SlideShare ist ein Scribd-Unternehmen logo

Getting Started Handout Guide

Splunk
Splunk

Getting Started Handout Guide

Technologie
1 von 11
Downloaden Sie, um offline zu lesen
                                                                       Getting Started with Splunk   Page  1  of  11   What  you  need     1. Download  latest  version  of  Splunk  from  http://www.splunk.com/download     2. Download  http://docs.splunk.com/images/Tutorial/tutorialdata.zip     3. https://splunk.box.com/v/splunklivetoronto         Demo     1. Install  latest  version  of  Splunk.     2. Start  up  the  new  installed  instance  of  Splunk.       • If  not  installing  on  a  Windows  based  machine  please  mention  it’s  installed  as  a  Service.    Its  start   up  status  can  be  modified  there.   • On  *nix  platforms  the  following  command  can  be  run  to  ensure  Splunk  starts  at  boot  time:   • $SPLUNK_HOME/bin/splunk  enable  boot-­‐start     3. Ingest  Tutorial  Data     Click  Path  –  Screen  Action   Say  -­‐  Description   Display   Emulate  that  you  download   tutorialdata.zip  and  show  it’s   contents.         Tutorial  Data     Splunk  provides  an  online  tutorial  for   getting  data  into  Splunk.    It  includes  a   sample  data  file  that  comes  from  the   fictitious  “Butter  Cup  Games,  Inc.”:  A   worldwide  game  company  selling  it’s   products  through  it’s  online  store.         This  zip  file  is  collection  of  web  access   logs,  security  logs,  and  vendor  sales   generated  from  web  site   infrastructure.         Login  to  newly  installed  Splunk   instance  on  your  laptop.   There  are  two  ways  to  get  to  the   appropriate  menu.    After  you  login   you  see  the  option  “Add  Data”    
                                                                       Getting Started with Splunk   Page  2  of  11   -­‐>  Settings  -­‐>  Add  Data     OR     -­‐>  Settings  -­‐>  Data  Input   There  are  two  more  options  under  the   Settings  menu.    You  see  the  “Add   Data”  image  again,  but  under  Data   you  also  have  “Data  Inputs”.    I’m   going  to  click  on  “Add  Data”     Click  Upload  after  saying  the   following:   Besides  uploading  data  you  also  see   you  can  monitor  files,  use  Windows   Management  Instrumentation  (WMI),   TCP/UDP,  Scripts,  and  Modular  input   for  external  data  sources.    Splunk’s   Universal  Forwarder  allows  you  to   securely  and  efficiently  forward  data   from  remote  server.    We  are  going  to   choose  the  upload  option.     Select  File  -­‐>  browse  to   tutorialdata  -­‐>  www3  -­‐>   access.log         OR     Click  and  Drag   tutorialdata/www3/access.log   to  “Drop  your  data  file  here”     Click  green  Next  button  at  top   of  the  screen.   Once  selected,  Splunk  will  show  me  a   sample  of  my  events  and  make  a  best   guess  on  the  type  of  data,  the   timestamp,  and  determine  if  the  data   is  single  line  or  multi-­‐line.  I  can   override  Splunk’s  best  guess,  or  define   my  own  settings  for  how  I  want  the   data  to  be  treated  with  the  user   interface.    This  one  time  configuration   provides  support  for  a  variety  of  out-­‐ of-­‐box  source  types  while  giving  you   the  flexibility  to  define  a  new  source   type  based  on  any  custom  sources  you   may  have.         Click  Back  on  the  Web   Browser.    Click  and  drag   tutorialdata.zip  into  “Drop   your  data  file  here”.         Click  green  Next  button  at  top   of  the  screen   You  can  even  ingest  compressed  files.     So  I  lets  upload  the  tutorialdata.zip  file   to  “bulk”  upload  all  of  this  data.    
                                                                       Getting Started with Splunk   Page  3  of  11   Click  Review  top  of  the  screen   after  saying  -­‐>   Here  you  can  set  additional  input   parameters  for  this  data.         Sourcetype:  Tells  Splunk  what  kind  of   data  you  have,  allowing  Splunk   categorize  your  data  so  you  can   search  it  easily.     Host:  Name  of  machine  which  the   data  originated     Index:  A  logical  container  /  destination   for  your  data.     →  Apps→  Searching  &   Reporting   With  data  ingested  we  can   immediately  begin  to  Search  our  data   and  gain  meaningful  insight.       4. Search  Basics     Lets  say  you  are  a  Web  Site  Administrator.    You  recently  received  user  complaints  that  that  web  pages  are  failing  and  not   returning  content  when  it  should.    Let’s  use  Splunk  to  search  this  data,  to  not  only  determine  problems  that  happened   but  factors  associated  with  or  contributing  to  it.     Search  Bar  -­‐>  *      Do  this  before   you  say  -­‐>   At  top  of  the  screen  you  have  a  Search   Bar,  similar  to  what  you  would  use  if   searching  the  Internet.      I  can  simply   type  what  I’d  like  to  search  for.     Notice  that  when  you  do  search  it’s   across  all  your  data,  structured,   unstructured,  and  very  likely   heterogeneous.         Search  Bar  -­‐>  buttercupgames   (returns  36,819  events)   Similar  to  Google,  I  can  use  whole   words,  such  as  typing  in  the  word   “buttercupgames”.    Please  notice  that   as  you  type  Splunk  displays  “Matching   terms”  just  below  the  search  bar.     Splunk  also  displays  different  ways  to   use  search  to  return  events.  Splunk’s   goal  is  to  enable  our  customers  to  use   many  of  the  skills  they  already  have   when  searching,  making  it  easy  to  do   while  providing  quick  time  to  value.         Executing  the  search  for    
