book

Mastering Splunk

Name: Mastering Splunk
Author: James D. Miller
ISBN: 9781782173830

by James D. Miller

December 2014

Beginner to intermediate

344 pages

7h 34m

English

Packt Publishing

Read now

Unlock full access

Mastering Splunk
Table of Contents
Mastering Splunk
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holdersInstant updates on new Packt books
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the color images of this bookErrataPiracyQuestions
1. The Application of Splunk
The definition of SplunkKeeping it simple
Universal file handling
Confidentiality and security
The evolution of SplunkThe Splunk approachThe correlation of information
Conventional use cases
Investigational searchingSearching with pivotThe event timelineMonitoringAlertingReportingVisibility in the operational worldOperational intelligenceA technology-agnostic approachDecision support – analysis in real timeETL analytics and preconceptionsThe complements of SplunkODBC
Splunk – outside the box
Customer Relationship ManagementEmerging technologiesKnowledge discovery and data miningDisaster recoveryVirus protectionThe enhancement of structured dataProject managementFirewall applicationsEnterprise wireless solutionsHadoop technologiesMedia measurementSocial mediaGeographical Information SystemsMobile Device Management
Splunk in action
Summary
2. Advanced Searching
Searching in SplunkThe search dashboardThe new search dashboardThe Splunk search mechanismThe Splunk quick reference guidePlease assist me, let me goBasic optimizationFast, verbose, or smart?The breakdown of commandsUnderstanding the difference between sparse and denseSearching for operators, command formats, and tagsThe process flowBoolean expressionsYou can quote me, I'm escapingTag me Splunk!Assigning a search tagTagging field-value pairsWild tags!Wildcards – generally speakingDisabling and deleting tagsTransactional searching
Knowledge management
Some working examples
Subsearching
Output settings for subsearchesSearch Job Inspector
Searching with parameters
The eval statementA simple example
Splunk macros
Creating your own macroUsing your macrosThe limitations of Splunk
Search results
Some basic Splunk search examplesAdditional formatting
Summary
3. Mastering Tables, Charts, and Fields
Tables, charts, and fieldsSplunking into tablesThe table commandThe Splunk rename commandLimitsFieldsAn example of the fields commandReturning search results as chartsThe chart commandThe split-by fieldsThe where clauseMore visualization examplesSome additional functions
Splunk bucketing
Reporting using the timechart commandArguments required by the timechart commandBucket time spans versus per_* functions
Drilldowns
The drilldown optionsThe basic drilldown functionalityRow drilldownsCell drilldownsChart drilldownsLegends
Pivot
The pivot editorWorking with pivot elementsFiltering your pivots
Split
Column values
Pivot table formatting
A quick example
Sparklines
Summary
4. Lookups
Introduction
Configuring a simple field lookup
Defining lookups in Splunk WebAutomatic lookupsThe Add new pageConfiguration filesImplementing a lookup using configuration files – an examplePopulating lookup tablesHandling duplicates with dedupDynamic lookupsUsing Splunk WebUsing configuration files instead of Splunk WebExternal lookupsExplanationTime-based lookupsAn easier way to create a time-based lookupSeeing double?
Command roundup
The lookup commandThe inputlookup and outputlookup commandsThe inputcsv and outputcsv commands
Summary
5. Progressive Dashboards
Creating effective dashboardsViewsPanelsModules
Form searching
An example of a search formDashboards versus forms
Going back to dashboards
The Panel EditorThe Visualization EditorXMLLet's walk through the Dashboard EditorConstructing a dashboardConstructing the frameworkAdding panels and panel contentAdding a panelSpecifying visualizations for the dashboard panelThe time range pickerAdding panels to your dashboardControlling access to your dashboardCloning and deletingKeeping in contextSome further customizationUsing panelsAdding and editing dashboard panelsVisualize this!The visualization typeThe visualization formatDashboards and XMLEditing the dashboard XML codeDashboards and the navigation barColor my world
More on searching
Inline searchesA saved search reportThe inline pivotThe saved pivot report
Dynamic drilldowns
The essentialsExamplesNo drilldowns
Real-world, real-time solutions
Summary
6. Indexes and Indexing
The importance of indexing
What is a Splunk index?
Event processingParsingIndexingIndex compositionDefault indexes
Indexes, indexers, and clusters
Managing Splunk indexes
Getting started
Dealing with multiple indexes
Reasons for multiple indexesCreating and editing Splunk indexesImportant details about indexesOther indexing methodsEditing the indexes.conf fileUsing your new indexesSending all events to be indexedSending specific eventsA transformation exampleSearching for a specified index
Deleting your indexes and indexed data
