Implementing Splunk (Update)

Book Image

Implementing Splunk (Update)

Book Image

Implementing Splunk (Update)

Overview of this book

Implementing Splunk Second Edition

Implementing Splunk Second Edition

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

The Splunk Interface

The Splunk Interface

Logging into Splunk

The search & reporting app

Using the time picker

Using the field picker

The settings section

Understanding Search

Understanding Search

Using search terms effectively

Boolean and grouping operators

Clicking to modify your search

Using fields to search

Using wildcards efficiently

Making searches faster

Sharing results with others

Search job settings

Saving searches for reuse

Creating alerts from searches

Tables, Charts, and Fields

Tables, Charts, and Fields

About the pipe symbol

Using top to show common field values

Using stats to aggregate values

Using chart to turn data

Using timechart to show values over time

Working with fields

Data Models and Pivots

Data Models and Pivots

What is a data model?

What does a data model search?

Creating a data model

Lookup attributes

What is a pivot?

A quick example

Simple XML Dashboards

Simple XML Dashboards

The purpose of dashboards

Using wizards to build dashboards

Converting the panel to a report

Back to the dashboard

Editing XML directly

UI examples app

Features replaced

Autorun dashboard

Scheduling the generation of dashboards

Advanced Search Examples

Advanced Search Examples

Using subsearches to find loosely related events

Using transaction

Determining concurrency

Calculating events per slice of time

Extending Search

Extending Search

Using tags to simplify search

Using event types to categorize results

Using lookups to enrich data

Using macros to reuse logic

Creating workflow actions

Using external commands

Working with Apps

Working with Apps

Defining an app

Installing apps

Building your first app

Editing navigation

Customizing the appearance of your app

Object permissions

The app directory structure

Building Advanced Dashboards

Building Advanced Dashboards

Reasons for working with advanced XML

Reasons for not working with advanced XML

The development process

The advanced XML structure

Converting simple XML to advanced XML

Module logic flow

Understanding layoutPanel

Reusing a query

Using intentions

Creating a custom drilldown

Third-party add-ons

Summary Indexes and CSV Files

Summary Indexes and CSV Files

Understanding summary indexes

When to use a summary index

When not to use a summary index

Populating summary indexes with saved searches

Using summary index events in a query

Using sistats, sitop, and sitimechart

How latency affects summary queries

How and when to backfill summary data

Reducing summary index size

Calculating top for a large time frame

Using CSV files to store transient data

Configuring Splunk

Configuring Splunk

Locating Splunk configuration files

The structure of a Splunk configuration file

The configuration merging logic

An overview of Splunk .conf files

User interface resources

Advanced Deployments

Advanced Deployments

Planning your installation

Splunk instance types

Common data sources

Sizing indexers

Planning redundancy

Working with multiple indexes

Deploying the Splunk binary

Using apps to organize configuration

Configuration distribution

Using LDAP for authentication

Using Single Sign On

Load balancers and Splunk

Multiple search heads

Extending Splunk

Extending Splunk

Writing a scripted input to gather data

Using Splunk from the command line

Querying Splunk via REST

Writing commands

Writing a scripted lookup to enrich data

Writing an event renderer

Writing a scripted alert action to process results

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

The advanced XML structure

Before we dig into the modules provided, let's look at the structure of XML itself and cover a couple of concepts.

The tag structure of an advanced XML document is essentially as follows:

view
module
param
...
module
...

The main concept of Splunk's XML structure is that the effects of modules flow downstream to child modules.

This is a vital concept to understand. The XML structure has almost nothing to do with layout and everything to do with the flow of data.

Let's look at the following simple example:

<view
template="dashboard.html">
<label>Chapter 9, Example 1</label>
<module
name="HiddenSearch"
layoutPanel="panel_row1_col1"
autoRun="True">
<param name="earliest">-99d</param>
<param name="search">error | top user</param>
<module name="SimpleResultsTable"></module>
</module>
</view>

This document produces the following sparse dashboard with one panel:

Let's look through this example line by line...