Getting Started with Splunk Enterprise
•
4 gefällt mir•1,439 views
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie Getting Started with Splunk Enterprise
Ähnlich wie Getting Started with Splunk Enterprise (20)
Mehr von Splunk
Mehr von Splunk (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Getting Started with Splunk Enterprise
- 1. Copyright © 2016 Splunk Inc. Getting Started with Splunk Enterprise
- 2. 2 Set up: Before We Can Play Please Download the Following Download Splunk Enterprise https://www.splunk.com/download Dowload the Tutorial Data http://splk.it/2ey34P8 Dowload the lookup file http://splk.it/2fCgpXw Download the Search Tutorial http://splk.it/2ePSYKB
- 3. 3 Disclaimer During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in the this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 5. Copyright © 2016 Splunk Inc. Splunk Overview
- 6. 6 Making machine data accessible, usable and valuable to everyone.
- 7. 7 Industry Leading Platform For Machine Data Machine Data: Any Location, Type, Volume Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom ApplicationsMessaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID On- Premises Private Cloud Public Cloud Platform Support (Apps / API / SDKs) Enterprise Scalability Universal Indexing Answer Any Question Developer Platform Report and analyze Custom dashboards Monitor and alert Ad hoc search
- 8. 8 Machine Data Contains Critical Insights Order ID Customer’s Tweet Time Waiting On Hold Product ID Company’s Twitter ID Order ID Customer ID Twitter ID Customer ID Customer ID Sources Order Processing Twitter Care IVR Middleware Error
- 9. 9 Turning Machine Data Into Business Value Index Untapped Data: Any Source, Type, Volume Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom ApplicationsMessaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID On- Premises Private Cloud Public Cloud Ask Any Question Application Delivery Security, Compliance and Fraud IT Operations Business Analytics Industrial Data and the Internet of Things
- 10. 10 Industry Leading Platform for Machine Data Index Untapped Data: Any Source, Type, Volume Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom ApplicationsMessaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID On- Premises Private Cloud Public Cloud Ask Any Question Application Delivery Security, Compliance and Fraud IT Operations Business Analytics Industrial Data and the Internet of Things Any amount, any location, any source Schema- on-the-fly Universal indexing No back-end RDBMS No need to filter data
- 11. Disruptive Approach to Unstructured Data Structured RDBMS SQL Search Schema at Write Schema at Read Traditional Splunk ETL Universal Indexing Volume Velocity Variety Unstructured
- 12. 12 Splunk & The Enterprise Data Fabric Forwarder Windows/*NIX HTTP/s 0101010 0010101 1010010 Wire DataSyslog TCP/UDP ……. ……. ……. Indexing Tier Search Head Cluster NoSQL RDBMS Splunk Archiving Modular
- 13. Copyright © 2016 Splunk Inc. Historical Data Real-time Data Statistical Models DB, Hadoop/S3/NoSQL, Splunk Machine Learning T – a few days T + a few days Why is this so challenging using traditional methods? • DATA IS STILL IN MOTION, still in a BUSINESS PROCESS. • Enrich real-time MACHINE DATA with structured HISTORICAL DATA • Make decisions IN REAL TIME using ALL THE DATA • Combine LEADING and LAGGING INDICATORS (KPIs) Splunk Security Operations Center Network Operations Center Business Operations Center
- 14. 15 Platform for Operational Intelligence Rich Ecosystem of Apps & Add-Ons Splunk Premium Solutions Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop The Splunk Portfolio
- 15. 16 Analysts Business Users Analytics Ecosystem IT Users ODBC SDK API DB Connect Look-Ups Ad Hoc Search Monitor and Alert Reports / Analyze Custom Dashboards GPS / Cellular Devices Networks Hadoop Servers Applications Online Shopping Carts Analysts Business Users Structured Data Sources CRM ERP HR Billing Product Finance Data Warehouse Clickstreams
- 16. 17 Splunk Value Proposition Developer Faster Development No Upfront ETL No schema required Automatic field extraction Extensible and open platform for integration FAST TIME TO VALUE SELF-SERVICE ANALYTICS Data Scientist Faster data preparation time Built-in Machine Learning End-User Self-service analytics No programming expertise required Built-in querying and visualization Fast Time to Value Business Lower TCO Any Data Source, Anywhere No data duplication
- 17. dev.splunk.com 40,000+ Q & A – answers.splunk.com 1,200+ apps www.splunkbase.com 18 Thriving Splunk Community usergroups.splunk.com
- 18. Copyright © 2016 Splunk Inc. Let’s Play!
