Index
A
- acceleration
- about / Acceleration
- big data / Big data - summary strategy
- report acceleration / Report acceleration
- report acceleration, availability / Report acceleration availability
- admin interface
- used, for building field / Using the admin interface to build a field
- advanced XML
- reasons, for using / Reasons for working with advanced XML
- reasons, for avoiding / Reasons for not working with advanced XML
- simple XML, converting to / Converting simple XML to advanced XML
- advanced XML structure
- about / The advanced XML structure
- alert
- search result, saving as / Save as alert
- alerts
- creating, from searches / Creating alerts from searches
- actions, enabling / Enable actions
- action, options / Action options
- sharing / Sharing
- AND operator / Boolean and grouping operators
- apps
- about / Defining an app
- purpose / Defining an app
- Introspection_generator_addon / Included apps
- Distributed Management Console / Included apps
- gettingstarted / Included apps
- Search & Reporting / Included apps
- splunk_datapreview / Included apps
- SplunkDeploymentMonitor / Included apps
- SplunkForwarder / Included apps
- SplunkLightForwarder / Included apps
- installing / Installing apps
- installing, from Splunkbase / Installing apps from Splunkbase
- installing, from files / Installing apps from a file
- building / Building your first app
- appearance, customizing / Customizing the appearance of your app
- launcher icon, customizing / Customizing the launcher icon
- customizing, custom CSS used / Using custom CSS
- customizing, custom HTML used / Using custom HTML
- directory structure / The app directory structure
- adding, to Splunkbase / Adding your app to Splunkbase
- used, for organizing configuration / Using apps to organize configuration
- apps, Splunkbase
- URL / Adding your app to Splunkbase, Uploading your app
- preparing / Preparing your app
- sharing settings, confirming / Confirming sharing settings
- directories, cleaning up / Cleaning up our directories
- packaging / Packaging your app
- uploading / Uploading your app
- appserver resources
- about / Appserver resources
- arguments
- used, for creating macro / Creating a macro with arguments
- attribute
- attributes, props.conf
- search-time attributes / Search-time attributes
- index-time attributes / Index-time attributes
- parse-time attributes / Parse-time attributes
- input-time attributes / Input-time attributes
- with class / Attributes with class
- authentication
- LDAP, using / Using LDAP for authentication
- authorize.conf
- about / authorize.conf
- automatic lookup
- defining / Defining an automatic lookup
- Autorun dashboard / Autorun dashboard
B
- batch
- logs, consuming in / Consuming logs in batch
- boolean operators
- about / Boolean and grouping operators
- Brackets ( [ ] ) operator / Boolean and grouping operators
- btool
- using / Using btool
- bucket
- lifecycle / The lifecycle of a bucket
- by clause
- used, for calculating concurrency / Calculating concurrency with a by clause
C
- .conf files
- about / An overview of Splunk .conf files
- props.conf / props.conf
- inputs.conf / inputs.conf
- transforms.conf / transforms.conf
- fields.conf / fields.conf
- outputs.conf / outputs.conf
- indexes.conf / indexes.conf
- authorize.conf / authorize.conf
- savedsearches.conf / savedsearches.conf
- times.conf / times.conf
- commands.conf / commands.conf
- web.conf / web.conf
- chart command
- used, for turning data / Using chart to turn data
- about / Using timechart to show values over time
- command line
- Splunk, using from / Using Splunk from the command line
- commands
- URL / Using external commands
- writing / Writing commands, When to write a command
- writing, avoiding / When not to write a command
- configuring / Configuring commands
- fields, adding / Adding fields
- data, manipulating / Manipulating data
- data, transforming / Transforming data
- data, generating / Generating data
- commands.conf
- about / commands.conf
- Comma Separated Values (CSV) / Using lookups to enrich data
- common field values
- displaying, top command used / Using top to show common field values
- complex dashboard
- server side include, using in / Using server-side include in a complex dashboard
- concurrency
- determining / Determining concurrency
- transaction, using with / Using transaction with concurrency
- used, for estimating server load / Using concurrency to estimate server load
- calculating, by clause used / Calculating concurrency with a by clause
- configuration apps
- configuration distribution
- about / Configuration distribution
- deployment system, using / Using your own deployment system
- configuration files
- locating / Locating Splunk configuration files
- structure / The structure of a Splunk configuration file
- configuration merging logic