                                                                       Getting Started with Splunk   Page  4  of  11   “buttercupgames”  returns  events   containing  that  word.    Splunk  returns   events  containing  that  term,     highlighting  the  term  in  the  events   returned.   Search  Bar  -­‐>  buttercupgames   403   (returns  282  events)   Lets  say  a  customer  made  a  valid   request  but  buttercupgames  web   service  simply  failed  to  respond,  the   web  server  would  respond  with  a  403   code.    Expand  our  search  for  403.     When  searching  for  two  terms  the   AND  is  implied.           Search  Bar  -­‐>  buttercupgames   403  OR  404   (returns  1013  events)   Maybe  a  web  page  resource  was   missing,  that  would  be  encoded  as  a   404,  so  we  can  look  for  either  403  OR   404     Search  Bar  -­‐>  buttercupgames   40*   (returns  5268  events)   Instead  of  OR  maybe  we  use  a   wildcard,  search  for  40*.    Notice  that   returns  terms  starting  with  “40”,   dramatically  increasing  our  result  set.     You  can  see  terms  408,  404,  406,  etc.   highlighted.          
                                                                       Getting Started with Splunk   Page  5  of  11   5. Time  Picker     Search  Bar  -­‐>  buttercupgames   403     →  Time  Drop  Down     All  events  in  Splunk  are  time-­‐based.     Keying  off  time  is  another  way  to   enable  efficient  searching.    Splunk   provides  a  Time-­‐Picker,  giving  you   flexibility  to  search  real-­‐time  data,   relative  time  ranges,  such  as  previous   business  week,  last  30  minutes,  or  all   time.    You  can  also  define  specific   time  or  date  ranges.     Highlight  the  histogram   Below  the  search  bar  is  a  histogram   displaying  the  frequency  of  events.     This  can  be  very  helpful  if  I’m  looking   for  gaps  or  spikes  in  certain  types  of   events.    I  also  have  the  option  of   zooming  in  on  the  histogram  or   focusing  all  the  way  down  to   milliseconds.     6. Extracted  Fields     Expand  on  the  first  event.   The  real  secret  sauce  to  Splunk  is  it’s   ability  to  recognize  and  extract   information  contain  within  the  events.   Splunk  will  automatically  pull  out  any   key/value  pairs,  IP  addresses,  time   and  date  fields,  as  well  as  common   formats  such  as  comma,  tab  delimited   fields  in  a  csv  file.    Splunk  does  this   while  retaining  the  entire  raw  event.         Click  on  the  value  of  status  –   Add  to  search   By  clicking  on  any  given  value  you  can   Add  it  or  Exclude  it  from  a  search,  or   even  start  a  new  search  based  on  that   value.        Adding  it  to  our  existing   search  you’ll  notice  a  key-­‐value  pair   added  to  our  search.    Now,  instead  of   just  searching  for  a  given  term  in  any   event  you  can  further  refine  your   search  to  events  who’s  given   extracted  field  contains  a  specific   value.    
                                                                       Getting Started with Splunk   Page  6  of  11   Highlight  left  hand  pane   On  the  left,  I  can  see  ALL  the  fields   that  were  dynamically  extracted  and   are  available  to  me  for  searching  and   reporting  purposes.    Splunk  also   shows  the  number  of  unique  values  it   found  for  every  given  field  it  found.     -­‐>  Smart  Mode   You  can  also  adjust  Splunk’s   “discovery  mode”  for  field  data   extraction  during  searches.       7. Dynamic  Field  Extraction   a Expand  an  Event,  click  on  Event  Actions  -­‐>  Extract  Fields     b Extract  the  field  after  status  code,  should  be  the  response  size.       • It  will  miss  some,  no  worries,  just  highlight  the  values  missed  in  events  and  add  to  extraction.     8. Alerts     -­‐>  Save  As  -­‐>  Alert   Now,  if  a  server  refuses  to  responds  to   a  users  request,  status=403,  Splunk   can  detect  that  and  alert  us  to  it.       Click  Real  Time,  Provide  a   Title,  then  click  Next   I  can  choose  to  constantly  monitor  for   this  in  real-­‐time  or  to  schedule  this   alert  based  on  a  variety  of   frequencies.        
                                                                       Getting Started with Splunk   Page  7  of  11     Splunk  provides  flexible  notification   options,  allowing  you  to  assign   severity  to  the  Alert,  to  automatically   distribute  an  email  (or  SMS  text)  and   include  output  inline  or  as  an   attachment.    You  can  even  do  more   advanced  actions  like  run  a  script   native  to  the  OS  Splunk  runs  for  such   things  as  mitigation  or  remediation.        
