Book Image

Splunk Essentials - Second Edition

By : Betsy Page Sigman, Erickson Delgado
Book Image

Splunk Essentials - Second Edition

By: Betsy Page Sigman, Erickson Delgado

Overview of this book

Splunk is a search, analysis, and reporting platform for machine data, which has a high adoption on the market. More and more organizations want to adopt Splunk to use their data to make informed decisions. This book is for anyone who wants to manage data with Splunk. You’ll start with very basics of Splunk— installing Splunk—and then move on to searching machine data with Splunk. You will gather data from different sources, isolate them by indexes, classify them into source types, and tag them with the essential fields. After this, you will learn to create various reports, XML forms, and alerts. You will then continue using the Pivot Model to transform the data models into visualization. You will also explore visualization with D3 in Splunk. Finally you’ll be provided with some real-world best practices in using Splunk.

Related Content you might be interested in

Current Title:

Small book image
Splunk Essentials - Second Edition
Betsy Page Sigman | Erickson Delgado
Sep, 2016 | 236 pages
No titles found
Table of Contents (15 chapters)
Splunk Essentials Second Edition
Splunk Essentials Second Edition
Credits
Credits
About the Authors
About the Authors
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Splunk in Action
Splunk in Action
Your Splunk.com account
Installing Splunk on Windows
Creating a Splunk app
Populating data with Eventgen
Controlling Splunk
Configuring Eventgen
Viewing the Destinations app
Creating your first dashboard
Summary
2
Bringing in Data
Bringing in Data
Splunk and big data
Splunk data sources
Creating indexes
Buckets
Data inputs
Splunk events and fields
Extracting new fields
Summary
3
Search Processing Language
Search Processing Language
Anatomy of a search
Time modifiers
Filtering search results
Search command - stats
Search command - top/rare
Search commands - chart and timechart
Search command - eval
Search command - rex
Summary
4
Data Models and Pivot
Data Models and Pivot
Creating a data model
Data model acceleration
Rearranging your dashboard
Summary
5
Data Optimization, Reports, Alerts, and Accelerating Searches
Data Optimization, Reports, Alerts, and Accelerating Searches
Data classification with event types
Data normalization with tags
Data enrichment with lookups
Creating reports
Creating alerts
Search and report acceleration
Scheduling best practices
Summary indexing
Summary
6
Panes of Glass
Panes of Glass
Creating effective dashboards
Types of dashboard
Form inputs
Creating a time range input
Creating a radio input
Creating a dropdown input
Static Real-Time dashboard
Creating a map called a choropleth
Summary
7
Splunk SDK for JavaScript and D3.js
Splunk SDK for JavaScript and D3.js
Introduction to Splunk SDKs
Practical applications of Splunk's SDK
Creating the final dashboard\jobs.js
Summary
8
HTTP Event Collector
HTTP Event Collector
What is the HEC?
How does the HEC work?
How data flows to the HEC?
Summary
9
Best Practices and Advanced Queries
Best Practices and Advanced Queries
Temporary indexes and oneshot indexing
Searching within an index
Search within a limited time frame
Quick searches via fast mode
Using event sampling
Splunk Universal Forwarders
Advanced queries
How to improve logs
Summary

Creating a time range input

Let us change our input field into a time range field.

  1. Click on Add Input.

  2. On the list to the left, select Time.

  3. In the General section, type Select Time Range in the Label space.

  4. Click on the Search on Change checkbox.

  5. Set the Default time range to Last 24 Hours.

  6. Use the following screenshot as a guide.

  7. Click Apply when done:

  8. Before you save the dashboard changes, click the Autorun dashboard checkbox, as seen in the following screenshot:

You can now try to change the time range using the time input, but nothing will happen. This is because we have not yet configured the panels to react when the time input has been changed. Let us do that now:

  1. Go back to Edit | Edit Panels mode.

  2. Select Inline Search and edit  Search String on the first panel.

  3. Change Time Range Scope to Shared Time Picker (time).

  4. Click on Save :

Notice that the data on the first panel now reacts to the changes you make on the time range input. Perform the same steps on the other three panels and watch the data...

Previous Section
End of Section 5
Next Section