Mastering Splunk

Book Image

Mastering Splunk

By : James D. Miller

Book Image

Mastering Splunk

By: James D. Miller

Overview of this book

Mastering Splunk

Mastering Splunk

Credits

About the Author

About the Author

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

The Application of Splunk

The Application of Splunk

The definition of Splunk

Universal file handling

Confidentiality and security

Conventional use cases

Splunk – outside the box

Splunk in action

Advanced Searching

Advanced Searching

Searching in Splunk

Knowledge management

Searching with parameters

Mastering Tables, Charts, and Fields

Mastering Tables, Charts, and Fields

Tables, charts, and fields

Splunk bucketing

Pivot table formatting

A quick example

Lookups

Configuring a simple field lookup

Command roundup

Progressive Dashboards

Progressive Dashboards

Creating effective dashboards

Going back to dashboards

More on searching

Dynamic drilldowns

Real-world, real-time solutions

Indexes and Indexing

Indexes and Indexing

The importance of indexing

What is a Splunk index?

Indexes, indexers, and clusters

Managing Splunk indexes

Dealing with multiple indexes

Deleting your indexes and indexed data

Configuring indexes

Moving your index database

Spreading out your Splunk index

Hitting the limits

Evolving your Apps

Evolving your Apps

Basic applications

BYO or build your own apps

The end-to-end customization of Splunk

Preparation for app development

Monitoring and Alerting

Monitoring and Alerting

What to monitor

Advanced monitoring

Location, location, location

Leveraging your forwarders

Can I use apps?

Windows inputs in Splunk

Getting started with monitoring

What does Splunk do with the data it monitors?

Viewing the Splunk Deployment Monitor app

All about alerts

Scheduled or real time

Extended functionalities

Transactional Splunk

Transactional Splunk

Transactions and transaction types

Transaction search

Advanced use of transactions

Splunk – Meet the Enterprise

Splunk – Meet the Enterprise

General concepts

Definition of Splunk knowledge

Strategic knowledge management

Splunk object management with knowledge management

Naming conventions for documentation

The enterprise vision

Quick Start

Where and how to learn Splunk

The Splunk documentation

The support portal

The "How-to" tutorials

User conferences, blogs, and news groups

Professional services

Obtaining the Splunk software

An environment to learn in

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Subsearching

A subsearch is a Splunk search that uses a search pipeline as the argument. Subsearches in Splunk are contained in square brackets and evaluated first. Think of a subsearch as being similar to a SQL subquery (a subquery is a SQL query nested inside a larger query).

Subsearches are mainly used for three purposes:

To parameterize one search using the output of another search
To run a separate search but to stitch the output to the first search using the append command
To create a conditional search where you only see the results of your search if the result meets the criteria or perhaps the threshold of the subsearch

Generally, you use a subsearch to take the results of one search and use them in another search, all in a single Splunk search pipeline. Because of how this works, the second search must be able to accept arguments, such as with the append command (as mentioned earlier).

Some examples of subsearching are as follows:

Parameterization: Consider the following code:
```
sourcetype...
```