                                                                       Getting Started with Splunk   Page  8  of  11   9. Statistics  and  Reporting     Search  Bar  -­‐>  buttercupgames   status=403     →  Statistics  tab     Splunk  makes  gathering  statistics  and   reporting  a  snap.    Let’s  click  on  the   “Statistics”  tab  underneath  the  search   bar.     -­‐>  Quick  Reports   You  are  presented  with  three  different   options.    Quick  Reports  lets  you  click   on  any  field  for  a  list  of  quick  reports.     -­‐>  uri_path   To  find  out  those  web  pages   associated  with  the  server  failing  to   respond  to  a  request,  click  on   uri_path.    Here  Splunk  provides  you   with  different  reporting  options:  Top   Values,  Top  Values  by  Time,  etc.     -­‐>  uri_path  -­‐>  Top  values   Clicking  on  Top  Values  I  get  a  break   down  of  the  total  number  of  events   associated  with  the  server  failing  to   respond,  broken  down  per  uri_path  or   web  page.           -­‐>Bar  -­‐>  Pie   Reporting  is  agile,  you  can  easily   modify  the  reporting  visualization.     Maybe  we  want  a  pie  chart  instead  of   a  bar  chart,  no  problem.     -­‐>  Save  As  -­‐>  Dashboard  Panel     • Fill  in  Dashboard  title   • Enable  “Shared  in  App”  for   Dashboard  Permissions   • Panel  Title  “Failures  by  Web   Page”   • Click  Save      
                                                                       Getting Started with Splunk   Page  9  of  11   • Click  View  Dashboard   Search  -­‐>  Search  Bar  -­‐>   buttercupgames       Click  on  Statistics  tab,  choose   Pivot.    Click  OK.     Splunk  also  allows  you  to  build  tables   and  visualizations  using  multiple  fields   and  metrics  without  writing  searches.     Pivot  automatically  generates  data   models  based  on  your  data,  allowing   you  to  pivot  around  your  data  to   extract  statistics  and  reports.     -­‐>  +  (Next  to  time  filter),   status,  then  match  =  403   We  can  select  the  status  attribute,   then  enter  in  a  value  of  403       Split  Rows  -­‐>  +  -­‐>  uri_path,   Add  to  Table   We  can  split  the  number  of  server   refused  responses  by  uri_path.     Click  on  Horizontal  Bar  Chart     on  reporting  panel.   We  can  leave  the  data  in  tabular  form   or  simply  choose  another   visualization.     -­‐>  Save  As  -­‐>  Dashboard  Panel   -­‐>  Existing.            
                                                                       Getting Started with Splunk   Page  10  of  11   Make  sure  the  previous   Dashboard  “Server  Failures”   appears.    Provide  a  Model  Title   and  ID.    Click  Save  -­‐>  View   Dashboard.           10. Command  Language     Search  -­‐>  Search  Bar  -­‐>   buttercupgames  |  stats  count   by  status     Save  As  -­‐>  Report   There  are  nearly  140  search   commands  that  can  be  applied  to   data.    When  searching  data  you   isolated  events  you  are  interested  in,   then  apply  Splunk’s  commands  to   transform  data,  further  reduce  data   sets,  generate  statistics  or  perform   analytics  on  the  data.    To  do  this  we   apply  a  pipe  character  (|)  then  issue   the  desired  command.         I.e.  If  we  wanted  to  get  a  count  of  all   status  codes  found  in  our  data,  we  can   use  the  stats  command,  count  all   events  with  status  values,  then  split   the  count  by  individual  status  values.     Lets  save  that  as  a  report:     Search  Bar  -­‐>   buttercupgames  |  stats   count  by  status  |  where   status=403  OR  status=404     Save  As  -­‐>  Dashboard   Maybe  we’re  only  interested  in  403’s   and  404’s?    No  problem  lets  just  use  a   WHERE  command  to  isolate  those.     Cool.    Let’s  make  this  part  of  a   dashboard.    
                                                                       Getting Started with Splunk   Page  11  of  11   Search  Bar  -­‐>   buttercupgames  |  stats   count,  sparkline  by  uri_path   |  where  status=403  OR   status=404   In  addition  to  counting  you  can  see   trending  information  by  adding  a   sparkline  command  to  stats.    Heck,   lets  even  break  it  down  by  web  page   too.    We’ll  add  that  our  dashboard.     Search  Bar  -­‐>   buttercupgames  NOT   status=200|  timechart   count  by  uri_path   What  if  we  want  to  see  any  response   that  wasn’t  OK,  basically  any  non  200   code,  and  we  like  to  see  an  actual   time  distribution  of  those.    The   timechart  function  handles  that  quite   nicely.    Because  Splunk’s  reporting  is   agile  you  can  easily  change  the   visualization  on  the  fly.    Maybe  want   stack  our  values  for  a  given  day.     Totally  cool!    Lets  save  that  to  our   dashboard.     Search  Bar  -­‐>   buttercupgames  NOT   status=200  |  iplocation   clientip  |  geostats  count   Want  to  see  where  your  clients  are   located  encountering  these  browser   requests  problems,  just  use  the   iplocation  and  geostats  commands.     Definitely  want  to  add  that  to  my   dashboard!       These  are  just  a  few  ways  to  apply  the   over  140  commands  available  in   Splunk.           11. Splunk  Applications     https://splunkbase.splunk.com   The  collections  of  these  saved  reports,   dashboards,  alerts,  input  settings,  etc.   is  what  Splunk  refers  to  as  an   Application.    There  are  over  1000   readily  available  applications  on  the   splunkbase  website  –  meant  to   provide  you  instant  value  by  providing   prebuild  dashboards,  alerts,  and   reports  for  your  datasources.            

