Mastering Splunk (e-book)

Author: James Miller

Publisher: Packt Publishing

Publication date: 2014-12-17

Length (as listed by the store): 3,052,000 characters

Category: Imported books > Foreign-language originals > Computers/Networking

Description

This book is for Splunk developers who want to learn advanced strategies for dealing with big data from an enterprise architectural perspective. A good working knowledge of Splunk is required.
Mastering Splunk

Table of Contents

Mastering Splunk

Credits

About the Author

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers, and more

Why subscribe?

Free access for Packt account holders

Instant updates on new Packt books

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

1. The Application of Splunk

The definition of Splunk

Keeping it simple

Universal file handling

Confidentiality and security

The evolution of Splunk

The Splunk approach

The correlation of information

Conventional use cases

Investigational searching

Searching with pivot

The event timeline

Monitoring

Alerting

Reporting

Visibility in the operational world

Operational intelligence

A technology-agnostic approach

Decision support – analysis in real time

ETL analytics and preconceptions

The complements of Splunk

ODBC

Splunk – outside the box

Customer Relationship Management

Emerging technologies

Knowledge discovery and data mining

Disaster recovery

Virus protection

The enhancement of structured data

Project management

Firewall applications

Enterprise wireless solutions

Hadoop technologies

Media measurement

Social media

Geographical Information Systems

Mobile Device Management

Splunk in action

Summary

2. Advanced Searching

Searching in Splunk

The search dashboard

The new search dashboard

The Splunk search mechanism

The Splunk quick reference guide

Please assist me, let me go

Basic optimization

Fast, verbose, or smart?

The breakdown of commands

Understanding the difference between sparse and dense

Searching for operators, command formats, and tags

The process flow

Boolean expressions

You can quote me, I'm escaping

Tag me Splunk!

Assigning a search tag

Tagging field-value pairs

Wild tags!

Wildcards – generally speaking

Disabling and deleting tags

Transactional searching

Knowledge management

Some working examples

Subsearching

Output settings for subsearches

Search Job Inspector

Searching with parameters

The eval statement

A simple example

Splunk macros

Creating your own macro

Using your macros

The limitations of Splunk

Search results

Some basic Splunk search examples

Additional formatting

Summary

3. Mastering Tables, Charts, and Fields

Tables, charts, and fields

Splunking into tables

The table command

The Splunk rename command

Limits

Fields

An example of the fields command

Returning search results as charts

The chart command

The split-by fields

The where clause

More visualization examples

Some additional functions

Splunk bucketing

Reporting using the timechart command

Arguments required by the timechart command

Bucket time spans versus per_* functions

Drilldowns

The drilldown options

The basic drilldown functionality

Row drilldowns

Cell drilldowns

Chart drilldowns

Legends

Pivot

The pivot editor

Working with pivot elements

Filtering your pivots

Split

Column values

Pivot table formatting

A quick example

Sparklines

Summary

4. Lookups

Introduction

Configuring a simple field lookup

Defining lookups in Splunk Web

Automatic lookups

The Add new page

Configuration files

Implementing a lookup using configuration files – an example

Populating lookup tables

Handling duplicates with dedup

Dynamic lookups

Using Splunk Web

Using configuration files instead of Splunk Web

External lookups

Explanation

Time-based lookups

An easier way to create a time-based lookup

Seeing double?

Command roundup

The lookup command

The inputlookup and outputlookup commands

The inputcsv and outputcsv commands

Summary

5. Progressive Dashboards

Creating effective dashboards

Views

Panels

Modules

Form searching

An example of a search form

Dashboards versus forms

Going back to dashboards

The Panel Editor

The Visualization Editor

XML

Let's walk through the Dashboard Editor

Constructing a dashboard

Constructing the framework

Adding panels and panel content

Adding a panel

Specifying visualizations for the dashboard panel

The time range picker

Adding panels to your dashboard

Controlling access to your dashboard

Cloning and deleting

Keeping in context

Some further customization

Using panels

Adding and editing dashboard panels

Visualize this!

The visualization type

The visualization format

Dashboards and XML

Editing the dashboard XML code

Dashboards and the navigation bar

Color my world

More on searching

Inline searches

A saved search report

The inline pivot

The saved pivot report

Dynamic drilldowns

The essentials

Examples

No drilldowns

Real-world, real-time solutions

Summary

6. Indexes and Indexing

The importance of indexing

What is a Splunk index?

