Book Image

Implementing Splunk 7, Third Edition - Third Edition

Book Image

Implementing Splunk 7, Third Edition - Third Edition

Overview of this book

Splunk is the leading platform that fosters an efficient methodology and delivers ways to search, monitor, and analyze growing amounts of big data. This book will allow you to implement new services and utilize them to quickly and efficiently process machine-generated big data. We introduce you to all the new features, improvements, and offerings of Splunk 7. We cover the new modules of Splunk: Splunk Cloud and the Machine Learning Toolkit to ease data usage. Furthermore, you will learn to use search terms effectively with Boolean and grouping operators. You will learn not only how to modify your search to make your searches fast but also how to use wildcards efficiently. Later you will learn how to use stats to aggregate values, a chart to turn data, and a time chart to show values over time; you'll also work with fields and chart enhancements and learn how to create a data model with faster data model acceleration. Once this is done, you will learn about XML Dashboards, working with apps, building advanced dashboards, configuring and extending Splunk, advanced deployments, and more. Finally, we teach you how to use the Machine Learning Toolkit and best practices and tips to help you implement Splunk services effectively and efficiently. By the end of this book, you will have learned about the Splunk software as a whole and implemented Splunk services in your tasks at projects

Related Content you might be interested in

Current Title:

Small book image
Implementing Splunk 7, Third Edition - Third Edition
Mar, 2018 | 576 pages
Small book image
Splunk 7.x Quick Start Guide
James H Baxter
Nov, 2018 | 298 pages
Small book image
Mastering Splunk 8
James D Miller
Dec, 2020 | 456 pages
Small book image
Splunk 7 Essentials
Steven Koelpin | Erickson Delgado | JP Contreras | Betsy Page Sigman
Mar, 2018 | 220 pages
Table of Contents (19 chapters)
Title Page
Title Page
Packt Upsell
Packt Upsell
Contributors
Contributors
Preface
Preface
Free Chapter
1
The Splunk Interface
The Splunk Interface
Logging in to Splunk
The home app
The top bar
The Search & Reporting app
Using the time picker
Using the field picker
The settings section
Splunk Cloud
Try before you buy
A quick cloud tour
The top bar in Splunk Cloud
Splunk reference app – PAS
Universal forwarder
eventgen
Next steps
Summary
2
Understanding Search
Understanding Search
Using search terms effectively
Boolean and grouping operators
Clicking to modify your search
Using fields to search
Using wildcards efficiently
All about time
Making searches faster
Sharing results with others
Searching job settings
Saving searches for reuse
Creating alerts from searches
Event annotations
Summary
3
Tables, Charts, and Fields
Tables, Charts, and Fields
About the pipe symbol
Using top to show common field values
Using stats to aggregate values
Using chart to turn data
Using timechart to show values over time
Working with fields
Chart enhancements in version 7.0
Summary
4
Data Models and Pivots
Data Models and Pivots
What is a data model?
What does a data model search?
Acceleration in version 7.0
Creating a data model
Lookup attributes
What is a pivot?
A quick example
Sparklines
Summary
5
Simple XML Dashboards
Simple XML Dashboards
The purpose of dashboards
Using wizards to build dashboards
Converting the panel to a report
Back to the dashboard
Editing XML directly
UI examples app
Building forms
Features replaced
Autorun dashboard
Scheduling the generation of dashboards
Summary
6
Advanced Search Examples
Advanced Search Examples
Using subsearches to find loosely related events
Using transaction
Determining concurrency
Calculating events per slice of time
Rebuilding top
Acceleration
Version 7.0 advancements in metrics
Summary
7
Extending Search
Extending Search
Using tags to simplify search
Using event types to categorize results
Using lookups to enrich data
Using macros to reuse logic
Creating workflow actions
Using external commands
Summary
8
Working with Apps
Working with Apps
Defining an app
Included apps
Installing apps
Building your first app
Editing navigation
Customizing the appearance of your app
Object permissions
App directory structure
Self-service app management
Summary
9
Building Advanced Dashboards
Building Advanced Dashboards
Reasons for working with advanced XML
Reasons for not working with advanced XML
Development process
Advanced XML structure
Converting simple XML to advanced XML
Module logic flow
Understanding layoutPanel
Reusing a query
Using intentions
Creating a custom drilldown
Third-party add-ons
Summary
10
Summary Indexes and CSV Files
Summary Indexes and CSV Files
Understanding summary indexes
When to use a summary index
When to not use a summary index
Populating summary indexes with saved searches
Using summary index events in a query
Using sistats, sitop, and sitimechart
How latency affects summary queries
How and when to backfill summary data
Reducing summary index size
Calculating top for a large time frame
Using CSV files to store transient data
Summary
11
Configuring Splunk
Configuring Splunk
Locating Splunk configuration files
The structure of a Splunk configuration file
The configuration merging logic
An overview of Splunk.conf files
User interface resources
Summary
12
Advanced Deployments
Advanced Deployments
Planning your installation
Splunk instance types
Common data sources
Sizing indexers
Planning redundancy
Working with multiple indexes
Deploying the Splunk binary
Using apps to organize configuration
Configuration distribution
Using LDAP for authentication
Using single sign-on
Load balancers and Splunk
Multiple search heads
Summary
13
Extending Splunk
Extending Splunk
Writing a scripted input to gather data
Using Splunk from the command line
Querying Splunk via REST
Writing commands
Writing a scripted lookup to enrich data
Writing an event renderer
Writing a scripted alert action to process results
Hunk
Summary
14
Machine Learning Toolkit
Machine Learning Toolkit
What is machine learning?
Defining the toolkit
The toolkit workbench
Assistants
Extended SPL (search processing language)
Building a model
Validation
Summary
Index
Index

Writing a scripted input to gather data

Scripted inputs allow you to run a piece of code on a scheduled basis and capture the output as if it were simply being written to a file. It does not matter what language the script is written in, or where it lives, as long as it is executable.

We touched on this topic in the Using scripts to gather data section in Chapter 12, Advanced Deployments. Let's write a few more examples.

Capturing script output with no date

One common problem with script output is the lack of a predictable date or date format. In this situation, the easiest thing to do is to tell Splunk not to try to parse a date at all and instead use the current date. Let's make a script that lists open network connections:

from subprocess import Popen 
from subprocess import PIPE 
from collections import defaultdict 
import re 
def add_to_key(fieldname, fields): 
  return " " + fieldname + "+" + fields[fieldname] 
output = Popen("netstat -n -p tcp", stdout=PIPE, 
  shell=True).stdout.read...
Previous Section
End of Section 2
Next Section