Splunk Best Practices
Credits
About the Author
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
1. Application Logging
Loggers
Anatomy of a log
Log4*
Pantheios
Logging - logging facility for Python
Example of a structured log
Data types
Structured data - best practices
Log events
Common Log Format
Automatic Delimited Value Extraction (IIS/Apache) - best practice
Manual Delimited Value Extraction with REGEX
Step 1 - field mapping - best practice
Step 2 - adding the field map to structure the data (props/transforms)
Use correlation IDs - best practice
Correlation IDs and publication transactions - best practice
Correlation IDs and subscription transactions - best practices
Correlation IDs and database calls - best practices
Unstructured data
Event breaking - best practice
Best practices
Configuration transfer - best practice
Summary
2. Data Inputs
Agents
Splunk Universal Forwarder
Splunk Heavy Forwarder
Search Head Forwarder
Data inputs
API inputs
Database inputs
Monitoring inputs
Scripted inputs
Custom or not
Modular inputs
Windows inputs
Windows event logs / Perfmon
Deployment server
Know your data
Long delay intervals with lots of data
Summary
3. Data Scrubbing
Heavy Forwarder management
Managing your Heavy Forwarder
Manual administration
Deployment server
Important configuration files
Even data distribution
Common root cause
Knowledge management
Handling single- versus multi-line events
Manipulating raw data (pre-indexing)
Routing events to separate indexes
Black-holing unwanted events (filtering)
Masking sensitive data
Pre-index data masking
Post-index data masking
Setting a hostname per event
Summary
4. Knowledge Management
Anatomy of a Splunk search
Root search
Calculation/evaluation
Presentation/action
Best practices with search anatomy
The root search
Calculation/evaluation
Presentation/action
Knowledge objects
Eventtype Creation
Creation through the Splunk UI
Creation through the backend shell
Field extractions
Performing field extractions
Pre-indexing field extractions (index time)
Post-indexing field extractions (search time)
Creating index time field extractions
Creating search time field extractions
Creating field extractions using IFX
Creation through CLI
Summary
5. Alerting
Setting expectations
Time is literal, not relative
To quickly summarize
Be specific
To quickly summarize
Predictions
To quickly summarize
Anatomy of an alert
Search query results
Alert naming
The schedule
The trigger
The action
Throttling
Permissions
Location of action scripts
Example
Custom commands/automated self-healing
A word of warning
Summary
6. Searching and Reporting
General practices
Core fields (root search)
_time
Index
Sourcetype
Host
Source
Case sensitivity
Inclusive versus exclusive
Search modes
Fast Mode
Verbose Mode
Smart Mode (default)
Advanced charting
Overlay
Host CPU / MEM utilization
Xyseries
Appending results
timechart
stats
The Week-over-Week-overlay
Day-over-day overlay
SPL to overlay (the hard way)
Timewrap (the easy way)
Summary
7. Form-Based Dashboards
Dashboards versus reports
Reports
Dashboards
Form-based
Drilldown
Report/data model-based
Search-based
Modules
Data input
Chart
Table
Single value
Map module
Tokens
Building a form-based dashboard
Summary
8. Search Optimization
Types of dashboard search panel
Raw data search panel
Shared search panel (base search)
Report reference panel
Data model/pivot reference panels
Raw data search
Shared searching using a base search
Creating a base search
Referencing a base search
Report referenced panels
Data model/pivot referenced panels
Special notes
Summary
9. App Creation and Consolidation
Types of apps
Search apps
Deployment apps
Indexer/cluster apps
Technical add-ons
Supporting add-ons
Premium apps
Consolidating search apps
Creating a custom app
App migrations
Knowledge objects
Dashboard consolidation
Search app navigation
Consolidating indexing/forwarding apps
Forwarding apps
Indexer/cluster apps
Summary
10. Advanced Data Routing
Splunk architecture
Clustering
Search head clustering
Indexer cluster
Multi-site redundancy
Leveraging load balancers
Failover methods
Putting it all together
Network segments
Production
Standard Integration Testing (SIT)
Quality assurance
Development
The DMZ (App Tier)
The data router
Building roads and maps
Building the UF input/output paths
Building the HF input/output paths
If you build it, they will come
Summary