- about / The configuration merging logic, The configuration merging logic
- merging order / The merging order
- examples / Configuration merging – example 1, Configuration merging – example 2, Configuration merging – example 3, Configuration merging – example 4
- btool, using / Using btool
- context macro
- building / Building the context macro
- context workflow action
- building / Building the context workflow action
- CSV files
- used, for storing transient data / Using CSV files to store transient data
- dropdown, pre-populating / Pre-populating a dropdown
- running calculation, creating for day / Creating a running calculation for a day
- custom CSS
- used, for customizing apps / Using custom CSS
- custom HTML
- used, for customizing apps / Using custom HTML
- using, in dashboard / Custom HTML in a simple dashboard
- custom query
- drilldown, building to / Building a drilldown to a custom query
D
- dashboard
- custom HTML, using / Custom HTML in a simple dashboard
- panels, placements / Panel placement
- dashboard panel
- search result, saving as / Save as dashboard panel
- dashboards
- about / The purpose of dashboards, Back to the dashboard
- building, wizards used / Using wizards to build dashboards
- another panel, adding / Adding another panel
- trick / A cool trick
- input, adding / Add input
- Edit Source / Edit source
- generation, scheduling / Scheduling the generation of dashboards
- development process / The development process
- data
- turning, chart command used / Using chart to turn data
- enriching, lookups used / Using lookups to enrich data
- gathering, scripts used / Using scripts to gather data
- database
- logs, consuming from / Consuming logs from a database
- data gathering
- scripted input, writing for / Writing a scripted input to gather data
- data model
- about / What is a data model?
- search / What does a data model search?
- objects / Data model objects
- data model, creating
- about / Creating a data model
- new data model dialog, filling in / Filling in the new data model dialog
- attributes, editing / Editing attributes
- data model, objects
- event objects / Data model objects
- transaction objects / Data model objects
- search objects / Data model objects
- constraining / Object constraining
- attributes / Attributes
- data sources
- about / Common data sources
- date and time range option / Date and time range
- date range option / Date range
- deployment server
- using / Using the Splunk deployment server
- location, for running / Step 1 – deciding where your deployment server will run from
- deploymentclient.conf configuration, defining / Step 2 – defining your deploymentclient.conf configuration
- machine types, defining / Step 3 – defining our machine types and locations
- locations, defining / Step 3 – defining our machine types and locations
- configurations, normalizing into apps / Step 4 – normalizing our configurations into apps appropriately
- apps, mapping to deployment clients in serverclass.conf / Step 5 – mapping these apps to deployment clients in serverclass.conf, Using LDAP for authentication
- restarting / Step 6 – restarting the deployment server
- deploymentclient.conf, installing / Step 7 – installing deploymentclient.conf
- deployment server
- about / The deployment server
- directories, configurations
- $SPLUNK_HOME/etc/system/default / Locating Splunk configuration files
- $SPLUNK_HOME/etc/system/local / Locating Splunk configuration files
- $SPLUNK_HOME/etc/apps/$app_name/default / Locating Splunk configuration files
- $SPLUNK_HOME/etc/apps/$app_name/local / Locating Splunk configuration files
- $SPLUNK_HOME/etc/users/$user_name/$app_name/local / Locating Splunk configuration files
- drilldown
- about / Creating a custom drilldown
- building, to custom query / Building a drilldown to a custom query
- building, to panel / Building a drilldown to another panel
- building, to multiple panels / Building a drilldown to multiple panels using HiddenPostProcess
E
- echo command / When not to write a command
- echo_csv command / When not to write a command
- echo_splunk command / When not to write a command
- epoch time
- about / How Splunk stores time
- equal sign (=) operator / Boolean and grouping operators
- eval command
- about / eval
- event renderer
- about / Writing an event renderer
- writing / Writing an event renderer
- specific fields, using / Using specific fields
- table of fields, based on field value / A table of fields based on field value
- pretty print XML / Pretty print XML
- events
- calculating, per slice of time / Calculating events per slice of time
- timechart, using / Using timechart
- average requests per minute, calculating / Calculating average requests per minute
- average events per minute, calculating / Calculating average events per minute, per hour
- average events per hour, calculating / Calculating average events per minute, per hour