Deleting Splunk eventsNot all events!Deleting dataAdministrative CLI commandsThe clean commandDeleting an indexDisabling an indexRetirements
Configuring indexes
Moving your index database
Spreading out your Splunk index
Size matters
Index-by-index attributesBucket typesVolumesCreating and using volumes
Hitting the limits
Setting your own minimum free disk space
Summary
7. Evolving your Apps
Basic applicationsThe app listMore about appsOut of the box appsAdd-onsSplunk WebInstalling an appDisabling and removing a Splunk app
BYO or build your own apps
App FAQs
The end-to-end customization of Splunk
Preparation for app development
Beginning Splunk app developmentCreating the app's workspaceAdding configurationsThe app.conf fileGiving your app an iconOther configurationsCreating the app objectsSetting the ownershipSetting the app's permissionsAnother approach to permissionsA default.meta exampleBuilding navigationsLet's adjust the navigationUsing the default.xml file rather than Splunk WebCreating an app setup and deploymentCreating a setup screenThe XML syntax usedPackaging apps for deployment
Summary
8. Monitoring and Alerting
What to monitorRecipesPointing Splunk to dataSplunk WebSplunk CLISplunk configuration filesAppsMonitoring categories
Advanced monitoring
Location, location, location
Leveraging your forwarders
Can I use apps?
Windows inputs in Splunk
Getting started with monitoring
Custom dataInput typing
What does Splunk do with the data it monitors?
The Splunk data pipeline
Splunk
Where is this app?Let's Install!
Viewing the Splunk Deployment Monitor app
All about alerts
Alerting a quick startupYou can't do thatSetting enabling actionsListing triggered alertsSending e-mailsRunning a scriptAction options – when triggered, execute actionsThrottling
Editing alerts
Editing the descriptionEditing permissionsEditing the alert type and triggerEditing actionsDisabling alertsCloning alertsDeleting alerts
Scheduled or real time
Extended functionalities
Splunk accelerationExpirationSummary indexing
Summary
9. Transactional Splunk
Transactions and transaction typesLet's get back to transactions
Transaction search
An example of a Splunk transactionThe Transaction commandTransactions and macro searchesA refresher on search macrosDefining your argumentsApplying a macro
Advanced use of transactions
Configuring transaction typesThe transactiontypes.conf fileAn example of transaction typesGrouping – event grouping and correlationConcurrent eventsExamples of concurrency command useWhat to avoid – stats instead of transaction
Summary
10. Splunk – Meet the Enterprise
General concepts
Best practices
Definition of Splunk knowledge
Data interpretationClassification of dataData enrichmentNormalizationModeling
Strategic knowledge management
Splunk object management with knowledge management
Naming conventions for documentation
Developing naming conventions for knowledge objectsOrganized naming conventionsObject naming conventionsHintsAn example of naming conventionsSplunk's Common Information Model
Testing
Testing before sharingLevels of testingUnit testingIntegration testingComponent interface testingSystem testingAcceptance testingPerformance testingSplunk's performance test kitRegression testing
Retrofitting
The enterprise vision
Evaluation and implementationBuild, use, and repeatManagement and optimizationMore on the visionA structured approachSplunk – all you need for a search engine
Summary
A. Quick Start
Topics
Where and how to learn Splunk
Certifications
Knowledge managerAdministratorArchitectSupplemental certificationsSplunk partnersProper training
The Splunk documentation
www.splunk.com
Splunk answers
Splunkbase
The support portal
The Splexicon
The "How-to" tutorials
User conferences, blogs, and news groups
Professional services
Obtaining the Splunk software
DisclaimerDisk space requirementsTo go physical or logical?The Splunk architectureCreating your Splunk accountInstallation and configurationInstallationSplunk home
An environment to learn in
Summary
Index

Content preview from Mastering Splunk

Size matters

When it comes to the sizing of indexes, it is important to allow appropriate extra or buffer space as Splunk, during normal processing, can sporadically exceed indexes' set maximum size. Again, configuring the sizes of indexes is done by editing the indexes.conf file.

Index-by-index attributes

You can set index sizes (using the maxTotalDataSizeMB attribute) in the indexes.conf file based on your knowledge of the data.

Bucket types

Index sizing can also be done using bucket types. A bucket is a location or folder on a disk that contains all or parts of a Splunk index. You can set a maximum size for all hot and warm buckets using the following syntax:

homePath.maxDataSizeMB = 10000

To set the maximum size for all cold bucket storage, you ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781782173830

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Splunk

by James D. Miller

Size matters