Book Image

Splunk Operational Intelligence Cookbook

Book Image

Splunk Operational Intelligence Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Splunk Operational Intelligence Cookbook
Oct, 2014 | 414 pages
No titles found
Table of Contents (17 chapters)
Splunk Operational Intelligence Cookbook
Splunk Operational Intelligence Cookbook
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Play Time – Getting Data In
Play Time – Getting Data In
Introduction
Indexing files and directories
Getting data through network ports
Using scripted inputs
Using modular inputs
Using the Universal Forwarder to gather data
Loading the sample data for this book
Defining field extractions
Defining event types and tags
Summary
2
Diving into Data – Search and Report
Diving into Data – Search and Report
Introduction
Making raw event data readable
Finding the most accessed web pages
Finding the most used web browsers
Identifying the top-referring websites
Charting web page response codes
Displaying web page response time statistics
Listing the top viewed products
Charting the application's functional performance
Charting the application's memory usage
Counting the total number of database connections
Summary
3
Dashboards and Visualizations – Make Data Shine
Dashboards and Visualizations – Make Data Shine
Introduction
Creating an Operational Intelligence dashboard
Using a pie chart to show the most accessed web pages
Displaying the unique number of visitors
Using a gauge to display the number of errors
Charting the number of method requests by type and host
Creating a timechart of method requests, views, and response times
Using a scatter chart to identify discrete requests by size and response time
Creating an area chart of the application's functional statistics
Using a bar chart to show the average amount spent by category
Creating a line chart of item views and purchases over time
Summary
4
Building an Operational Intelligence Application
Building an Operational Intelligence Application
Introduction
Creating an Operational Intelligence application
Adding dashboards and reports
Organizing the dashboards more efficiently
Dynamically drilling down on activity reports
Creating a form to search web activities
Linking web page activity reports to the form
Displaying a geographical map of visitors
Scheduling the PDF delivery of a dashboard
Summary
5
Extending Intelligence – Data Models and Pivoting
Extending Intelligence – Data Models and Pivoting
Introduction
Creating a data model for web access logs
Creating a data model for application logs
Accelerating data models
Pivoting total sales transactions
Pivoting purchases by geographical location
Pivoting slowest responding web pages
Pivot charting top error codes
Summary
6
Diving Deeper – Advanced Searching
Diving Deeper – Advanced Searching
Introduction
Calculating the average session time on a website
Calculating the average execution time for multi-tier web requests
Displaying the maximum concurrent checkouts
Analyzing the relationship of web requests
Predicting website-traffic volumes
Finding abnormally sized web requests
Identifying potential session spoofing
Summary
7
Enriching Data – Lookups and Workflows
Enriching Data – Lookups and Workflows
Introduction
Looking up product code descriptions
Flagging suspicious IP addresses
Creating a session state table
Adding hostnames to IP addresses
Searching ARIN for a given IP address
Triggering a Google search for a given error
Creating a ticket for application errors
Looking up inventory from an external database
Summary
8
Being Proactive – Creating Alerts
Being Proactive – Creating Alerts
Introduction
Alerting on abnormal web page response times
Alerting on errors during checkout in real time
Alerting on abnormal user behavior
Alerting on failure and triggering a scripted response
Alerting when predicted sales exceed inventory
Summary
9
Speed Up Intelligence – Data Summarization
Speed Up Intelligence – Data Summarization
Introduction
Calculating an hourly count of sessions versus completed transactions
Backfilling the number of purchases by city
Displaying the maximum number of concurrent sessions over time
Summary
10
Above and Beyond – Customization, Web Framework, REST API, and SDKs
Above and Beyond – Customization, Web Framework, REST API, and SDKs
Introduction
Customizing the application's navigation
Adding a force-directed graph of web hits
Adding a calendar heatmap of product purchases
Remotely querying Splunk's REST API for unique page views
Creating a Python application to return unique IP addresses
Creating a custom search command to format product names
Summary
Index
Index

Getting data through network ports

Not every machine has the luxury of being able to write logfiles. Sending data over network ports and protocols is still very common. For instance, sending logs via syslog is still the primary method to capture network device data such as firewalls, routers, and switches.

Sending data to Splunk over network ports doesn't need to be limited to network devices. Applications and scripts can use socket communication to the network ports that Splunk is listening on. This can be a very useful tool in your back pocket, as there can be scenarios where you need to get data into Splunk but don't necessarily have the ability to write to a file.

This recipe will show you how to configure Splunk to receive syslog data on a UDP network port, but it is also applicable to the TCP port configuration.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server. There are no other prerequisites.

How to do it...

Follow the steps in the recipe to configure Splunk to receive network UDP data:

  1. Log in to your Splunk server.

  2. From the home launcher in the top-right corner, click on the Add Data button.

  3. In the Or Choose a Data Source list, click on the From a UDP port link.

  4. In the Source section, enter 514 in the UDP port field. On Unix/Linux, Splunk must be running as root to access privileged ports such as 514. An alternative would be to specify a higher port such as port 1514 or route data from 514 to another port using routing rules in iptables.

  5. In the Source type section, select From list from the Set sourcetype drop-down list, and then, select syslog from the Select source type from list drop-down list.

  6. Click on Save, and on the next screen, click on Start searching. Splunk is now configured to listen on UDP port 514. Any data sent to this port now will be assigned the syslog source type. To search for the syslog source type, you can run the following search:

    sourcetype=syslog

    Understandably, you will not see any data unless you happen to be sending data to your Splunk server IP on UDP port 514.

How it works...

When you add a new network port input, you are basically adding a new configuration stanza into an inputs.conf file behind the scenes. The Splunk server can contain one or more inputs.conf files, and these files are either located in the $SPLUNK_HOME/etc/system/local or local directory of a Splunk app.

To collect data on a network port, Splunk will set up a socket to listen on the specified TCP or UDP port and will index any data it receives on that port. For example, in this recipe, you configured Splunk to listen on port 514 for UDP data. If data was received on that port, then Splunk would index it and assign a syslog source type to it.

Splunk also provides many configuration options that can be used with network inputs, such as how to resolve the host value to use on the collected data.

Note

For more information on Splunk's configuration files, visit http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles.

There's more...

While adding inputs to receive data from network ports can be done through the web interface of Splunk as outlined in this recipe, there are other approaches to add multiple inputs quickly; these inputs allow for customization of the many configuration options that Splunk provides.

Adding a network input via the CLI

You can also add a file or directory input via the Splunk CLI. Navigate to your $SPLUNK_HOME/bin directory and execute the following command (just replace the protocol, port, and source type you wish to use):

For Unix:

./splunk add udp 514 –sourcetype syslog

For Windows:

splunk add udp 514 –sourcetype syslog

There are a number of different parameters that can be passed along with the port. See the Splunk documentation for more on data inputs using the CLI (http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI).

Adding a network input via inputs.conf

Network inputs can be manually added to the inputs.conf configuration files. Edit $SPLUNK_HOME/etc/system/local/inputs.conf and add your input. You will need to restart Splunk after modifying the file.

[udp://514]
sourcetype = syslog

Tip

It is best practice to not send syslog data directly to an indexer. Instead, always place a forwarder between the network device and the indexer. The Splunk forwarder would be set up to receive the incoming syslog data (inputs.conf) and will load balance the data across your Splunk indexers (outputs.conf). The forwarder can also be configured to cache the syslog data in the event that communication to the indexers is lost.

See also

  • The Indexing files and directories recipe

  • The Using scripted inputs recipe

  • The Using modular inputs recipe

Previous Section
End of Section 4
Next Section