- event segmentation
- about / Event segmentation
- event type
- search result, saving as / Save as event type
- event types
- used, for categorizing results / Using event types to categorize results
- used, for grouping results / Using event types to group results
- Explore Splunk Enterprise pane
- Add data / The home app
- Splunk Apps / The home app
- Splunk Answers / The home app
- external commands
- using / Using external commands
- external site
- workflow action, linking to / Linking to an external site
- extracted fields
- versus indexed fields / Indexed fields versus extracted fields
- extract fields interface
F
- field
- prototyping, rex command used / Using rex to prototype a field
- building, admin interface used / Using the admin interface to build a field
- field context display
- workflow action, building for / Building a workflow action to show field context
- field picker
- about / The field picker
- fields / Fields
- using / Using the field picker, Using the field picker
- fields
- using, for search / Using fields to search
- wildcards, supplementing in / Supplementing wildcards in fields
- working with / Working with fields
- fields.conf
- about / fields.conf
- field widgets
- about / Field widgets
- files
- apps, installing from / Installing apps from a file
- files, inputs.conf
- patterns, using to select rolled logs / Using patterns to select rolled logs
- blacklist, using / Using blacklist and whitelist
- whitelist, using / Using blacklist and whitelist
- selecting / Selecting files recursively
- symbolic links, following / Following symbolic links
- host value, setting / Setting the value of the host from the source
- old installation data, ignoring / Ignoring old data at installation
- crcSalt, using / When to use crcSalt
- indexing / Destructively indexing files
- deleting / Destructively indexing files
- fill_summary_index.py
- used, for backfill / Using fill_summary_index.py to backfill
- forms
- building / Building forms
- creating, from dashboard / Creating a form from a dashboard
- multiple panels, driving / Driving multiple panels from one form
- search results, post-processing / Post-processing search results
- limitations, post-processing / Post-processing limitations
- forwarders
- about / Splunk forwarders
- light forwarder / Splunk forwarders
- heavy forwarder / Splunk forwarders
- configurations / Splunk forwarders
G
- Geo Location Lookup Script
- using / Using Geo Location Lookup Script
- Google
- used, for generating results / Using Google to generate results
- Google Maps
- using / Using Google Maps
- grouping operators
- about / Boolean and grouping operators
H
- Help option
- HiddenPostProcess
- used for building drilldown, to multiple panels / Building a drilldown to multiple panels using HiddenPostProcess
- Home app
- about / The home app
- Explore Splunk Enterprise pane / The home app
- Hunk
I
- index
- directory structure / The directory structure of an index
- sizing / Sizing an index
- index-time attributes
- about / Index-time attributes
- indexed fields
- versus extracted fields / Indexed fields versus extracted fields
- advantages / Indexed fields versus extracted fields
- disadvantages / Indexed fields versus extracted fields
- cases / Indexed field case 1 – rare instances of a common term, Indexed field case 4 – slow requests
- indexer
- about / Splunk indexer
- configurations / Splunk indexer
- indexers
- sizing / Sizing indexers
- indexes
- reasons, for creating / When to create more indexes, Differing longevity, Differing permissions, Using more indexes to increase performance
- indexes.conf
- about / indexes.conf
- input-time attributes
- about / Input-time attributes
- inputs.conf
- about / inputs.conf
- input attributes / Common input attributes
- files as inputs / Files as inputs
- network inputs / Network inputs
- native Windows inputs / Native Windows inputs
- scripts as inputs / Scripts as inputs
- intentions
- stringreplace / stringreplace
- addterm / addterm
L
- latency / How latency affects summary queries
- launcher icon
- customizing / Customizing the launcher icon
- layoutPanel attribute
- about / Understanding layoutPanel
- LDAP
- using, for authentication / Using LDAP for authentication
- Lightweight Directory Access Protocol (LDAP) / Logging into Splunk
- load balancers
- and Splunk / Load balancers and Splunk, splunktcp
- loglevel
- extracting / Extracting loglevel
- extract fields interface, using / Using the extract fields interface
- logs
- monitoring, on servers / Monitoring logs on servers
- on shared drive, monitoring / Monitoring logs on a shared drive
- consuming, in batch / Consuming logs in batch
- consuming, from database / Consuming logs from a database
- lookup attributes
- about / Lookup attributes
- child object / Children
- lookup definition
- defining / Defining a lookup definition
