Book Image

Improving Your Splunk Skills

By : James D. Miller, Paul R. Johnson, Josh Diakun, Derek Mock

Book Image

Improving Your Splunk Skills

By: James D. Miller, Paul R. Johnson, Josh Diakun, Derek Mock

Overview of this book

Splunk makes it easy for you to take control of your data and drive your business with the cutting edge of operational intelligence and business analytics. Through this Learning Path, you'll implement new services and utilize them to quickly and efficiently process machine-generated big data. You'll begin with an introduction to the new features, improvements, and offerings of Splunk 7. You'll learn to efficiently use wildcards and modify your search to make it faster. You'll learn how to enhance your applications by using XML dashboards and configuring and extending Splunk. You'll also find step-by-step demonstrations that'll walk you through building an operational intelligence application. As you progress, you'll explore data models and pivots to extend your intelligence capabilities. By the end of this Learning Path, you'll have the skills and confidence to implement various Splunk services in your projects. This Learning Path includes content from the following Packt products: Implementing Splunk 7 - Third Edition by James Miller Splunk Operational Intelligence Cookbook - Third Edition by Paul R Johnson, Josh Diakun, et al

Title Page

Copyright and Credits

Copyright and Credits

Improving Your Splunk Skills

About Packt

Contributors

About the authors

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Free Chapter

The Splunk Interface

The Splunk Interface

Logging in to Splunk

The Search & Reporting app

Using the time picker

Using the field picker

The settings section

Try before you buy

A quick cloud tour

The top bar in Splunk Cloud

Splunk reference app – PAS

Universal forwarder

Understanding Search

Understanding Search

Using search terms effectively

Boolean and grouping operators

Clicking to modify your search

Using fields to search

Using wildcards efficiently

Making searches faster

Sharing results with others

Searching job settings

Saving searches for reuse

Creating alerts from searches

Event annotations

Tables, Charts, and Fields

Tables, Charts, and Fields

About the pipe symbol

Using top to show common field values

Using stats to aggregate values

Using chart to turn data

Using timechart to show values over time

Working with fields

Chart enhancements in version 7.0

Data Models and Pivots

Data Models and Pivots

What is a data model?

What does a data model search?

Acceleration in version 7.0

Creating a data model

Lookup attributes

What is a pivot?

A quick example

Simple XML Dashboards

Simple XML Dashboards

The purpose of dashboards

Using wizards to build dashboards

Converting the panel to a report

Back to the dashboard

Editing XML directly

UI examples app

Features replaced

Autorun dashboard

Scheduling the generation of dashboards

Extending Search

Extending Search

Using tags to simplify search

Using event types to categorize results

Using lookups to enrich data

Using macros to reuse logic

Creating workflow actions

Using external commands

Working with Apps

Working with Apps

Defining an app

Installing apps

Building your first app

Editing navigation

Customizing the appearance of your app

Object permissions

App directory structure

Self-service app management

Building Advanced Dashboards

Building Advanced Dashboards

Reasons for working with advanced XML

Reasons for not working with advanced XML

Development process

Advanced XML structure

Converting simple XML to advanced XML

Module logic flow

Understanding layoutPanel

Reusing a query

Using intentions

Creating a custom drilldown

Third-party add-ons

Summary Indexes and CSV Files

Summary Indexes and CSV Files

Understanding summary indexes

When to use a summary index

When to not use a summary index

Populating summary indexes with saved searches

Using summary index events in a query

Using sistats, sitop, and sitimechart

How latency affects summary queries

How and when to backfill summary data

Reducing summary index size

Calculating top for a large time frame

Using CSV files to store transient data

Configuring Splunk

Configuring Splunk

Locating Splunk configuration files

The structure of a Splunk configuration file

The configuration merging logic

An overview of Splunk.conf files

User interface resources

Play Time – Getting Data In

Play Time – Getting Data In

Indexing files and directories

Getting data through network ports

Using scripted inputs

Using modular inputs

Using the Universal Forwarder to gather data

Receiving data using the HTTP Event Collector

Getting data from databases using DB Connect

Loading the sample data for this book

Data onboarding – defining field extractions

Data onboarding - defining event types and tags

Installing the Machine Learning Toolkit

Building an Operational Intelligence Application

Building an Operational Intelligence Application

Creating an Operational Intelligence application

Adding dashboards and reports

Organizing the dashboards more efficiently

Dynamically drilling down on activity reports

Creating a form for searching web activity

Linking web page activity reports to the form

Displaying a geographical map of visitors

Highlighting average product price

Scheduling the PDF delivery of a dashboard

Diving Deeper – Advanced Searching, Machine Learning and Predictive Analytics

Diving Deeper – Advanced Searching, Machine Learning and Predictive Analytics

Calculating the average session time on a website

Calculating the average execution time for multi-tier web requests

Displaying the maximum concurrent checkouts

Analyzing the relationship of web requests

Predicting website traffic volumes

Finding abnormally-sized web requests

Identifying potential session spoofing

Detecting outliers in server response times

Forecasting weekly sales

Speeding Up Intelligence – Data Summarization

Speeding Up Intelligence – Data Summarization

Calculating an hourly count of sessions versus completed transactions

Backfilling the number of purchases by city

Displaying the maximum number of concurrent sessions over time

Above and Beyond – Customization, Web Framework, HTTP Event Collector, REST API, and SDKs

Above and Beyond – Customization, Web Framework, HTTP Event Collector, REST API, and SDKs

Customizing the application navigation

Adding a Sankey diagram of web hits

Developing a tag cloud of purchases by country

Adding Cell Icons to Highlight Average Product Price

Remotely querying Splunk's REST API for unique page views

Creating a Python application to return unique IP addresses

Creating a custom search command to format product names

Collecting data from remote scanning devices

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

The structure of a Splunk configuration file

The .conf files used by Splunk look very similar to .ini files. A simple configuration looks like this:

#settings for foo 
[foo] 
bar=1 
la = 2

Let's look at the following couple of definitions:

stanza: A stanza is used to group attributes. Our stanza in this example is [foo]. A common synonym for this is section. Keep in mind the following key points:
- A stanza name must be unique in a single file
- The order does not matter
attribute: An attribute is a name-value pair. Our attributes in this example are bar and la. A common synonym is parameter. Keep in mind the following key points:
- The attribute name must not contain whitespace or the equals sign.
- Each attribute belongs to the stanza defined previously; if the attribute appears before all stanzas, the attribute belongs to the stanza [default].
- The attribute name must be unique...