Advanced Splunk电子书

Advanced Splunk

Table of Contents

Advanced Splunk

Credits

About the Author

Acknowledgements

About the Reviewer

www.PacktPub.com

eBooks, discount offers, and more

Why subscribe?

Instant updates on new Packt books

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

1. What's New in Splunk 6.3?

Splunk's architecture

The need for parallelization

Index parallelization

Search parallelization

Pipeline parallelization

The search scheduler

Summary parallelization

Data integrity control

Intelligent job scheduling

The app key-value store

System requirements

Uses of the key-value store

Components of the key-value store

Managing key-value store collections via REST

Examples

Replication of the key-value store

Splunk Enterprise Security

Enabling HTTPS for Splunk Web

Enabling HTTPS for the Splunk forwarder

Securing a password with Splunk

The access control list

Authentication using SAML

Summary

2. Developing an Application on Splunk

Splunk apps and technology add-ons

What is a Splunk app?

What is a technology add-on?

Developing a Splunk app

Creating the Splunk application and technology add-on

Packaging the application

Installing a Splunk app via Splunk Web

Installing the Splunk app manually

Developing a Splunk add-on

Building an add-on

Installing a technology add-on

Managing Splunk apps and add-ons

Splunk apps from the app store

Summary

3. On-boarding Data in Splunk

Deep diving into various input methods and sources

Data sources

Structured data

Web and cloud services

IT operations and network security

Databases

Application and operating system data

Data input methods

Files and directories

Network sources

Windows data

Adding data to Splunk – new interfaces

HTTP Event Collector and configuration

HTTP Event Collector

Configuration via Splunk Web

Managing the Event Collector token

The JSON API format

Authentication

Metadata

Event data

Data processing

Event configuration

Character encoding

Event line breaking

Timestamp configuration

Host configuration

Configuring a static host value – files and directories

Configuring a dynamic host value – files and directories

Configuring a host value – events

Managing event segmentation

Improving the data input process

Summary

4. Data Analytics

Data and indexes

Accessing data

The index command

The eventcount command

The datamodel command

The dbinspect command

The crawl command

Managing data

The input command

The delete command

The clean command

Summary indexing

Search

The search command

The sendmail command

The localop command

Subsearch

The append command

The appendcols command

The appendpipe command

The join command

Time

The reltime command

The localize command

Fields

The eval command

The xmlkv command

The spath command

The makemv command

The fillnull command

The filldown command

The replace command

Results

The fields command

The searchtxn command

The head / tail command

The inputcsv command

The outputcsv command

Summary

5. Advanced Data Analytics

Reports

The makecontinuous command

The addtotals command

The xyseries command

Geography and location

The iplocation command

The geostats command

Anomalies

The anomalies command

The anomalousvalue command

The cluster command

The kmeans command

The outlier command

The rare command

Predicting and trending

The predict command

The trendline command

The x11 command

Correlation

The correlate command

The associate command

The diff command

The contingency command

Machine learning

Summary

6. Visualization

Prerequisites – configuration settings

Tables

Tables – Data overlay

Tables – Sparkline

Sparkline – Filling and changing color

Sparkline – The max value indicator

Sparkline – A bar style

Tables – An icon set

Single value

Charts

Charts – Coloring

Chart overlay

Bubble charts

Drilldown

Dynamic drilldown

The x-axis or y-axis value as a token to a form

Dynamic drilldown to pass a respective row's specific column value

Dynamic drilldown to pass a fieldname of a clicked value

Contextual drilldown

The URL field value drilldown

Single value drilldown

Summary

7. Advanced Visualization

Sunburst sequence

What is a sunburst sequence?

Example

Implementation

Geospatial visualization

Example

Syntax

Search query

Implementation

Punchcard visualization

Example

Search query

Implementation

Calendar heatmap visualization

Example

Search query

Implementation

The Sankey diagram

Example

Implementation

Parallel coordinates

Example

Search query

Implementation

The force directed graph

Example

Implementation

Custom chart overlay

Example

Implementation

Custom decorations

Example

What is the use of such custom decorations?

Implementation

Summary

8. Dashboard Customization

Dashboard controls

HTML dashboard

Display controls

Example and implementation

Syntax

Form input controls

Example and implementation

Panel controls

Example and implementation

Enabling/disabling refresh time

Disabling the manual refresh link

Enabling auto refresh

Multi-search management

Example

Implementation

Tokens

Eval tokens

Syntax of the eval token

Example

Implementation

Custom tokens

Example

Implementation

Null search swapper

Example

Implementation

Switcher

Link switcher

Example and implementation

Button switcher

Example and implementation

Summary

9. Advanced Dashboard Customization

Layout customization

Panel width

Example

Implementation

Grouping

Example

Single-value grouping

Visualization grouping

Implementation

Panel toggle

Example

Implementation

Image overlay

Example

What is the use of image overlay?

Where can image overlay be used?

Implementation

Custom look and feel

Example and implementation

The custom alert action

What is alerting?

Alerting

The features

Implementation

Example

Summary

10. Tweaking Splunk

Index replication

Standalone environment

Distributed environment

Replication

Searching

Failures

Indexer auto-discovery

Example

Implementation

Sourcetype manager

Field extractor

Accessing field extractor

Using field extractor

Example

Regular expression

Delimiter

Search history

Event pattern detection

Data acceleration

Need for data acceleration

Data model acceleration

Splunk buckets

Search optimizations

Time range

Search modes

Scope of searching

Search terms

Splunk health

splunkd log

Search log

Summary

11. Enterprise Integration with Splunk

The Splunk SDK

Installing the Splunk SDK

The Splunk SDK for Python

Importing the Splunk API in Python

Connecting and authenticating the Splunk server

Splunk APIs

Creating and deleting an index

Creating input

Uploading files

Saved searches

Splunk searches

Splunk with R for analytics

The setup

Using R with Splunk

Splunk with Tableau for visualization

The setup

Using Tableau with Splunk

Summary

12. What Next? Splunk 6.4

Storage optimization

Machine learning

Management and admin

Indexer and search head enhancement

Visualizations

Multi-search management

Enhanced alert actions

Summary

Index