Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Mastering Splunk
  • Table Of Contents Toc
  • Feedback & Rating feedback
Mastering Splunk

Mastering Splunk

By : James D. Miller
2.7 (3)
Buy this Book
close
close
Mastering Splunk

Mastering Splunk

2.7 (3)
By: James D. Miller
Buy this Book

Overview of this book

This book is for those Splunk developers who want to learn advanced strategies to deal with big data from an enterprise architectural perspective. You need to have good working knowledge of Splunk.
Table of Contents (13 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. The Application of Splunk
Icon
1. The Application of Splunk
Icon
The definition of Splunk
Icon
Universal file handling
Icon
Confidentiality and security
Icon
Conventional use cases
Icon
Splunk – outside the box
Icon
Splunk in action
Icon
Summary
2
2. Advanced Searching
Icon
2. Advanced Searching
Icon
Searching in Splunk
Icon
Knowledge management
Icon
Subsearching
Icon
Searching with parameters
Icon
Splunk macros
Icon
Search results
Icon
Summary
3
3. Mastering Tables, Charts, and Fields
chevron up
Icon
3. Mastering Tables, Charts, and Fields
Icon
Tables, charts, and fields
Icon
Splunk bucketing
Icon
Drilldowns
Icon
Pivot
Icon
Split
Icon
Column values
Icon
Pivot table formatting
Icon
A quick example
Icon
Sparklines
Icon
Summary
4
4. Lookups
Icon
4. Lookups
Icon
Introduction
Icon
Configuring a simple field lookup
Icon
Command roundup
Icon
Summary
5
5. Progressive Dashboards
Icon
5. Progressive Dashboards
Icon
Creating effective dashboards
Icon
Form searching
Icon
Going back to dashboards
Icon
More on searching
Icon
Dynamic drilldowns
Icon
Real-world, real-time solutions
Icon
Summary
6
6. Indexes and Indexing
Icon
6. Indexes and Indexing
Icon
The importance of indexing
Icon
What is a Splunk index?
Icon
Indexes, indexers, and clusters
Icon
Managing Splunk indexes
Icon
Dealing with multiple indexes
Icon
Deleting your indexes and indexed data
Icon
Configuring indexes
Icon
Moving your index database
Icon
Spreading out your Splunk index
Icon
Size matters
Icon
Hitting the limits
Icon
Summary
7
7. Evolving your Apps
Icon
7. Evolving your Apps
Icon
Basic applications
Icon
BYO or build your own apps
Icon
App FAQs
Icon
The end-to-end customization of Splunk
Icon
Preparation for app development
Icon
Summary
8
8. Monitoring and Alerting
Icon
8. Monitoring and Alerting
Icon
What to monitor
Icon
Advanced monitoring
Icon
Location, location, location
Icon
Leveraging your forwarders
Icon
Can I use apps?
Icon
Windows inputs in Splunk
Icon
Getting started with monitoring
Icon
What does Splunk do with the data it monitors?
Icon
Splunk
Icon
Viewing the Splunk Deployment Monitor app
Icon
All about alerts
Icon
Editing alerts
Icon
Scheduled or real time
Icon
Extended functionalities
Icon
Summary
9
9. Transactional Splunk
Icon
9. Transactional Splunk
Icon
Transactions and transaction types
Icon
Transaction search
Icon
Advanced use of transactions
Icon
Summary
10
10. Splunk – Meet the Enterprise
Icon
10. Splunk – Meet the Enterprise
Icon
General concepts
Icon
Best practices
Icon
Definition of Splunk knowledge
Icon
Strategic knowledge management
Icon
Splunk object management with knowledge management
Icon
Naming conventions for documentation
Icon
Testing
Icon
Retrofitting
Icon
The enterprise vision
Icon
Summary
11
A. Quick Start
Icon
A. Quick Start
Icon
Topics
Icon
Where and how to learn Splunk
Icon
Certifications
Icon
The Splunk documentation
Icon
www.splunk.com
Icon
Splunk answers
Icon
Splunkbase
Icon
The support portal
Icon
The Splexicon
Icon
The "How-to" tutorials
Icon
User conferences, blogs, and news groups
Icon
Professional services
Icon
Obtaining the Splunk software
Icon
An environment to learn in
Icon
Summary
12
Index
Icon
Index

Splunk bucketing

The Splunk bucketing option allows you to group events into discreet buckets of information for better analysis. For example, the number of events returned from the indexed data might be overwhelming, so it makes more sense to group or bucket them by a span (or a time range) of time (seconds, minutes, hours, days, months, or even subseconds).

We can use the following example to illustrate this point:

tm1* error | stats count(_raw) by _time source

Notice the generated output:

Splunk bucketing

Here is an additional example:

tm1* error | bucket _time span=5d | stats count(_raw) by _time source

The output obtained is as follows:

Splunk bucketing

Reporting using the timechart command

Similar to the chart command, timechart is a reporting command for creating time series charts with a corresponding table of statistics. As discussed earlier, timechart always generates a _time x-axis (while with chart, you are able to set your own x-axis for your chart visualization). This is an important difference as the following commands...

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Mastering Splunk
End of Section 3
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon