Implementing Splunk (Update)

Book Image

Implementing Splunk (Update)

Book Image

Implementing Splunk (Update)

Overview of this book

Implementing Splunk Second Edition

Implementing Splunk Second Edition

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

The Splunk Interface

The Splunk Interface

Logging into Splunk

The search & reporting app

Using the time picker

Using the field picker

The settings section

Understanding Search

Understanding Search

Using search terms effectively

Boolean and grouping operators

Clicking to modify your search

Using fields to search

Using wildcards efficiently

Making searches faster

Sharing results with others

Search job settings

Saving searches for reuse

Creating alerts from searches

Tables, Charts, and Fields

Tables, Charts, and Fields

About the pipe symbol

Using top to show common field values

Using stats to aggregate values

Using chart to turn data

Using timechart to show values over time

Working with fields

Data Models and Pivots

Data Models and Pivots

What is a data model?

What does a data model search?

Creating a data model

Lookup attributes

What is a pivot?

A quick example

Simple XML Dashboards

Simple XML Dashboards

The purpose of dashboards

Using wizards to build dashboards

Converting the panel to a report

Back to the dashboard

Editing XML directly

UI examples app

Features replaced

Autorun dashboard

Scheduling the generation of dashboards

Advanced Search Examples

Advanced Search Examples

Using subsearches to find loosely related events

Using transaction

Determining concurrency

Calculating events per slice of time

Extending Search

Extending Search

Using tags to simplify search

Using event types to categorize results

Using lookups to enrich data

Using macros to reuse logic

Creating workflow actions

Using external commands

Working with Apps

Working with Apps

Defining an app

Installing apps

Building your first app

Editing navigation

Customizing the appearance of your app

Object permissions

The app directory structure

Building Advanced Dashboards

Building Advanced Dashboards

Reasons for working with advanced XML

Reasons for not working with advanced XML

The development process

The advanced XML structure

Converting simple XML to advanced XML

Module logic flow

Understanding layoutPanel

Reusing a query

Using intentions

Creating a custom drilldown

Third-party add-ons

Summary Indexes and CSV Files

Summary Indexes and CSV Files

Understanding summary indexes

When to use a summary index

When not to use a summary index

Populating summary indexes with saved searches

Using summary index events in a query

Using sistats, sitop, and sitimechart

How latency affects summary queries

How and when to backfill summary data

Reducing summary index size

Calculating top for a large time frame

Using CSV files to store transient data

Configuring Splunk

Configuring Splunk

Locating Splunk configuration files

The structure of a Splunk configuration file

The configuration merging logic

An overview of Splunk .conf files

User interface resources

Advanced Deployments

Advanced Deployments

Planning your installation

Splunk instance types

Common data sources

Sizing indexers

Planning redundancy

Working with multiple indexes

Deploying the Splunk binary

Using apps to organize configuration

Configuration distribution

Using LDAP for authentication

Using Single Sign On

Load balancers and Splunk

Multiple search heads

Extending Splunk

Extending Splunk

Writing a scripted input to gather data

Using Splunk from the command line

Querying Splunk via REST

Writing commands

Writing a scripted lookup to enrich data

Writing an event renderer

Writing a scripted alert action to process results

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

User interface resources

Most Splunk apps consist mainly of resources for the web application. The app layout for these resources is completely different from all other configurations.

Views and navigation

Like .conf files, view and navigation documents take precedence in the following order:

$SPLUNK_HOME/etc/users/$username/$appname/local: When a new dashboard is created, it lands here. It will remain here until the permissions are changed to App or Global.
$SPLUNK_HOME/etc/apps/$appname/local: Once a document is shared, it will be moved to this directory.
$SPLUNK_HOME/etc/apps/$appname/default: Documents can only be placed here manually. You should do this if you are going to share an app. Unlike .conf files, these documents do not merge.

Within each of these directories, views and navigation end up under the directories data/ui/views and data/ui/nav, respectively. So, given a view foo, for the user bob, in the app app1, the initial location for the document will be as follows:

$SPLUNK_HOME/etc...