Book Image

Splunk 7 Essentials - Third Edition

By : J-P Contreras, Steven Koelpin, Erickson Delgado, Betsy Page Sigman
Book Image

Splunk 7 Essentials - Third Edition

By: J-P Contreras, Steven Koelpin, Erickson Delgado, Betsy Page Sigman

Overview of this book

Splunk is a search, reporting, and analytics software platform for machine data, which has an ever-growing market adoption rate. More organizations than ever are adopting Splunk to make informed decisions in areas such as IT operations, information security, and the Internet of Things. The first two chapters of the book will get you started with a simple Splunk installation and set up of a sample machine data generator, called Eventgen. After this, you will learn to create various reports, dashboards, and alerts. You will also explore Splunk's Pivot functionality to model data for business users. You will then have the opportunity to test-drive Splunk's powerful HTTP Event Collector. After covering the core Splunk functionality, you'll be provided with some real-world best practices for using Splunk, and information on how to build upon what you've learned in this book. Throughout the book, there will be additional comments and best practice recommendations from a member of the SplunkTrust Community, called "Tips from the Fez".

Related Content you might be interested in

Current Title:

Small book image
Splunk 7 Essentials - Third Edition
J-P Contreras | Steven Koelpin | Erickson Delgado | Betsy Page Sigman
Mar, 2018 | 220 pages
Small book image
Splunk 7.x Quick Start Guide
James H Baxter
Nov, 2018 | 298 pages
Small book image
Splunk Operational Intelligence Cookbook
Paul R Johnson | Derek Mock | Josh Diakun
May, 2018 | 541 pages
Small book image
Mastering Splunk 8
James D Miller
Dec, 2020 | 456 pages
Table of Contents (10 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
Splunk – Getting Started
Splunk – Getting Started
Your Splunk account
Installing Splunk on Windows
Installing Splunk on Linux
Creating a Splunk app
Populating data with Eventgen
Controlling Splunk
Configuring Eventgen
Viewing the Destinations app
Creating your first dashboard
Summary
2
Bringing in Data
Bringing in Data
Splunk and big data
Splunk data sources
Creating indexes
Buckets
Log files as data input
Splunk events and fields
Extracting new fields
Summary
3
Search Processing Language
Search Processing Language
Anatomy of a search
Time modifiers
Filtering search results
Search command – stats
Search command – top/rare
Search commands – chart and timechart
Search command – eval
Search command – rex
Summary
4
Reporting, Alerts, and Search Optimization
Reporting, Alerts, and Search Optimization
Data classification with Event Types
Data normalization with Tags
Data enrichment with Lookups
Creating and scheduling reports
Creating alerts
Search and Report acceleration
Scheduling options
Summary indexing
Summary
5
Dynamic Dashboarding
Dynamic Dashboarding
Creating effective dashboards
Types of dashboards
Form inputs
Creating a time range input
Creating a radio input
Creating a drop-down input
Static real-time dashboard
Creating a choropleth map
Summary
6
Data Models and Pivot
Data Models and Pivot
Creating a data model
Data model acceleration
Rearranging your dashboard
Summary
7
HTTP Event Collector
HTTP Event Collector
What is the HEC?
How does the HEC work?
How data flows to the HEC
Summary
8
Best Practices and Advanced Queries
Best Practices and Advanced Queries
Indexes for testing
Searching within an index
Search within a limited time frame
Quick searches via fast mode
Using event sampling
Use the fields command to improve search performance
Advanced searches
Summary
9
Taking Splunk to the Organization
Taking Splunk to the Organization
Common organizational use cases
Splunk architecture considerations
The Splunk community and online resources
Summary

Data normalization with Tags

Tags in Splunk are useful for grouping events with related field values. Unlike Event Types, which are based on specified search commands, Tags are created and mapped to specific field-value combinations. Multiple Tags can be assigned to the same field-value combination.

A common scenario of using Tags is for classifying IP addresses. In the Eventgen logs, three IP addresses are automatically generated. We will create Tags against these IP addresses to allow us to classify them:

IP address Tags
10.2.1.33 main, patched, and east
10.2.1.34 main, patched, and west
10.2.1.35 backup and east

We are going to group IP addresses by purpose, patch status, and geolocation in the server farm of three servers represented in our Eventgen data. We will achieve this using Tags, as shown in the following steps:

  1. Begin by using the following search command...
Previous Section
End of Section 3
Next Section