Title Page
Copyright and Credits
Implementing Splunk 7 Third Edition
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Reviews
The Splunk Interface
Logging in to Splunk
The home app
The top bar
The Search & Reporting app
Data generator
The Summary view
Search
Actions
Timeline
The field picker
Fields
Search results
Options
Events viewer
Using the time picker
Using the field picker
The settings section
Splunk Cloud
Try before you buy
A quick cloud tour
The top bar in Splunk Cloud
Splunk reference app – PAS
Universal forwarder
eventgen
Next steps
Summary
Understanding Search
Using search terms effectively
Boolean and grouping operators
Clicking to modify your search
Event segmentation
Field widgets
Time
Using fields to search
Using the field picker
Using wildcards efficiently
Supplementing wildcards in fields
All about time
How Splunk parses time
How Splunk stores time
How Splunk displays time
How time zones are determined and why it matters
Different ways to search against time
Presets
Relative
Real-time
Windowed real-time versus all-time real-time searches
Date range
Date and time range
Advanced
Specifying time in-line in your search
_indextime versus _time
Making searches faster
Sharing results with others
The URL
Save As Report
Save As Dashboard Panel
Save As Alert
Save As Event Type
Searching job settings
Saving searches for reuse
Creating alerts from searches
Enable Actions
Action Options
Sharing
Event annotations
An illustration
Summary
Tables, Charts, and Fields
About the pipe symbol
Using top to show common field values
Controlling the output of top
Using stats to aggregate values
Using chart to turn data
Using timechart to show values over time
The timechart options
Working with fields
A regular expression primer
Commands that create fields
eval
rex
Extracting loglevel
Using the extract fields interface
Using rex to prototype a field
Using the admin interface to build a field
Indexed fields versus extracted fields
Indexed field case 1 - rare instances of a common term
Indexed field case 2 - splitting words
Indexed field case 3 - application from source
Indexed field case 4 - slow requests
Indexed field case 5 - unneeded work
Chart enhancements in version 7.0
charting.lineWidth
charting.data.fieldHideList
charting.legend.mode
charting.fieldDashStyles
charting.axisY.abbreviation
Summary
Data Models and Pivots
What is a data model?
What does a data model search?
Data model objects
Object constraining
Attributes
Acceleration in version 7.0
Creating a data model
Filling in the new data model dialog
Editing fields (attributes)
Lookup attributes
Children
What is a pivot?
The Pivot Editor
Working with pivot elements
Filtering pivots
Split (row or column)
Column values
Pivot table formatting
A quick example
Sparklines
Summary
Simple XML Dashboards
The purpose of dashboards
Using wizards to build dashboards
Adding another panel
A cool trick
Converting the panel to a report
More options
Back to the dashboard
Add input
Editing source
Edit UI
Editing XML directly
UI examples app
Building forms
Creating a form from a dashboard
Driving multiple panels from one form
Post-processing search results
Post-processing limitations
Features replaced
Autorun dashboard
Scheduling the generation of dashboards
Summary
Advanced Search Examples
Using subsearches to find loosely related events
Subsearch
Subsearch caveats
Nested subsearches
Using transaction
Using transaction to determine session length
Calculating the aggregate of transaction statistics
Combining subsearches with transaction
Determining concurrency
Using transaction with concurrency
Using concurrency to estimate server load
Calculating concurrency with a by clause
Calculating events per slice of time
Using timechart
Calculating average requests per minute
Calculating average events per minute, per hour
Rebuilding top
Acceleration
Big data – summary strategy
Report acceleration
Report acceleration availability
Version 7.0 advancements in metrics
Definition of a Splunk metric
Using Splunk metrics
Creating a metrics index
Creating a UDP or TCP data input
Summary
Extending Search
Using tags to simplify search
Using event types to categorize results
Using lookups to enrich data
Defining a lookup table file
Defining a lookup definition
Defining an automatic lookup
Troubleshooting lookups
Using macros to reuse logic
Creating a simple macro
Creating a macro with arguments
Creating workflow actions
Running a new search using values from an event
Linking to an external site
Building a workflow action to show field context
Building the context workflow action
Building the context macro
Using external commands
Extracting values from XML
xmlkv
XPath
Using Google to generate results
Summary
Working with Apps
Defining an app
Included apps
Installing apps
Installing apps from Splunkbase
Using Geo Location Lookup Script
Using Google Maps
Installing apps from a file
Building your first app
Editing navigation
Customizing the appearance of your app
Customizing the launcher icon
Using custom CSS
Using custom HTML
Custom HTML in a simple dashboard
Using server-side include in a complex dashboard
Object permissions
How permissions affect navigation
How permissions affect other objects
Correcting permission problems
App directory structure
Adding your app to Splunkbase
Preparing your app
Confirming sharing settings
Cleaning up our directories
Packaging your app
Uploading your app
Self-service app management
Summary
Building Advanced Dashboards
Reasons for working with advanced XML
Reasons for not working with advanced XML
Development process
Advanced XML structure
