Book Image

Implementing Splunk (Update)

Book Image

Implementing Splunk (Update)

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Implementing Splunk (Update)
Jul, 2015 | 506 pages
No titles found
Table of Contents (20 chapters)
Implementing Splunk Second Edition
Implementing Splunk Second Edition
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The Splunk Interface
The Splunk Interface
Logging into Splunk
The home app
The top bar
The search & reporting app
Using the time picker
Using the field picker
The settings section
Summary
2
Understanding Search
Understanding Search
Using search terms effectively
Boolean and grouping operators
Clicking to modify your search
Using fields to search
Using wildcards efficiently
All about time
Making searches faster
Sharing results with others
Search job settings
Saving searches for reuse
Creating alerts from searches
Summary
3
Tables, Charts, and Fields
Tables, Charts, and Fields
About the pipe symbol
Using top to show common field values
Using stats to aggregate values
Using chart to turn data
Using timechart to show values over time
Working with fields
Summary
4
Data Models and Pivots
Data Models and Pivots
What is a data model?
What does a data model search?
Creating a data model
Lookup attributes
What is a pivot?
A quick example
Sparklines
Summary
5
Simple XML Dashboards
Simple XML Dashboards
The purpose of dashboards
Using wizards to build dashboards
Converting the panel to a report
Back to the dashboard
Editing XML directly
UI examples app
Building forms
Features replaced
Autorun dashboard
Scheduling the generation of dashboards
Summary
6
Advanced Search Examples
Advanced Search Examples
Using subsearches to find loosely related events
Using transaction
Determining concurrency
Calculating events per slice of time
Rebuilding top
Acceleration
Summary
7
Extending Search
Extending Search
Using tags to simplify search
Using event types to categorize results
Using lookups to enrich data
Using macros to reuse logic
Creating workflow actions
Using external commands
Summary
8
Working with Apps
Working with Apps
Defining an app
Included apps
Installing apps
Building your first app
Editing navigation
Customizing the appearance of your app
Object permissions
The app directory structure
Summary
9
Building Advanced Dashboards
Building Advanced Dashboards
Reasons for working with advanced XML
Reasons for not working with advanced XML
The development process
The advanced XML structure
Converting simple XML to advanced XML
Module logic flow
Understanding layoutPanel
Reusing a query
Using intentions
Creating a custom drilldown
Third-party add-ons
10
Summary Indexes and CSV Files
Summary Indexes and CSV Files
Understanding summary indexes
When to use a summary index
When not to use a summary index
Populating summary indexes with saved searches
Using summary index events in a query
Using sistats, sitop, and sitimechart
How latency affects summary queries
How and when to backfill summary data
Reducing summary index size
Calculating top for a large time frame
Using CSV files to store transient data
Summary
11
Configuring Splunk
Configuring Splunk
Locating Splunk configuration files
The structure of a Splunk configuration file
The configuration merging logic
An overview of Splunk .conf files
User interface resources
Summary
12
Advanced Deployments
Advanced Deployments
Planning your installation
Splunk instance types
Common data sources
Sizing indexers
Planning redundancy
Working with multiple indexes
Deploying the Splunk binary
Using apps to organize configuration
Configuration distribution
Using LDAP for authentication
Using Single Sign On
Load balancers and Splunk
Multiple search heads
Summary
13
Extending Splunk
Extending Splunk
Writing a scripted input to gather data
Using Splunk from the command line
Querying Splunk via REST
Writing commands
Writing a scripted lookup to enrich data
Writing an event renderer
Writing a scripted alert action to process results
Hunk
Summary
Index
Index

The top bar

The bar across the top of the window contains information about where you are, as well as quick links to preferences, other apps, and administration.

The current app is specified in the upper-left corner. The following image shows the upper-left Splunk bar when using the Search & Reporting app:

Clicking on the text takes you to the default page for that app. In most apps, the text next to the logo is simply changed, but the whole block can be customized with logos and alternate text by modifying the app's CSS. We will cover this in Chapter 8, Working with Apps.

The upper-right corner of the window, as seen in the previous image, contains action links that are almost always available:

  • The name of the user who is currently logged in appears first. In this case, the user is Administrator. Clicking on the username allows you to select Edit Account (which will take you to the Your account page) or to Logout (of Splunk). Logout ends the session and forces the user to login again. The following screenshot shows what the Your account page looks like:

    This form presents the global preferences that a user is allowed to change. Other settings that affect users are configured through permissions on objects and settings on roles. (Note: preferences can also be configured using the CLI or by modifying specific Splunk configuration files).

  • Full name and Email address are stored for the administrator's convenience.

  • Time zone can be changed for the logged-in user. This is a new feature in Splunk 4.3.

    Note

    Setting the time zone only affects the time zone used to display the data. It is very important that the date is parsed properly when events are indexed. We will discuss this in detail in Chapter 2, Understanding Search.

  • Default app controls the starting page after login. Most users will want to change this to search.

  • Restart backgrounded jobs controls whether unfinished queries should run again if Splunk is restarted.

  • Set password allows you to change your password. This is only relevant if Splunk is configured to use internal authentication. For instance, if the system is configured to use Windows Active Directory via LDAP (a very common configuration), users must change their password in Windows.

  • Messages allows you to view any system-level error messages you may have pending. When there is a new message for you to review, a notification displays as a count next to the Messages menu. You can click the X to remove a message.

    Tip

    Downloading the example code

    You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

  • The Settings link presents the user with the configuration pages for all Splunk Knowledge objects, Distributed Environment settings, System and Licensing, Data, and Users and Authentication settings. If you do not see some of these options, you do not have the permissions to view or edit them.

  • The Activity menu lists shortcuts to Splunk Jobs, Triggered Alerts, and System Activity views. You can click Jobs (to open the search jobs manager window, where you can view and manage currently running searches), click Triggered Alerts (to view scheduled alerts that are triggered) or click System Activity (to see dashboards about user activity and the status of the system).

  • Help lists links to video Tutorials, Splunk Answers, the Splunk Contact Support portal, and online Documentation.

  • Find can be used to search for objects within your Splunk Enterprise instance. For example, if you type in error, it returns the saved objects that contain the term error. These saved objects include Reports, Dashboards, Alerts, and so on. You can also search for error in the Search & Reporting app by clicking Open error in search.

Previous Section
End of Section 4
Next Section