Implementing Splunk (Update)

Book Image

Implementing Splunk (Update)

Book Image

Implementing Splunk (Update)

Overview of this book

Implementing Splunk Second Edition

Implementing Splunk Second Edition

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

The Splunk Interface

The Splunk Interface

Logging into Splunk

The search & reporting app

Using the time picker

Using the field picker

The settings section

Understanding Search

Understanding Search

Using search terms effectively

Boolean and grouping operators

Clicking to modify your search

Using fields to search

Using wildcards efficiently

Making searches faster

Sharing results with others

Search job settings

Saving searches for reuse

Creating alerts from searches

Tables, Charts, and Fields

Tables, Charts, and Fields

About the pipe symbol

Using top to show common field values

Using stats to aggregate values

Using chart to turn data

Using timechart to show values over time

Working with fields

Data Models and Pivots

Data Models and Pivots

What is a data model?

What does a data model search?

Creating a data model

Lookup attributes

What is a pivot?

A quick example

Simple XML Dashboards

Simple XML Dashboards

The purpose of dashboards

Using wizards to build dashboards

Converting the panel to a report

Back to the dashboard

Editing XML directly

UI examples app

Features replaced

Autorun dashboard

Scheduling the generation of dashboards

Advanced Search Examples

Advanced Search Examples

Using subsearches to find loosely related events

Using transaction

Determining concurrency

Calculating events per slice of time

Extending Search

Extending Search

Using tags to simplify search

Using event types to categorize results

Using lookups to enrich data

Using macros to reuse logic

Creating workflow actions

Using external commands

Working with Apps

Working with Apps

Defining an app

Installing apps

Building your first app

Editing navigation

Customizing the appearance of your app

Object permissions

The app directory structure

Building Advanced Dashboards

Building Advanced Dashboards

Reasons for working with advanced XML

Reasons for not working with advanced XML

The development process

The advanced XML structure

Converting simple XML to advanced XML

Module logic flow

Understanding layoutPanel

Reusing a query

Using intentions

Creating a custom drilldown

Third-party add-ons

Summary Indexes and CSV Files

Summary Indexes and CSV Files

Understanding summary indexes

When to use a summary index

When not to use a summary index

Populating summary indexes with saved searches

Using summary index events in a query

Using sistats, sitop, and sitimechart

How latency affects summary queries

How and when to backfill summary data

Reducing summary index size

Calculating top for a large time frame

Using CSV files to store transient data

Configuring Splunk

Configuring Splunk

Locating Splunk configuration files

The structure of a Splunk configuration file

The configuration merging logic

An overview of Splunk .conf files

User interface resources

Advanced Deployments

Advanced Deployments

Planning your installation

Splunk instance types

Common data sources

Sizing indexers

Planning redundancy

Working with multiple indexes

Deploying the Splunk binary

Using apps to organize configuration

Configuration distribution

Using LDAP for authentication

Using Single Sign On

Load balancers and Splunk

Multiple search heads

Extending Splunk

Extending Splunk

Writing a scripted input to gather data

Using Splunk from the command line

Querying Splunk via REST

Writing commands

Writing a scripted lookup to enrich data

Writing an event renderer

Writing a scripted alert action to process results

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Using stats to aggregate values

While top is very convenient, stats is extremely versatile. The basic structure of a stats statement is:

stats functions by fields

Many of the functions available in stats mimic similar functions in SQL or Excel, but there are many functions unique to Splunk. The simplest stats function is count. Given the following query, the results will contain exactly one row, with a value for the field count:

sourcetype=tm1* error | stats count

Using the by clause, stats will produce a row per unique value for each field listed, which is similar to the behavior of top. Run the following query:

sourcetype=tm1* error | stats count by date_month date_wday

It will produce a table like that shown in the following screenshot:

There are a few things to notice about these results:

The results are sorted against the values of the by fields, in this case date_month followed by date_wday. Unlike top, the largest value will not necessarily be at the top of the list. You can sort in the...