Book Image

Splunk 7 Essentials - Third Edition

By : J-P Contreras, Steven Koelpin, Erickson Delgado, Betsy Page Sigman
Book Image

Splunk 7 Essentials - Third Edition

By: J-P Contreras, Steven Koelpin, Erickson Delgado, Betsy Page Sigman

Overview of this book

Splunk is a search, reporting, and analytics software platform for machine data, which has an ever-growing market adoption rate. More organizations than ever are adopting Splunk to make informed decisions in areas such as IT operations, information security, and the Internet of Things. The first two chapters of the book will get you started with a simple Splunk installation and set up of a sample machine data generator, called Eventgen. After this, you will learn to create various reports, dashboards, and alerts. You will also explore Splunk's Pivot functionality to model data for business users. You will then have the opportunity to test-drive Splunk's powerful HTTP Event Collector. After covering the core Splunk functionality, you'll be provided with some real-world best practices for using Splunk, and information on how to build upon what you've learned in this book. Throughout the book, there will be additional comments and best practice recommendations from a member of the SplunkTrust Community, called "Tips from the Fez".

Related Content you might be interested in

Current Title:

Small book image
Splunk 7 Essentials - Third Edition
J-P Contreras | Steven Koelpin | Erickson Delgado | Betsy Page Sigman
Mar, 2018 | 220 pages
Small book image
Splunk 7.x Quick Start Guide
James H Baxter
Nov, 2018 | 298 pages
Small book image
Splunk Operational Intelligence Cookbook
Paul R Johnson | Derek Mock | Josh Diakun
May, 2018 | 541 pages
Small book image
Mastering Splunk 8
James D Miller
Dec, 2020 | 456 pages
Table of Contents (10 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
Splunk – Getting Started
Splunk – Getting Started
Your Splunk account
Installing Splunk on Windows
Installing Splunk on Linux
Creating a Splunk app
Populating data with Eventgen
Controlling Splunk
Configuring Eventgen
Viewing the Destinations app
Creating your first dashboard
Summary
2
Bringing in Data
Bringing in Data
Splunk and big data
Splunk data sources
Creating indexes
Buckets
Log files as data input
Splunk events and fields
Extracting new fields
Summary
3
Search Processing Language
Search Processing Language
Anatomy of a search
Time modifiers
Filtering search results
Search command – stats
Search command – top/rare
Search commands – chart and timechart
Search command – eval
Search command – rex
Summary
4
Reporting, Alerts, and Search Optimization
Reporting, Alerts, and Search Optimization
Data classification with Event Types
Data normalization with Tags
Data enrichment with Lookups
Creating and scheduling reports
Creating alerts
Search and Report acceleration
Scheduling options
Summary indexing
Summary
5
Dynamic Dashboarding
Dynamic Dashboarding
Creating effective dashboards
Types of dashboards
Form inputs
Creating a time range input
Creating a radio input
Creating a drop-down input
Static real-time dashboard
Creating a choropleth map
Summary
6
Data Models and Pivot
Data Models and Pivot
Creating a data model
Data model acceleration
Rearranging your dashboard
Summary
7
HTTP Event Collector
HTTP Event Collector
What is the HEC?
How does the HEC work?
How data flows to the HEC
Summary
8
Best Practices and Advanced Queries
Best Practices and Advanced Queries
Indexes for testing
Searching within an index
Search within a limited time frame
Quick searches via fast mode
Using event sampling
Use the fields command to improve search performance
Advanced searches
Summary
9
Taking Splunk to the Organization
Taking Splunk to the Organization
Common organizational use cases
Splunk architecture considerations
The Splunk community and online resources
Summary

Search commands – chart and timechart

The chart command aggregates data, providing output in tabular format which can then be used for a visualization. Visualizing data is critical to end user analysis, which makes chart a very important command. Notice that if you run the following search query, it is identical to the output of the stats command:

SPL> index=main | chart count by http_method

For all basic purposes, you can use stats and chart interchangeably. However, there will be differences in how stats and chart group data together. It will be up to you to determine which one is your intended result. To show the differences, here are some examples:

SPL> index=main | stats count by http_method http_uri

You can see the result in the following screenshot:

Following is another example:

SPL> index=main | chart count by http_method http_uri

You can see the result...

Previous Section
End of Section 7
Next Section