Empfohlen

SplunkLive Melbourne Enterprise Security & User Behaviour Analytics
SplunkLive Melbourne Enterprise Security & User Behaviour Analytics SplunkLive Melbourne Enterprise Security & User Behaviour Analytics
SplunkLive Melbourne Enterprise Security & User Behaviour Analytics Splunk
 
SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...
SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...
SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...Splunk
 
Power of SPL
Power of SPLPower of SPL
Power of SPLSplunk
 
Power of SPL Workshop
Power of SPL WorkshopPower of SPL Workshop
Power of SPL WorkshopSplunk
 
Rage WITH the machine, not against it: Machine learning for Event Management
Rage WITH the machine, not against it: Machine learning for Event ManagementRage WITH the machine, not against it: Machine learning for Event Management
Rage WITH the machine, not against it: Machine learning for Event ManagementSplunk
 
.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routineSplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTVSplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)Splunk
 

Empfohlen

SplunkLive Melbourne Enterprise Security & User Behaviour Analytics
SplunkLive Melbourne Enterprise Security & User Behaviour Analytics SplunkLive Melbourne Enterprise Security & User Behaviour Analytics
SplunkLive Melbourne Enterprise Security & User Behaviour Analytics Splunk
 
SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...
SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...
SplunkLive Melbourne Scaling and best practice for Splunk on premise and in t...Splunk
 