- lookup definitions, transforms.conf
- about / Lookup definitions
- wildcard lookups / Wildcard lookups
- CIDR wildcard lookups / CIDR wildcard lookups
- temporal lookups / Using time in lookups
- lookups
- used, for enriching data / Using lookups to enrich data
- troubleshooting / Troubleshooting lookups
- using, with wildcards / Using a lookup with wildcards
- lookup table file
- defining / Defining a lookup table file
M
- macro
- about / Using macros to reuse logic
- creating / Creating a simple macro
- creating, with arguments / Creating a macro with arguments
- mako templates
- merging order
- about / The merging order
- outside of search / The merging order outside of search
- when searching / The merging order when searching
- metadata
- about / Metadata
- metadata fields, transforms.conf
- modifying / Modifying metadata fields
- host, overriding / Overriding the host
- source, overriding / Overriding the source
- sourcetype, overriding / Overriding sourcetype
- events, routing to different index / Routing events to a different index
- minidom module
- about / Pretty print XML
- module logic flow
- about / Module logic flow
- multiple indexes
- working with / Working with multiple indexes
- multiple panels
- drilldown, building to / Building a drilldown to multiple panels using HiddenPostProcess
- multiple search heads / Multiple search heads
N
- native syslog receiver
- using / Using a native syslog receiver
- navigation
- editing / Editing navigation
- object permissions, effects / How permissions affect navigation
- about / Views and navigation
- NOT operator / Boolean and grouping operators
O
- object permissions
- about / Object permissions
- effects, on navigation / How permissions affect navigation
- effects, on objects / How permissions affect other objects
- issues, correcting / Correcting permission problems
- object permissions, options
- private / Object permissions
- app / Object permissions
- global / Object permissions
- OR operator / Boolean and grouping operators
- output
- controlling, for top command / Controlling the output of top
- outputs.conf
- about / outputs.conf
P
- panel
- converting, to report / Converting the panel to a report
- options / More options
- drilldown, building to / Building a drilldown to another panel
- Parentheses ( ( ) ) operator / Boolean and grouping operators
- parse-time attributes
- about / Parse-time attributes
- Perl Compatible Regular Expressions (PCRE)
- pipe symbol
- about / About the pipe symbol
- pivot
- about / What is a pivot?
- filtering / Filtering your pivots
- split column / Split (row or column)
- split row / Split (row or column)
- column value element / Column values
- table, formatting / Pivot table formatting
- example / A quick example
- Pivot Editor
- about / The pivot editor
- pivot elements, managing / Working with pivot elements
- presets / Presets
- processing stages
- input / Splunk instance types
- parsing / Splunk instance types
- indexing / Splunk instance types
- searching / Splunk instance types
- props.conf
- about / props.conf
- attributes / Common attributes
- stanza types / Stanza types
- Proxying
- URL / Using Single Sign On
Q
- query
- reusing / Reusing a query
- quote marks ( " ) operator / Boolean and grouping operators
R
- real-time option / Real-time
- redundancy
- planning / Planning redundancy
- redundancy, planning
- replication factor / The replication factor
- replication factor, configuring / Configuring your replication factors
- indexer load balancing / Indexer load balancing
- typical outages / Understanding typical outages
- regular expressions
- about / A regular expression primer
- relative presets / Relative
- report
- search result, saving as / Save as report
- REPORT, transforms.conf
- using / Using REPORT
- multivalue fields, creating / Creating multivalue fields
- dynamic fields, creating / Creating dynamic fields
- report acceleration
- about / Report acceleration
- availability / Report acceleration availability
- REST
- used, for querying Splunk / Querying Splunk via REST
- results
- categorizing, event types used / Using event types to categorize results
- generating, Google used / Using Google to generate results
- rex command
- about / rex
- used, for prototyping field / Using rex to prototype a field
S
- saved searches
- summary indexes, populating with / Populating summary indexes with saved searches
- savedsearches.conf
- about / savedsearches.conf
- scripted alert action
- writing, for result processing / Writing a scripted alert action to process results
- scripted input
- about / Writing a scripted input to gather data
- writing, for data gathering / Writing a scripted input to gather data
- creating / Making a long-running scripted input
- scripted lookup
- writing, for data enrichment / Writing a scripted lookup to enrich data
- script output