Converting simple XML to advanced XML
Module logic flow
Understanding layoutPanel
Panel placement
Reusing a query
Using intentions
stringreplace
addterm
Creating a custom drilldown
Building a drilldown to a custom query
Building a drilldown to another panel
Building a drilldown to multiple panels using HiddenPostProcess
Third-party add-ons
Google Maps
Sideview Utils
The Sideview search module
Linking views with Sideview
Sideview URLLoader
Sideview forms
Summary
Summary Indexes and CSV Files
Understanding summary indexes
Creating a summary index
When to use a summary index
When to not use a summary index
Populating summary indexes with saved searches
Using summary index events in a query
Using sistats, sitop, and sitimechart
How latency affects summary queries
How and when to backfill summary data
Using fill_summary_index.py to backfill
Using collect to produce custom summary indexes
Reducing summary index size
Using eval and rex to define grouping fields
Using a lookup with wildcards
Using event types to group results
Calculating top for a large time frame
Summary index searches
Using CSV files to store transient data
Pre-populating a dropdown
Creating a running calculation for a day
Summary
Configuring Splunk
Locating Splunk configuration files
The structure of a Splunk configuration file
The configuration merging logic
The merging order
The merging order outside of search
The merging order when searching
The configuration merging logic
Configuration merging – example 1
Configuration merging – example 2
Configuration merging – example 3
Configuration merging – example 4, search
Using btool
An overview of Splunk.conf files
props.conf
Common attributes
Search-time attributes
Index-time attributes
Parse-time attributes
Input-time attributes
Stanza types
Priorities inside a type
Attributes with class
inputs.conf
Common input attributes
Files as inputs
Using patterns to select rolled logs
Using blacklist and whitelist
Selecting files recursively
Following symbolic links
Setting the value of the host from the source
Ignoring old data at installation
When to use crcSalt
Destructively indexing files
Network inputs
Native Windows inputs
Scripts as inputs
transforms.conf
Creating indexed fields
Creating a loglevel field
Creating a session field from the source
Creating a tag field
Creating host categorization fields
Modifying metadata fields
Overriding the host
Overriding the source
Overriding sourcetype
Routing events to a different index
Lookup definitions
Wildcard lookups
CIDR wildcard lookups
Using time in lookups
Using REPORT
Creating multivalue fields
Creating dynamic fields
Chaining transforms
Dropping events
fields.conf
outputs.conf
indexes.conf
authorize.conf
savedsearches.conf
times.conf
commands.conf
web.conf
User interface resources
Views and navigation
Appserver resources
Metadata
Summary
Advanced Deployments
Planning your installation
Splunk instance types
Splunk forwarders
Splunk indexer
Splunk search
Common data sources
Monitoring logs on servers
Monitoring logs on a shared drive
Consuming logs in batch
Receiving syslog events
Receiving events directly on the Splunk indexer
Using a native syslog receiver
Receiving syslog with a Splunk forwarder
Consuming logs from a database
Using scripts to gather data
Sizing indexers
Planning redundancy
The replication factor
Configuring your replication factors
Syntax
Indexer load balancing
Understanding typical outages
Working with multiple indexes
Directory structure of an index
When to create more indexes
Testing data
Differing longevity
Differing permissions
Using more indexes to increase performance
The life cycle of a bucket
Sizing an index
Using volumes to manage multiple indexes
Deploying the Splunk binary
Deploying from a tar file
Deploying using msiexec
Adding a base configuration
Configuring Splunk to launch at boot
Using apps to organize configuration
Separate configurations by purpose
Configuration distribution
Using your own deployment system
Using the Splunk deployment server
Step 1 – deciding where your deployment server will run
Step 2 – defining your deploymentclient.conf configuration
Step 3 – defining our machine types and locations
Step 4 – normalizing our configurations into apps appropriately
Step 5 – mapping these apps to deployment clients in serverclass.conf
Step 6 – restarting the deployment server
Step 7 – installing deploymentclient.conf
Using LDAP for authentication
Using single sign-on
Load balancers and Splunk
web
splunktcp
deployment server
Multiple search heads
Summary
Extending Splunk
Writing a scripted input to gather data
Capturing script output with no date
Capturing script output as a single event
Making a long-running scripted input
Using Splunk from the command line
Querying Splunk via REST
Writing commands
When not to write a command
When to write a command
Configuring commands
Adding fields
Manipulating data
Transforming data
Generating data
Writing a scripted lookup to enrich data
Writing an event renderer
Using specific fields
A table of fields based on field value
Pretty printing XML
Writing a scripted alert action to process results
Hunk
Summary
Machine Learning Toolkit
What is machine learning?
Content recommendation engines
Natural language processing
Operational intelligence
Defining the toolkit
Time well spent
Obtaining the Kit
Prerequisites and requirements
Installation
The toolkit workbench
Assistants
Extended SPL (search processing language)
ML-SPL performance app
Building a model
Time series forecasting
Using Splunk
Launching the toolkit
Validation
Deployment
Saving a report
Exporting data
Summary