Power of SPL
Power of SPLPower of SPL
Power of SPLSplunk
 
Power of SPL Workshop
Power of SPL WorkshopPower of SPL Workshop
Power of SPL WorkshopSplunk
 
Rage WITH the machine, not against it: Machine learning for Event Management
Rage WITH the machine, not against it: Machine learning for Event ManagementRage WITH the machine, not against it: Machine learning for Event Management
Rage WITH the machine, not against it: Machine learning for Event ManagementSplunk
 
.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routineSplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTVSplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank InternationalSplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 
Inside SecOps at bet365
Inside SecOps at bet365 Inside SecOps at bet365
Inside SecOps at bet365 Splunk
 
Best of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsBest of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsSplunk
 
IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0 IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0Splunk
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Weitere ähnliche Inhalte

Mehr von Splunk

.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank InternationalSplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 
Inside SecOps at bet365
Inside SecOps at bet365 Inside SecOps at bet365
Inside SecOps at bet365 Splunk
 
Best of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsBest of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsSplunk
 
IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0 IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0Splunk
 

Mehr von Splunk (20)

.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
Inside SecOps at bet365
Inside SecOps at bet365 Inside SecOps at bet365
Inside SecOps at bet365
 
Best of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsBest of .conf22 Session Recommendations
Best of .conf22 Session Recommendations
 
IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0 IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0
 

Kürzlich hochgeladen

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Kürzlich hochgeladen (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Getting Started Handout Guide

