Book Image

Splunk Essentials - Second Edition

By : Betsy Page Sigman, Soni, Erickson Delgado
Book Image

Splunk Essentials - Second Edition

By: Betsy Page Sigman, Soni, Erickson Delgado

Overview of this book

Splunk is a search, analysis, and reporting platform for machine data, which has a high adoption on the market. More and more organizations want to adopt Splunk to use their data to make informed decisions. This book is for anyone who wants to manage data with Splunk. You’ll start with very basics of Splunk— installing Splunk—and then move on to searching machine data with Splunk. You will gather data from different sources, isolate them by indexes, classify them into source types, and tag them with the essential fields. After this, you will learn to create various reports, XML forms, and alerts. You will then continue using the Pivot Model to transform the data models into visualization. You will also explore visualization with D3 in Splunk. Finally you’ll be provided with some real-world best practices in using Splunk.
Table of Contents (10 chapters)

Data normalization with tags


Tags in Splunk are useful for grouping events with related field values. Unlike event types, which are based on specified search commands, tags are created and mapped to specific fields. You can also have multiple tags assigned to the same field, and each tag can be assigned to that field for a specific reason.

The simplest use-case scenario when using tags is for classifying IP addresses. In our Eventgen logs, three IP addresses are automatically generated. We will create tags against these IP addresses that would allow us to classify them based on different conditions:

IP address

Tags

10.2.1.33

main, patched, east

10.2.1.34

main, patched, west

10.2.1.35

backup, east

In our server farm of three servers, we are going to group them by purpose, patch status, and geolocation. We will achieve this using tags, as shown in the following steps:

  1. Begin by using the following search command:

          SPL> index=main server_ip=10.2.1.33
    
  2. Expand the first event by clicking...