into Splunk Enterprise
12. Click Submit

22 Getting tutorial data into Splunk Enterprise
13. Click Start Searching

23 Using Splunk Search
From Splunk Home, open the Search & Reporting app (listed under Apps)

24 Using Splunk Search
- Use the search bar to run searches in Splunk Web
- Use the time range picker to retrieve events from a given period
- Use the "How to search" panel to open the Search Tutorial and Search Manual
- Use the "What to search" panel to see a summary of your data

25 Using Splunk Search


29 The Time Range Picker
Use the time range picker to set time boundaries on searches

30 The Time Range Picker: Presets

31 Custom Time Ranges


33 Search Actions and Modes

34 Search Actions and Modes
- Change the search mode
- Save the results
- Other search actions

35 Search Results Tabs

36 Events

37 Patterns
Patterns can be used to:
- View the number of events
- See the search that returns the events with a pattern
- Save the pattern search
- Create an alert based on a pattern

38 Statistics


40 Visualizations


42 Searching the Data
1. Click Search in the navigation bar
2. Click Data Summary in the "What to Search" panel

43 Search Assistant
1. Type "buttercupgames" into the search bar
2. The Search Assistant will open
3. Click the Auto Open option to turn the Search Assistant off

44 Retrieve events from the index
1. Type in keywords to find errors or failures, and combine them with the Boolean operators AND, OR and NOT

45 Use Fields to Search
Fields help you specify exactly which events you want to retrieve from the index

46 What are fields?
- A value, or a name and value pair
- Each field name carries a single value
- A field can be multivalued
- Searchable name and value pairings that distinguish one event from another
- Examples of fields:
  - clientip for IP addresses
  - _time for the timestamp
  - host for the domain name
  - Email address fields

47 Extracted Fields
- Some fields are extracted when the data is indexed
- Splunk extracts further sets of fields when you run a search
- Use the Field Extractor to create custom fields

48 Find and Select Fields
To search on a field, use this syntax: fieldname="fieldvalue"
For this example, type in: sourcetype="access_*"

49 Find and Select Fields
Scroll through the list of events

50 Find and Select Fields
You can also hide and show the fields sidebar

51 Find and Select Fields
Click All Fields; the Select Fields dialog box opens

52 Find and Select Fields

53 Find and Select Fields
Click the action field under Selected Fields

54 Find and Select Fields
Click the arrow next to an event to see a list of all fields in that event

55 Run more targeted searches
Example 1: To search for successful purchases
sourcetype=access_* status=200 action=purchase
Example 2: To search for failed purchases
sourcetype=access_* status!=200 action=purchase
Example 3: To search for general errors
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
Example 4: To search for how many simulation games were purchased yesterday
sourcetype=access_* status=200 action=purchase categoryId=simulation

56 Use the Search Language
- Previously we ran a search to see how many simulation games were purchased:
  sourcetype=access_* status=200 action=purchase categoryId=simulation
- To find this number for each day of the previous week, we would have to run it against the data for each day
- To see which products are more popular than others, we would have to run the search for each of the categoryId values

57 Learn with search assistant
Click back to the Search dashboard and restrict the search to Yesterday:
sourcetype=access_* status=200 action=purchase

58 Learn with search assistant
1. Type a pipe character (|) into the search bar
2. Click top under "common next commands"

59 Learn with search assistant

60
1. Type the categoryId field into the search bar to complete your search:
   sourcetype=access_* status=200 action=purchase | top categoryId
2. Run the search

61 View Reports in the Statistics Tab
The results of the top command appear in the Statistics tab

62 View and Format Reports in the Visualization Tab
1. Click the Visualization tab
2. Click Column to open the visualization type selector

63 View and Format Reports in the Visualization Tab
Select Pie

64 View and Format Reports in the Visualization Tab
Hover your mouse over each part of the pie to see the values for that categoryId

65 View and Format Reports in the Visualization Tab
Click on "Strategy" in the pie

66 Use a subsearch: Example 1, without a subsearch
A subsearch is a search that takes another search pipeline as an argument. First, find the top purchaser:
sourcetype=access_* status=200 action=purchase | top limit=1 clientip

67 Use a subsearch: Example 1, without a subsearch
Use the stats command to count the VIP customer's purchases:
sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 | stats count, dc(productId) by clientip

68 Use a subsearch: Example 2, with a subsearch
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId), values(productId) by clientip

69 Use a subsearch: Example 2, with a subsearch
Rename the columns to make the information easier to understand:
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID" by clientip | rename clientip AS "VIP Customer"
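The targeted searches on slide 55 and the top/stats/subsearch pipeline on slides 66 to 69, worked through as an added example (Python written for this page, not Splunk's own code) against a handful of constructed events. The emulation keeps Splunk's rule that an event lacking a field matches neither field=x nor field!=x; the percent column that the real top command also returns is omitted.

```python
# Added example (not Splunk code): a small Python emulation of the tutorial's SPL
# searches, run against constructed events shaped like the tutorial's access_* data.
from collections import Counter

def ev(status, action, clientip, productId, categoryId, sourcetype="access_combined_wcookie"):
    return dict(sourcetype=sourcetype, status=status, action=action, clientip=clientip,
                productId=productId, categoryId=categoryId)

EVENTS = [  # constructed sample events; field names follow the tutorial's access_* data
    ev("200", "purchase", "87.194.216.51", "WC-SH-G04", "STRATEGY"),
    ev("200", "purchase", "87.194.216.51", "DB-SG-G01", "STRATEGY"),
    ev("200", "purchase", "87.194.216.51", "WC-SH-G04", "STRATEGY"),
    ev("200", "purchase", "128.241.220.82", "SC-MG-G10", "SIMULATION"),
    ev("503", "purchase", "128.241.220.82", "SC-MG-G10", "SIMULATION"),
    ev("200", "view", "10.0.0.5", "WC-SH-G04", "STRATEGY"),
    ev("200", "purchase", "10.0.0.5", "SC-MG-G10", "SIMULATION", sourcetype="secure"),
]

def matches(event, field, spec):
    """field=value semantics: a '!' prefix negates (status="!200" is status!=200), a trailing
    '*' is a prefix wildcard. As in Splunk, an event lacking the field matches neither form."""
    if field not in event:
        return False
    negate = spec.startswith("!")
    want = spec.lstrip("!")
    value = str(event[field])
    hit = value.startswith(want[:-1]) if want.endswith("*") else value == want
    return hit != negate

def search(events, **criteria):
    """Emulate the search bar: every field=value term must match (implicit AND)."""
    return [e for e in events if all(matches(e, f, v) for f, v in criteria.items())]

def top(events, field, limit=None):
    """Emulate | top field: (value, count) pairs ordered by count, descending."""
    return Counter(e[field] for e in events if field in e).most_common(limit)

def stats_by_clientip(events):
    """Emulate | stats count, dc(productId), values(productId) by clientip."""
    rows = {}
    for e in events:
        rows.setdefault(e["clientip"], []).append(e["productId"])
    return {ip: {"count": len(p), "dc(productId)": len(set(p)),
                 "values(productId)": sorted(set(p))} for ip, p in rows.items()}

def vip_report(events):
    """Slide 68's subsearch: the inner search picks the top purchaser, the outer one summarises it."""
    purchases = search(events, sourcetype="access_*", status="200", action="purchase")
    vip_ip, _ = top(purchases, "clientip", limit=1)[0]
    return stats_by_clientip(search(purchases, clientip=vip_ip))
```

Running `vip_report(EVENTS)` reproduces the two-step search of slides 66 and 67 in one call, which is exactly what the bracketed subsearch on slide 68 does inside Splunk.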