  • 1.                                                                        Getting Started with Splunk   Page  1  of  11   What  you  need     1. Download  latest  version  of  Splunk  from  http://www.splunk.com/download     2. Download  http://docs.splunk.com/images/Tutorial/tutorialdata.zip     3. https://splunk.box.com/v/splunklivetoronto         Demo     1. Install  latest  version  of  Splunk.     2. Start  up  the  new  installed  instance  of  Splunk.       • If  not  installing  on  a  Windows  based  machine  please  mention  it’s  installed  as  a  Service.    Its  start   up  status  can  be  modified  there.   • On  *nix  platforms  the  following  command  can  be  run  to  ensure  Splunk  starts  at  boot  time:   • $SPLUNK_HOME/bin/splunk  enable  boot-­‐start     3. Ingest  Tutorial  Data     Click  Path  –  Screen  Action   Say  -­‐  Description   Display   Emulate  that  you  download   tutorialdata.zip  and  show  it’s   contents.         Tutorial  Data     Splunk  provides  an  online  tutorial  for   getting  data  into  Splunk.    It  includes  a   sample  data  file  that  comes  from  the   fictitious  “Butter  Cup  Games,  Inc.”:  A   worldwide  game  company  selling  it’s   products  through  it’s  online  store.         This  zip  file  is  collection  of  web  access   logs,  security  logs,  and  vendor  sales   generated  from  web  site   infrastructure.         Login  to  newly  installed  Splunk   instance  on  your  laptop.   There  are  two  ways  to  get  to  the   appropriate  menu.    After  you  login   you  see  the  option  “Add  Data”    
  • 2.                                                                        Getting Started with Splunk   Page  2  of  11   -­‐>  Settings  -­‐>  Add  Data     OR     -­‐>  Settings  -­‐>  Data  Input   There  are  two  more  options  under  the   Settings  menu.    You  see  the  “Add   Data”  image  again,  but  under  Data   you  also  have  “Data  Inputs”.    I’m   going  to  click  on  “Add  Data”     Click  Upload  after  saying  the   following:   Besides  uploading  data  you  also  see   you  can  monitor  files,  use  Windows   Management  Instrumentation  (WMI),   TCP/UDP,  Scripts,  and  Modular  input   for  external  data  sources.    Splunk’s   Universal  Forwarder  allows  you  to   securely  and  efficiently  forward  data   from  remote  server.    We  are  going  to   choose  the  upload  option.     Select  File  -­‐>  browse  to   tutorialdata  -­‐>  www3  -­‐>   access.log         OR     Click  and  Drag   tutorialdata/www3/access.log   to  “Drop  your  data  file  here”     Click  green  Next  button  at  top   of  the  screen.   Once  selected,  Splunk  will  show  me  a   sample  of  my  events  and  make  a  best   guess  on  the  type  of  data,  the   timestamp,  and  determine  if  the  data   is  single  line  or  multi-­‐line.  I  can   override  Splunk’s  best  guess,  or  define   my  own  settings  for  how  I  want  the   data  to  be  treated  with  the  user   interface.    This  one  time  configuration   provides  support  for  a  variety  of  out-­‐ of-­‐box  source  types  while  giving  you   the  flexibility  to  define  a  new  source   type  based  on  any  custom  sources  you   may  have.         Click  Back  on  the  Web   Browser.    Click  and  drag   tutorialdata.zip  into  “Drop   your  data  file  here”.         Click  green  Next  button  at  top   of  the  screen   You  can  even  ingest  compressed  files.     So  I  lets  upload  the  tutorialdata.zip  file   to  “bulk”  upload  all  of  this  data.    
  • 3.                                                                        Getting Started with Splunk   Page  3  of  11   Click  Review  top  of  the  screen   after  saying  -­‐>   Here  you  can  set  additional  input   parameters  for  this  data.         Sourcetype:  Tells  Splunk  what  kind  of   data  you  have,  allowing  Splunk   categorize  your  data  so  you  can   search  it  easily.     Host:  Name  of  machine  which  the   data  originated     Index:  A  logical  container  /  destination   for  your  data.     →  Apps→  Searching  &   Reporting   With  data  ingested  we  can   immediately  begin  to  Search  our  data   and  gain  meaningful  insight.       4. Search  Basics     Lets  say  you  are  a  Web  Site  Administrator.    You  recently  received  user  complaints  that  that  web  pages  are  failing  and  not   returning  content  when  it  should.    Let’s  use  Splunk  to  search  this  data,  to  not  only  determine  problems  that  happened   but  factors  associated  with  or  contributing  to  it.     Search  Bar  -­‐>  *      Do  this  before   you  say  -­‐>   At  top  of  the  screen  you  have  a  Search   Bar,  similar  to  what  you  would  use  if   searching  the  Internet.      I  can  simply   type  what  I’d  like  to  search  for.     Notice  that  when  you  do  search  it’s   across  all  your  data,  structured,   unstructured,  and  very  likely   heterogeneous.         Search  Bar  -­‐>  buttercupgames   (returns  36,819  events)   Similar  to  Google,  I  can  use  whole   words,  such  as  typing  in  the  word   “buttercupgames”.    Please  notice  that   as  you  type  Splunk  displays  “Matching   terms”  just  below  the  search  bar.     Splunk  also  displays  different  ways  to   use  search  to  return  events.  Splunk’s   goal  is  to  enable  our  customers  to  use   many  of  the  skills  they  already  have   when  searching,  making  it  easy  to  do   while  providing  quick  time  to  value.         Executing  the  search  for    
