Course goals
Using Splunk Web, run searches and save results
Create and use knowledge objects, such as:
- Saved searches
- Custom field extractions
- Tags
- Event types
- Views (Dashboards)
Create reports
Find out where and how to get help
Listen to your data.
Course outline
1. Starting Searches
2. Saving Results and Searches
3. Using Fields
4. Creating and Using Tags and Event Types
5. Creating Alerts
6. Creating Reports and Dashboards
Section 1: Start Searching
Section objectives
Describe Splunk and its uses
Describe the Search app
Run basic searches
Identify the contents of search results
Use the output of a search to refine your search
Control a search job
Set the time range of a search
Roles (access levels): admin, power, user
Using Splunk 5.0 | Copyright 2013 Splunk, Inc. All rights reserved | March 2013
User settings
To display and edit your user settings, click your name in the main menu
- The Time zone setting allows you to
[Search app screenshot callouts: app navigation, current view, search bar, time range picker, global stats, start search, data sources]
... other input
Sourcetype
- specific data type or data format
Host
- hostname, IP address, or
Events
Searches return events. In Splunk, an event is a single piece of data, such as a record in a log file or other data input.
Splunk breaks up input data into individual events and gives each a timestamp, host, source, and sourcetype.
Everything is searchable
Search terms are case insensitive
- Example: fail*
* wildcard supported
- Example: fail* nfs (implied AND between the two terms)
Booleans AND, OR, NOT
- Must be uppercase; a lowercase "or" is just another search term
- Implied AND between terms
- Use () for complex searches
- Example: error OR 404
Quote phrases
Search assistant
Quick reference for Splunk search language that updates as you type
- Includes links to documentation
- Shows matching searches, matching terms, and examples
Search results
Matching results are returned immediately
- Displayed in reverse chronological order
- Matching search terms are highlighted
[Search results screenshot callouts: search mode, time range picker, timeline, paginator, fields sidebar, event data, timestamp, selected fields]
Search mode
Three modes
1. Smart [default]
2. Fast: performance over completeness
3. Verbose: completeness over performance
You learn more about search mode in Section 3: Using Fields
... of resources
- Ideal for looking at long-term patterns, such as an advanced persistent threat
Timeline (drill down)
Zoom out
- Expands the time focus &
Zoom to selection
- Narrows the time focus &
Deselect
- If in a drill down, returns to the
Select Real-time
Select a time window
Search actions
Every search is a job
Available actions are:
Send to background
Pause [toggles to resume]
Finalize
Cancel
Lab 1
Log into the Search app
Perform a search and remove unwanted events from results
Change the search time range
Use the flash timeline
Drill-down into results
Section 2: Saving Results and Searches
Section objectives
Export search results
Save and share search results
Save searches
Schedule searches
Saving results
1. From the Save menu, select Save results
2. From the jobs manager, manage the results
Sharing results
Can save and share your results with other Splunk users
Generates a link you can copy and paste anywhere
Accessible in the Jobs Manager
... appropriate sub-menu
- A green dot indicates a private search
Run a script
- Enter the name of the script file
- All scripts must be in Splunk's bin/scripts directory
- Administrators have access to this location, so only an administrator can place a script that a search will execute
Lab 2
Save and share search results
Create, edit, and run a saved search
Section 3: Using Fields
Section objectives
Understand fields
Use fields in searches
Use the fields sidebar
Fields
All fields have names and can be searched with those names
- Example: separating an HTTP status code of 404 from Atlanta's area code 404
Data-specific fields
sourcetype
host
- Sometimes not
- List of pretrained sourcetypes: http://docs.splunk.com/Documentation/Splunk/latest/Data/Listofpretrainedsourcetypes
Fields sidebar
- Selected fields
- Interesting fields
Field discovery
A field is a name/value pair extracted by Splunk.
At search time, Splunk automatically extracts
- Fields used in the search
- Default fields, such as _time, _raw, host, source, and sourcetype
Field discovery also extracts other fields in the event data not directly related to the search.
The fields that display in the fields sidebar depend on the search mode that you select.
Fast mode
Emphasizes performance, returning only essential and required data
Field discovery is OFF
- Returns data on default fields and fields required to fulfill your search
[Table: Reporting | Fields sidebar | Timeline | Chart/visualization]
Verbose mode
Emphasizes completeness, returning all field and event data it possibly can
Field discovery is ON
- Splunk returns all of the fields it can
[Table: Reporting | Fields sidebar | Timeline | Chart/visualization]
Smart mode
[Table: Reporting (Fast) | Fields sidebar | Timeline | Chart/visualization; Fast mode vs. Smart mode]
Using fields in searches
- Field names ARE case sensitive, field values are NOT
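Search-time field handling from the field discovery, Fast/Verbose mode and case-sensitivity slides, and the 404-versus-area-code example, as an added Python illustration (not Splunk code). Assumptions: events already carry the default fields from index time, field discovery is modelled as picking up key=value pairs in _raw, Smart mode is treated like Verbose for this plain search, and the field names (status, user, phone, clientip) and events are constructed.

```python
"""Default fields, field discovery per search mode, and field=value matching."""
import re

DEFAULT_FIELDS = ("_time", "_raw", "host", "source", "sourcetype")

# Constructed sample events (not real data), default fields already assigned.
EVENTS = [
    {"_time": "2013-03-03T10:02:00", "host": "web02",
     "source": "/var/log/httpd/access.log", "sourcetype": "access_combined",
     "_raw": "method=GET uri=/index.html status=404 clientip=10.0.0.9"},
    {"_time": "2013-03-03T10:02:05", "host": "crm01",
     "source": "/var/log/crm.log", "sourcetype": "crm",
     "_raw": "action=call phone=404-555-0100 status=200 user=Alice"},
    {"_time": "2013-03-03T10:02:09", "host": "web02",
     "source": "/var/log/httpd/access.log", "sourcetype": "access_combined",
     "_raw": "method=POST uri=/login status=200 user=alice"},
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def discover_fields(raw):
    """Field discovery: every key=value pair found in the raw event text."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def extract(event, mode, wanted):
    """Fields available to the search for one event.
    fast    : default fields plus only the fields the search itself names
    verbose : default fields plus everything discovery can find"""
    fields = {k: event[k] for k in DEFAULT_FIELDS}
    discovered = discover_fields(event["_raw"])
    if mode == "fast":
        fields.update({k: v for k, v in discovered.items() if k in wanted})
    else:
        fields.update(discovered)
    return fields


def field_terms_match(fields, terms):
    """field=value terms: the name must match exactly (case-sensitive);
    the value is compared case-insensitively."""
    return all(name in fields and fields[name].lower() == value.lower()
               for name, value in terms.items())


def search(terms, mode="verbose", events=EVENTS):
    """Run a search made only of field=value terms; returns each hit's field map."""
    hits = []
    for ev in events:
        fields = extract(ev, mode, set(terms))
        if field_terms_match(fields, terms):
            hits.append(fields)
    return hits


def raw_contains(keyword, events=EVENTS):
    """A bare keyword looks at raw text, so '404' also hits the phone number."""
    return [ev for ev in events if keyword.lower() in ev["_raw"].lower()]


def sidebar_fields(results):
    """The field names the fields sidebar would list for a result set."""
    names = set()
    for fields in results:
        names |= set(fields)
    return sorted(names)


if __name__ == "__main__":
    print("keyword 404 :", len(raw_contains("404")), "events")
    print("status=404  :", len(search({"status": "404"})), "event")
    print("Status=404  :", len(search({"Status": "404"})), "events (name is case-sensitive)")
    print("fast sidebar:", sidebar_fields(search({"status": "404"}, mode="fast")))
    print("verb sidebar:", sidebar_fields(search({"status": "404"}, mode="verbose")))
```

The contrast to take away: the keyword 404 returns both the web hit and the CRM call record, status=404 returns only the web hit, Status=404 returns nothing, and in Fast mode the sidebar shows only the default fields plus status.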
Lab 3
Use fields to refine your search
Use fields to examine search results
Section 4: Creating & Using Tags and Event Types
Section objectives
Describe tags
Create tags and use tags in a search
Describe event types and their uses
Create, tag, and use event types in a search
Describing tags
Tags allow you to search for events with related field values
- Can assign one or more tags to any field/value combination
- Example:
Using tags
Search with tags the same way you search with fields
- Tags are case sensitive: in this example, tag=dmz returns no events
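Tags and event types from this section as an added Python model, not Splunk code. A tag hangs off a field/value pair; an event type is a saved set of search terms that gives matching events an eventtype value, which can itself be tagged. Tag names are matched case-sensitively, field values are not. The hosts, users, event type names and tag names are constructed for the example.

```python
"""Tags on field/value pairs, event types, and tag= searches."""

# Constructed events carrying only the fields this example needs.
EVENTS = [
    {"host": "web01", "sourcetype": "sshd", "user": "root", "action": "failed"},
    {"host": "WEB02", "sourcetype": "sshd", "user": "alice", "action": "accepted"},
    {"host": "db01", "sourcetype": "sshd", "user": "root", "action": "accepted"},
    {"host": "web01", "sourcetype": "httpd", "user": "", "action": "get"},
]

# Event types (constructed): name -> field=value terms an event must satisfy.
EVENTTYPES = {
    "ssh_failed_login": {"sourcetype": "sshd", "action": "failed"},
    "ssh_login": {"sourcetype": "sshd", "action": "accepted"},
}

# Tag assignments (constructed): (field, value) -> tags, in the spirit of
# tags.conf stanzas. The event type ssh_failed_login is tagged like any value.
TAGS = {
    ("host", "web01"): {"DMZ", "web"},
    ("host", "web02"): {"DMZ", "web"},
    ("host", "db01"): {"database"},
    ("user", "root"): {"privileged"},
    ("eventtype", "ssh_failed_login"): {"authentication", "risky"},
}


def value_eq(a, b):
    """Field values compare case-insensitively."""
    return a.lower() == b.lower()


def with_eventtypes(event):
    """Copy of the event with an eventtype field listing every matching event type."""
    ev = dict(event)
    ev["eventtype"] = [name for name, terms in EVENTTYPES.items()
                       if all(value_eq(ev.get(f, ""), v) for f, v in terms.items())]
    return ev


def tags_for(event):
    """All tags that apply to an event through any of its field values."""
    ev = with_eventtypes(event)
    found = set()
    for (field, value), names in TAGS.items():
        values = ev.get(field, "")
        if isinstance(values, str):
            values = [values]
        if any(value_eq(v, value) for v in values):
            found |= names
    return found


def search_tag(tag, events=EVENTS):
    """tag=<name>: exact, case-sensitive tag name, so tag=dmz finds nothing."""
    return [ev for ev in events if tag in tags_for(ev)]


def search_eventtype(name, events=EVENTS):
    """eventtype=<name>: events matching the saved search behind the event type."""
    return [ev for ev in events if name in with_eventtypes(ev)["eventtype"]]


if __name__ == "__main__":
    for tag in ["DMZ", "dmz", "risky", "privileged"]:
        print("tag=%-10s -> %d event(s)" % (tag, len(search_tag(tag))))
```

tag=DMZ matches three events (the host value WEB02 still matches web02 because values are case-insensitive), while tag=dmz matches none because the tag name is not.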
Managing tags
Use Splunk Manager to enable/disable, copy, delete, and edit tags you've created
[Event type slides: password; risky - password]
Lab 4
Add tags to hosts
Use those tags in a search
Create and use event types
Section 5: Creating Alerts
Section objectives
Describe alerts
Create alerts
- Run the underlying search
- Set the schedule, conditions, and actions
Alerting overview
Splunk alerts are based on searches that can run either
- On a regular scheduled interval
- In real-time
Alerts are triggered when the results of the search meet a specific
condition that you define
Based on your needs, alerts can
- Send emails
- Trigger scripts
- Write to RSS feeds
Scheduled alerts
- Run a search on a regular interval that you define
- Trigger based on conditions that you define
Real-time alerts (monitor in real-time)
- Trigger if more than 5 results are returned within the selected schedule timeframe
Throttling
Suppresses actions for results that have the same field value, within a specified time range
- Example:
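A scheduled alert with the "more than 5 results" trigger condition and per-field-value throttling, as an added Python simulation; it is not Splunk's scheduler. The failed-login events, the 5-minute schedule, the src_ip throttle field and the 30-minute suppression window are all constructed for the example.

```python
"""Scheduled alert: trigger on result count, throttle repeats per field value."""
from datetime import datetime, timedelta


def at(hhmm, seconds=0):
    """Timestamp on one fixed, constructed day."""
    h, m = hhmm.split(":")
    return datetime(2013, 3, 3, int(h), int(m)) + timedelta(seconds=seconds)


# Constructed failed-login events: one burst that keeps going, a second source,
# and a trickle that stays under the threshold.
EVENTS = (
    [{"_time": at("10:00", 30 * i), "src_ip": "10.0.0.5"} for i in range(8)]
    + [{"_time": at("10:05", 40 * i), "src_ip": "10.0.0.5"} for i in range(7)]
    + [{"_time": at("10:10", 60 * i), "src_ip": "10.0.0.5"} for i in range(3)]
    + [{"_time": at("10:10", 45 * i), "src_ip": "10.0.0.6"} for i in range(6)]
    + [{"_time": at("10:15", 90 * i), "src_ip": "10.0.0.7"} for i in range(2)]
)


class ScheduledAlert:
    def __init__(self, interval, lookback, min_results, throttle_field, throttle_window):
        self.interval = interval              # how often the search runs
        self.lookback = lookback              # time range each run searches
        self.min_results = min_results        # trigger when results > this
        self.throttle_field = throttle_field  # suppress per value of this field
        self.throttle_window = throttle_window
        self.suppressed_until = {}            # field value -> when suppression ends
        self.triggered = []                   # run times at which the condition was met
        self.fired = []                       # (run time, field value) actions taken

    def run(self, now, events):
        """One scheduled run; returns the actions fired by this run."""
        start = now - self.lookback
        results = [e for e in events if start <= e["_time"] < now]
        if len(results) <= self.min_results:
            return []                         # condition not met: nothing happens
        self.triggered.append(now)
        actions = []
        for value in sorted({e[self.throttle_field] for e in results}):
            until = self.suppressed_until.get(value)
            if until is not None and now < until:
                continue                      # throttled: this value fired recently
            self.suppressed_until[value] = now + self.throttle_window
            actions.append((now, value))
        self.fired.extend(actions)
        return actions


def simulate(alert, events, first_run, runs):
    """Run the alert on its schedule and return every action it fired."""
    for i in range(runs):
        alert.run(first_run + i * alert.interval, events)
    return alert.fired


def make_alert():
    return ScheduledAlert(interval=timedelta(minutes=5), lookback=timedelta(minutes=5),
                          min_results=5, throttle_field="src_ip",
                          throttle_window=timedelta(minutes=30))


def example():
    """Four runs at 10:05, 10:10, 10:15 and 10:20 over the constructed events."""
    return simulate(make_alert(), EVENTS, at("10:05"), 4)


if __name__ == "__main__":
    for when, ip in example():
        print("%s action fired for %s" % (when.strftime("%H:%M"), ip))
```

The 10:10 run still triggers (7 results from 10.0.0.5) but fires nothing, because that address is throttled until 10:35; the 10:15 run fires only for the new address 10.0.0.6. Without throttling the same noisy source would page every five minutes.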
Setting permissions
As with any knowledge object you create, you can keep the alert private or share it read-only with other users
To save the alert, click Finish
Edit alerts
To display and edit the alert settings, click Edit search in the alert manager
Lab 5
Create an alert
Section 6: Creating Reports & Dashboards
Section objectives
Create reports and charts
Create dashboards
Edit dashboards to add panels
This course mainly focuses on creating reports from the Fields sidebar and Results Chart options
- The Searching and Reporting with Splunk course discusses how to create reports using commands
- Note: Report Builder is not discussed in the Searching and Reporting class
Fields sidebar report options
- | timechart
- Top values overall: | top
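What the two sidebar reports compute, top values overall (| top) and values over time (| timechart), as an added Python model; this is not Splunk's implementation of either command. The events, the status and host fields and the 5-minute span are constructed for the example.

```python
"""Models of '| top <field>' and '| timechart span=... count by <field>'."""
from collections import Counter, OrderedDict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def at(hhmm):
    """Timestamp on one fixed, constructed day."""
    h, m = hhmm.split(":")
    return datetime(2013, 3, 3, int(h), int(m))


# Constructed web access events (not real data).
EVENTS = [
    {"_time": at("10:00"), "host": "web01", "status": "200"},
    {"_time": at("10:01"), "host": "web01", "status": "404"},
    {"_time": at("10:02"), "host": "web02", "status": "200"},
    {"_time": at("10:06"), "host": "web02", "status": "500"},
    {"_time": at("10:07"), "host": "web01", "status": "200"},
    {"_time": at("10:12"), "host": "web02", "status": "404"},
]


def top(events, field, limit=10):
    """Most common values of a field with count and percent, like '| top field'."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [{field: v, "count": c, "percent": round(100.0 * c / total, 2)}
            for v, c in rows]


def bucket(t, span):
    """Start of the span-aligned bucket containing t."""
    return EPOCH + ((t - EPOCH) // span) * span


def timechart(events, span, by=None):
    """Event count per time bucket, optionally split by a field, like
    '| timechart span=5m count by host'. Missing series get 0, not a gap."""
    series = sorted({e[by] for e in events}) if by else ["count"]
    rows = OrderedDict()
    for e in sorted(events, key=lambda e: e["_time"]):
        row = rows.setdefault(bucket(e["_time"], span), {s: 0 for s in series})
        row[e[by] if by else "count"] += 1
    return [dict(_time=b, **r) for b, r in rows.items()]


if __name__ == "__main__":
    for row in top(EVENTS, "status"):
        print(row)
    for row in timechart(EVENTS, timedelta(minutes=5), by="host"):
        print(row["_time"].strftime("%H:%M"), {k: v for k, v in row.items() if k != "_time"})
```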
Formatting reports
Click the Formatting options link to display formatting tools. From the chart type menu, you can select from several types. You can also enter a title for the chart, adjust the legend placement, and more.
- The Searching and Reporting course
Splunk dashboards
Dashboards are collections of searches and reports: a great way to group together related reports and events, and easy to create and edit.
... items on a dashboard
Editing a panel
From the Edit menu, you can edit the search and/or the visualization
[Panel screenshot callout: saved search]
Lab 6
Create reports
Add reports to a dashboard
Edit dashboard panels
Wrap up
Search
- By keywords and booleans
- By time
- By fields
- All of the above
Refine searches
- Click to add/remove terms
Support programs
Community
- Splunkbase Answers: answers.splunk.com
  Post specific questions and get them answered by Splunk community experts.
- Splunk Docs: docs.splunk.com
  These are constantly updated. Be sure to select the version of Splunk you are using.
- Wiki: wiki.splunk.com
  A community space where you can share what you know with other Splunk users.
- IRC Channel: #splunk on the EFNet IRC server
  Many well-informed Splunk users hang out here.
Global Support
Support for critical issues, a dedicated resource to manage your account 24 x 7 x 365.
- Email: support@splunk.com
- Web: http://www.splunk.com/index.php/submit_issue
Enterprise Support
Access your customer support team by phone and manage your cases online 24 x 7 (depending on support contract).
Thank You
Appendix:
Using IFX
But don't go crazy: too many extractions will slow things down
3. Generate
Generating fields
Will tell you if the field is already extracted
To improve accuracy, edit sample extractions