- capturing, with no date / Capturing script output with no date
- capturing, as single event / Capturing script output as a single event
- scripts
- used, for gathering data / Using scripts to gather data
- Search
- search
- terms, using effectively / Using search terms effectively
- clicking, for modification / Clicking to modify your search
- fields, using / Using fields to search
- performing, against time / Different ways to search against time
- time in-line, specifying / Specifying time in-line in your search
- making, faster / Making searches faster
- job, settings / Search job settings
- saving, for re-use / Saving searches for reuse
- alerts, creating from / Creating alerts from searches
- simplifying, tags used / Using tags to simplify search
- running, values used / Running a new search using values from an event
- search & reporting app
- about / The search
- data generator / The data generator
- summary view / The summary view
- search / Search
- actions / Actions
- timeline / Timeline
- field picker / The field picker
- search results / Search results
- search-time attributes
- about / Search-time attributes
- search head pooling / Multiple search heads
- search results
- about / Search results
- options / Options
- events viewer / The events viewer
- sharing / Sharing results with others
- URL / The URL
- saving, as report / Save as report
- saving, as dashboard panel / Save as dashboard panel
- saving, as alert / Save as alert
- saving, as event type / Save as event type
- server load
- estimating, concurrency used / Using concurrency to estimate server load
- servers
- logs, monitoring / Monitoring logs on servers
- server side include
- using, in complex dashboard / Using server-side include in a complex dashboard
- Settings section
- about / The settings section
- settings section
- about / The settings section
- shared drive
- logs, monitoring / Monitoring logs on a shared drive
- Sideview
- views, linking with / Linking views with Sideview
- Sideview forms
- about / Sideview forms
- Sideview Search module
- about / The Sideview search module
- Sideview URLLoader module
- about / Sideview URLLoader
- Sideview Utils
- about / Sideview Utils
- simple XML
- converting, to advanced XML / Converting simple XML to advanced XML
- Single Sign On (SSO)
- using / Using Single Sign On
- site_replication_factor
- URL / Syntax
- sparklines
- about / Sparklines
- Splunk
- Apps Marketplace, URL / The home app
- community, URL / The home app
- time, parsing / How Splunk parses time
- time, storing / How Splunk stores time
- time, displaying / How Splunk displays time
- regular expressions / A regular expression primer
- commands / Commands that create fields
- version 6.2 / Features replaced
- apps / Defining an app
- object permissions / Object permissions
- documentation, URL / Packaging your app
- installation, planning / Planning your installation
- instance, types / Splunk instance types
- processing, stages / Splunk instance types
- indexer / Splunk indexer
- configuring, for boot launch / Configuring Splunk to launch at boot
- using, from command line / Using Splunk from the command line
- querying, via REST / Querying Splunk via REST
- Splunk APIs
- Splunkbase
- URL / The home app
- apps, installing from / Installing apps from Splunkbase
- apps, adding to / Adding your app to Splunkbase
- Splunk binary
- deploying / Deploying the Splunk binary
- deploying, from tar file / Deploying from a tar file
- deploying, msiexec used / Deploying using msiexec
- Splunk deployment
- base configuration, adding / Adding a base configuration
- Splunk forwarders
- syslog, receiving with / Receiving syslog with a Splunk forwarder
- Splunk indexer
- syslog events, receiving on / Receiving events directly on the Splunk indexer
- Splunk interface
- logging in to / Logging into Splunk
- Home app / The home app
- home app / The home app
- top bar / The top bar
- time picker / Using the time picker
- field picker / Using the field picker
- Settings section / The settings section
- Splunk search
- about / Splunk search
- splunktcp / splunktcp
- Splunk version 6.2
- URL / Using custom CSS
- Splunk web server / web
- stanza
- stanza types, props.conf
- about / Stanza types
- priorities / Priorities inside a type
- stats function
- used, for aggregating values / Using stats to aggregate values
- subsearches
- used, for finding loosely related events / Using subsearches to find loosely related events
- about / Subsearch
- caveats / Subsearch caveats
- nested subsearches / Nested subsearches
- and transaction, combining / Combining subsearches with transaction
- summary data
- backfill / How and when to backfill summary data
- fill_summary_index.py, used for backfill / Using fill_summary_index.py to backfill
- summary indexes
- about / Understanding summary indexes
- creating / Creating a summary index
- using / When to use a summary index