  • 4.                                                                        Getting Started with Splunk   Page  4  of  11   “buttercupgames”  returns  events   containing  that  word.    Splunk  returns   events  containing  that  term,     highlighting  the  term  in  the  events   returned.   Search  Bar  -­‐>  buttercupgames   403   (returns  282  events)   Lets  say  a  customer  made  a  valid   request  but  buttercupgames  web   service  simply  failed  to  respond,  the   web  server  would  respond  with  a  403   code.    Expand  our  search  for  403.     When  searching  for  two  terms  the   AND  is  implied.           Search  Bar  -­‐>  buttercupgames   403  OR  404   (returns  1013  events)   Maybe  a  web  page  resource  was   missing,  that  would  be  encoded  as  a   404,  so  we  can  look  for  either  403  OR   404     Search  Bar  -­‐>  buttercupgames   40*   (returns  5268  events)   Instead  of  OR  maybe  we  use  a   wildcard,  search  for  40*.    Notice  that   returns  terms  starting  with  “40”,   dramatically  increasing  our  result  set.     You  can  see  terms  408,  404,  406,  etc.   highlighted.          
  • 5.                                                                        Getting Started with Splunk   Page  5  of  11   5. Time  Picker     Search  Bar  -­‐>  buttercupgames   403     →  Time  Drop  Down     All  events  in  Splunk  are  time-­‐based.     Keying  off  time  is  another  way  to   enable  efficient  searching.    Splunk   provides  a  Time-­‐Picker,  giving  you   flexibility  to  search  real-­‐time  data,   relative  time  ranges,  such  as  previous   business  week,  last  30  minutes,  or  all   time.    You  can  also  define  specific   time  or  date  ranges.     Highlight  the  histogram   Below  the  search  bar  is  a  histogram   displaying  the  frequency  of  events.     This  can  be  very  helpful  if  I’m  looking   for  gaps  or  spikes  in  certain  types  of   events.    I  also  have  the  option  of   zooming  in  on  the  histogram  or   focusing  all  the  way  down  to   milliseconds.     6. Extracted  Fields     Expand  on  the  first  event.   The  real  secret  sauce  to  Splunk  is  it’s   ability  to  recognize  and  extract   information  contain  within  the  events.   Splunk  will  automatically  pull  out  any   key/value  pairs,  IP  addresses,  time   and  date  fields,  as  well  as  common   formats  such  as  comma,  tab  delimited   fields  in  a  csv  file.    Splunk  does  this   while  retaining  the  entire  raw  event.         Click  on  the  value  of  status  –   Add  to  search   By  clicking  on  any  given  value  you  can   Add  it  or  Exclude  it  from  a  search,  or   even  start  a  new  search  based  on  that   value.        Adding  it  to  our  existing   search  you’ll  notice  a  key-­‐value  pair   added  to  our  search.    Now,  instead  of   just  searching  for  a  given  term  in  any   event  you  can  further  refine  your   search  to  events  who’s  given   extracted  field  contains  a  specific   value.    
  • 6.                                                                        Getting Started with Splunk   Page  6  of  11   Highlight  left  hand  pane   On  the  left,  I  can  see  ALL  the  fields   that  were  dynamically  extracted  and   are  available  to  me  for  searching  and   reporting  purposes.    Splunk  also   shows  the  number  of  unique  values  it   found  for  every  given  field  it  found.     -­‐>  Smart  Mode   You  can  also  adjust  Splunk’s   “discovery  mode”  for  field  data   extraction  during  searches.       7. Dynamic  Field  Extraction   a Expand  an  Event,  click  on  Event  Actions  -­‐>  Extract  Fields     b Extract  the  field  after  status  code,  should  be  the  response  size.       • It  will  miss  some,  no  worries,  just  highlight  the  values  missed  in  events  and  add  to  extraction.     8. Alerts     -­‐>  Save  As  -­‐>  Alert   Now,  if  a  server  refuses  to  responds  to   a  users  request,  status=403,  Splunk   can  detect  that  and  alert  us  to  it.       Click  Real  Time,  Provide  a   Title,  then  click  Next   I  can  choose  to  constantly  monitor  for   this  in  real-­‐time  or  to  schedule  this   alert  based  on  a  variety  of   frequencies.        
  • 7.                                                                        Getting Started with Splunk   Page  7  of  11     Splunk  provides  flexible  notification   options,  allowing  you  to  assign   severity  to  the  Alert,  to  automatically   distribute  an  email  (or  SMS  text)  and   include  output  inline  or  as  an   attachment.    You  can  even  do  more   advanced  actions  like  run  a  script   native  to  the  OS  Splunk  runs  for  such   things  as  mitigation  or  remediation.        