Event processing

Parsing

Indexing

Index composition

Default indexes

Indexes, indexers, and clusters

Managing Splunk indexes

Getting started

Dealing with multiple indexes

Reasons for multiple indexes

Creating and editing Splunk indexes

Important details about indexes

Other indexing methods

Editing the indexes.conf file

Using your new indexes

Sending all events to be indexed

Sending specific events

A transformation example

Searching for a specified index

Deleting your indexes and indexed data

Deleting Splunk events

Not all events!

Deleting data

Administrative CLI commands

The clean command

Deleting an index

Disabling an index

Retirements

Configuring indexes

Moving your index database

Spreading out your Splunk index

Size matters

Index-by-index attributes

Bucket types

Volumes

Creating and using volumes

Hitting the limits

Setting your own minimum free disk space

Summary

7. Evolving your Apps

Basic applications

The app list

More about apps

Out of the box apps

Add-ons

Splunk Web

Installing an app

Disabling and removing a Splunk app

BYO or build your own apps

App FAQs

The end-to-end customization of Splunk

Preparation for app development

Beginning Splunk app development

Creating the app's workspace

Adding configurations

The app.conf file

Giving your app an icon

Other configurations

Creating the app objects

Setting the ownership

Setting the app's permissions

Another approach to permissions

A default.meta example

Building navigations

Let's adjust the navigation

Using the default.xml file rather than Splunk Web

Creating an app setup and deployment

Creating a setup screen

The XML syntax used

Packaging apps for deployment

Summary

8. Monitoring and Alerting

What to monitor

Recipes

Pointing Splunk to data

Splunk Web

Splunk CLI

Splunk configuration files

Apps

Monitoring categories

Advanced monitoring

Location, location, location

Leveraging your forwarders

Can I use apps?

Windows inputs in Splunk

Getting started with monitoring

Custom data

Input typing

What does Splunk do with the data it monitors?

The Splunk data pipeline

Splunk

Where is this app?

Let's Install!

Viewing the Splunk Deployment Monitor app

All about alerts

Alerting a quick startup

You can't do that

Setting enabling actions

Listing triggered alerts

Sending e-mails

Running a script

Action options – when triggered, execute actions

Throttling

Editing alerts

Editing the description

Editing permissions

Editing the alert type and trigger

Editing actions

Disabling alerts

Cloning alerts

Deleting alerts

Scheduled or real time

Extended functionalities

Splunk acceleration

Expiration

Summary indexing

Summary

9. Transactional Splunk

Transactions and transaction types

Let's get back to transactions

Transaction search

An example of a Splunk transaction

The Transaction command

Transactions and macro searches

A refresher on search macros

Defining your arguments

Applying a macro

Advanced use of transactions

Configuring transaction types

The transactiontypes.conf file

An example of transaction types

Grouping – event grouping and correlation

Concurrent events

Examples of concurrency command use

What to avoid – stats instead of transaction

Summary

10. Splunk – Meet the Enterprise

General concepts

Best practices

Definition of Splunk knowledge

Data interpretation

Classification of data

Data enrichment

Normalization

Modeling

Strategic knowledge management

Splunk object management with knowledge management

Naming conventions for documentation

Developing naming conventions for knowledge objects

Organized naming conventions

Object naming conventions

Hints

An example of naming conventions

Splunk's Common Information Model

Testing

Testing before sharing

Levels of testing

Unit testing

Integration testing

Component interface testing

System testing

Acceptance testing

Performance testing

Splunk's performance test kit

Regression testing

Retrofitting

The enterprise vision

Evaluation and implementation

Build, use, and repeat

Management and optimization

More on the vision

A structured approach

Splunk – all you need for a search engine

Summary

A. Quick Start

Topics

Where and how to learn Splunk

Certifications

Knowledge manager

Administrator

Architect

Supplemental certifications

Splunk partners

Proper training

The Splunk documentation

www.splunk.com

Splunk answers

Splunkbase

The support portal

The Splexicon

The "How-to" tutorials

User conferences, blogs, and news groups

Professional services

Obtaining the Splunk software

Disclaimer

Disk space requirements

To go physical or logical?

The Splunk architecture

Creating your Splunk account

Installation and configuration

Installation

Splunk home

An environment to learn in

Summary

Index