- usage, avoiding / When not to use a summary index
- populating, with saved searches / Populating summary indexes with saved searches
- events, using in query / Using summary index events in a query
- sistats using / Using sistats, sitop, and sitimechart
- sitop, using / Using sistats, sitop, and sitimechart
- sitimechart, using / Using sistats, sitop, and sitimechart
- latency, effects / How latency affects summary queries
- producing, collect used / Using collect to produce custom summary indexes
- size, reducing / Reducing summary index size
- search / Summary index searches
- summary indexes size, reducing
- eval, used for defining grouping fields / Using eval and rex to define grouping fields
- rex, used for defining grouping fields / Using eval and rex to define grouping fields
- lookup, using with wildcards / Using a lookup with wildcards
- event types, using to group results / Using event types to group results
- syslog
- receiving, with Splunk forwarder / Receiving syslog with a Splunk forwarder
- syslog events
- receiving / Receiving syslog events
- receiving, directly on Splunk indexer / Receiving events directly on the Splunk indexer
T
- tags
- about / Using tags to simplify search
- used, for simplifying search / Using tags to simplify search
- third-party add-ons
- about / Third-party add-ons
- Google Maps / Google Maps
- Sideview Utils / Sideview Utils
- time
- about / Time, All about time
- storing / How Splunk stores time
- displaying / How Splunk displays time
- search, performing against / Different ways to search against time
- presets / Presets
- relative presets / Relative
- real-time option / Real-time
- Windowed real-time versus all-time real-time searches / Windowed real-time versus all-time real-time searches
- date range option / Date range
- date and time range option / Date and time range
- advanced option / Advanced
- in-line, specifying in search / Specifying time in-line in your search
- _indextime versus _time / _indextime versus _time
- timechart command
- about / Using timechart to show values over time
- arguments / Timechart options
- time picker
- using / Using the time picker
- times.conf
- about / times.conf
- time zones
- determining / How time zones are determined and why it matters
- top
- calculating, for large time frame / Calculating top for a large time frame
- top bar
- about / The top bar
- top command
- used, for displaying common field values / Using top to show common field values
- output, controlling for / Controlling the output of top
- URL / Controlling the output of top
- rebuilding / Rebuilding top
- transaction
- uses / Using transaction
- used, for determining session length / Using transaction to determine the session's length
- statistics aggregate, calculating / Calculating the aggregate of transaction statistics
- and subsearches, combining / Combining subsearches with transaction
- using, with concurrency / Using transaction with concurrency
- transforms.conf
- about / transforms.conf
- indexed fields, creating / Creating indexed fields
- loglevel field, creating / Creating a loglevel field
- session field, creating from source / Creating a session field from the source
- tag field, creating / Creating a tag field
- host categorization fields, creating / Creating host categorization fields
- metadata fields, modifying / Modifying metadata fields
- lookup definitions / Lookup definitions
- REPORT, using / Using REPORT
- transforms, chaining / Chaining transforms
- events, dropping / Dropping events
U
- user interface resources
- about / User interface resources
- views / Views and navigation
- navigation / Views and navigation
- appserver resources / Appserver resources
- metadata / Metadata
V
- values
- aggregating, stats function used / Using stats to aggregate values
- extracting, from XML / Extracting values from XML
- views
- linking, with Sideview / Linking views with Sideview
- about / Views and navigation
- volumes
- used, for managing multiple indexes / Using volumes to manage multiple indexes
W
- web.conf
- about / web.conf
- wildcards
- using, efficiently / Using wildcards efficiently
- supplementing, in fields / Supplementing wildcards in fields
- Windows Management Instrumentation (WMI)
- about / Native Windows inputs
- wizards
- used, for creating dashboards / Using wizards to build dashboards
- workflow action
- building, for field context display / Building a workflow action to show field context
- URL / Building the context workflow action
- workflow actions
- creating / Creating workflow actions
- search, running with values / Running a new search using values from an event
- linking, to external site / Linking to an external site
X
- XML
- editing, directly / Editing XML directly
- values, extracting from / Extracting values from XML
- xmlkv command
- about / xmlkv
- XPath
- about / XPath