  • 8.                                                                        Getting Started with Splunk   Page  8  of  11   9. Statistics  and  Reporting     Search  Bar  -­‐>  buttercupgames   status=403     →  Statistics  tab     Splunk  makes  gathering  statistics  and   reporting  a  snap.    Let’s  click  on  the   “Statistics”  tab  underneath  the  search   bar.     -­‐>  Quick  Reports   You  are  presented  with  three  different   options.    Quick  Reports  lets  you  click   on  any  field  for  a  list  of  quick  reports.     -­‐>  uri_path   To  find  out  those  web  pages   associated  with  the  server  failing  to   respond  to  a  request,  click  on   uri_path.    Here  Splunk  provides  you   with  different  reporting  options:  Top   Values,  Top  Values  by  Time,  etc.     -­‐>  uri_path  -­‐>  Top  values   Clicking  on  Top  Values  I  get  a  break   down  of  the  total  number  of  events   associated  with  the  server  failing  to   respond,  broken  down  per  uri_path  or   web  page.           -­‐>Bar  -­‐>  Pie   Reporting  is  agile,  you  can  easily   modify  the  reporting  visualization.     Maybe  we  want  a  pie  chart  instead  of   a  bar  chart,  no  problem.     -­‐>  Save  As  -­‐>  Dashboard  Panel     • Fill  in  Dashboard  title   • Enable  “Shared  in  App”  for   Dashboard  Permissions   • Panel  Title  “Failures  by  Web   Page”   • Click  Save      
  • 9.                                                                        Getting Started with Splunk   Page  9  of  11   • Click  View  Dashboard   Search  -­‐>  Search  Bar  -­‐>   buttercupgames       Click  on  Statistics  tab,  choose   Pivot.    Click  OK.     Splunk  also  allows  you  to  build  tables   and  visualizations  using  multiple  fields   and  metrics  without  writing  searches.     Pivot  automatically  generates  data   models  based  on  your  data,  allowing   you  to  pivot  around  your  data  to   extract  statistics  and  reports.     -­‐>  +  (Next  to  time  filter),   status,  then  match  =  403   We  can  select  the  status  attribute,   then  enter  in  a  value  of  403       Split  Rows  -­‐>  +  -­‐>  uri_path,   Add  to  Table   We  can  split  the  number  of  server   refused  responses  by  uri_path.     Click  on  Horizontal  Bar  Chart     on  reporting  panel.   We  can  leave  the  data  in  tabular  form   or  simply  choose  another   visualization.     -­‐>  Save  As  -­‐>  Dashboard  Panel   -­‐>  Existing.            
  • 10.                                                                        Getting Started with Splunk   Page  10  of  11   Make  sure  the  previous   Dashboard  “Server  Failures”   appears.    Provide  a  Model  Title   and  ID.    Click  Save  -­‐>  View   Dashboard.           10. Command  Language     Search  -­‐>  Search  Bar  -­‐>   buttercupgames  |  stats  count   by  status     Save  As  -­‐>  Report   There  are  nearly  140  search   commands  that  can  be  applied  to   data.    When  searching  data  you   isolated  events  you  are  interested  in,   then  apply  Splunk’s  commands  to   transform  data,  further  reduce  data   sets,  generate  statistics  or  perform   analytics  on  the  data.    To  do  this  we   apply  a  pipe  character  (|)  then  issue   the  desired  command.         I.e.  If  we  wanted  to  get  a  count  of  all   status  codes  found  in  our  data,  we  can   use  the  stats  command,  count  all   events  with  status  values,  then  split   the  count  by  individual  status  values.     Lets  save  that  as  a  report:     Search  Bar  -­‐>   buttercupgames  |  stats   count  by  status  |  where   status=403  OR  status=404     Save  As  -­‐>  Dashboard   Maybe  we’re  only  interested  in  403’s   and  404’s?    No  problem  lets  just  use  a   WHERE  command  to  isolate  those.     Cool.    Let’s  make  this  part  of  a   dashboard.    
  • 11.                                                                        Getting Started with Splunk   Page  11  of  11   Search  Bar  -­‐>   buttercupgames  |  stats   count,  sparkline  by  uri_path   |  where  status=403  OR   status=404   In  addition  to  counting  you  can  see   trending  information  by  adding  a   sparkline  command  to  stats.    Heck,   lets  even  break  it  down  by  web  page   too.    We’ll  add  that  our  dashboard.     Search  Bar  -­‐>   buttercupgames  NOT   status=200|  timechart   count  by  uri_path   What  if  we  want  to  see  any  response   that  wasn’t  OK,  basically  any  non  200   code,  and  we  like  to  see  an  actual   time  distribution  of  those.    The   timechart  function  handles  that  quite   nicely.    Because  Splunk’s  reporting  is   agile  you  can  easily  change  the   visualization  on  the  fly.    Maybe  want   stack  our  values  for  a  given  day.     Totally  cool!    Lets  save  that  to  our   dashboard.     Search  Bar  -­‐>   buttercupgames  NOT   status=200  |  iplocation   clientip  |  geostats  count   Want  to  see  where  your  clients  are   located  encountering  these  browser   requests  problems,  just  use  the   iplocation  and  geostats  commands.     Definitely  want  to  add  that  to  my   dashboard!       These  are  just  a  few  ways  to  apply  the   over  140  commands  available  in   Splunk.           11. Splunk  Applications     https://splunkbase.splunk.com   The  collections  of  these  saved  reports,   dashboards,  alerts,  input  settings,  etc.   is  what  Splunk  refers  to  as  an   Application.    There  are  over  1000   readily  available  applications  on  the   splunkbase  website  –  meant  to   provide  you  instant  value  by  providing   prebuild  dashboards,  alerts,  and   reports  for  your  datasources.