- 19. 20 Set up: Before We Can Play Please Download the Following Download Splunk Enterprise https://www.splunk.com/download Dowload the Tutorial Data http://splk.it/2ey34P8 Dowload the lookup file http://splk.it/2fCgpXw Download the Search Tutorial http://splk.it/2ePSYKB
- 20. 21 Reference Splunk Education • http://www.splunk.com/education Books • Exploring Splunk • Splunk Operational Intelligence Cookbook • Implementing Splunk • Big Data Analytics Using Splunk
- 21. 22
- 22. Copyright © 2016 Splunk Inc. Power of Splunk Search Processing Language (SPL™) Brian Greppe Senior SE, Splunk
- 23. Copyright © 2016 Splunk Inc. Keep Calm and Splunk the World
Hinweis der Redaktion
- Set expectations: not a lecture We have slides, but they’re to help keep us on target, a general roadmap. Here for you, to hold a dialogue, not rote dictation. I will ask questions. I invite you to do the same. It’s a lot more fun and interesting if we are all active participants. I often find my customers have as many solutions as they have questions. I invite, encourage, and thrive on questions. I am going to ask you questions. you to stop me and ask questions. Chances are, you won’t be the only one with that question. Agreed? NEXT: DISCLAIMER
- NEXT: AGENDA
- Q: Prior experience with Splunk Q: What is Splunk? NEXT: SPLUNK CORE MESSAGE
- Splunk’s mission is to make YOUR machine data accessible, usable and valuable to everyone. It’s this overarching mission that drives our company and products that we deliver. Q What is Machine Data
- Machine data is generated from many places…. We may have questions we wish to ask of that data This is what Splunk enables and empowers NEXT: EXAMPLE
- The purpose of this slide: Teaching slide; teach or reinforce that there is value in machine data Open their eyes that it is more than just system logs Highlight the fact that this is a record of behavior; not just system behavior, but user behavior too EITHER, open the customer’s eyes to the value beyond logs OR reiterate what they told you they already know about the value in their data Introduce the value in correlating data across data sources Relate back to something they said about their business Possible lead-in: To frame our discussion, let’s use this example of purchasing a product from your tablet or smartphone: the purchase transaction fails, you call the call center and then tweet about your experience. All these events are captured - as they occur - in the machine data. Each of the underlying systems has the potential to generate millions of machine data events daily. Here we see small excerpts from just some of them. When we look more closely at the data we see that it contains valuable information – right down to what was tweeted. What’s important, is first of all, the ability to actually see across all these data sources, but then also to correlate related events and provide meaningful insight. If you can correlate and visualize the data, you can build a picture of activity, behavior and experience. And what if you can do all of this in real-time? You can respond more quickly to events that matter. This example ties into your scenario but you can also extrapolate this example to a wide range of use cases – security and fraud, transaction monitoring and analysis, web analytics, IT operations and so on. NEXT: How to use the Qs
- The purpose of this slide: Summary slide: Highlight Splunk as the platform for machine data; solving the problem of accessibility to data Highlight Splunk as multi-use case, enterprise solution; solving the problem of making data available to everyone Highlight the ability to customize the view of the data for the different users; one set of data, multiple lenses Highlight the volumes of data Splunk can load Discovery slide: (potential questions; don’t ask all, consider your discussion so far, where you want to go with the discussion and the time you have left) Ask if there are any types of data here that surprise them; look for additional use cases they may not realize Splunk can help with Ask if there are any types of data here that you are struggling with today? What are the challenges? Ask if there are any types of data here today that they are analyzing and gaining value from well? How are you doing that? What about it makes it work? Highlight differentiator: Universal machine data platform Highlight differentiator: Real-time architecture Possible lead-in: Here we see some of the kinds of data Splunk can load; Point to some they said they were looking at/having trouble looking at today; i.e create familiarity Ask if they see something here they wouldn’t expect to see as a data source for Splunk; looking to expand their thinking about Splunk Ask if they see something here they would like to have in Splunk now that they see it here Possible follow up script: Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. All in real-time. The Splunk platform is designed to make it easy to explore, analyze and visualize your data. This is described as Operational Intelligence. That is, once your data is loaded in Splunk, you can ask any question. The insights gained from machine data support a number of use cases and can drive value across your organization. NEXT: ANY ANY ANY
- The purpose of this slide: State value points of Splunk Highlight that Splunk can handle any amount of data, from any source and any location; enforcing the universal machine data platform Highlight that there is no need for a back-end RDBMS Introduce schema-on-the-fly as a comparison to rigid, fragile data models in RDBMSs or other existing systems Emphasize any of these points that you uncovered as challenges they experience today. Highlight differentiator: schema-on-the-fly. Be sure to describe what this means and why they care. Just stating that we have schema-on-the-fly is not meaningful. Pivot point: IF accessing data is not a challenge for them today, you should cover the Splunk highlights concisely and move on. IF they described getting access to machine data as one of their big challenges you might spend more time on this slide. Possible lead-in: You mentioned that getting access to the data is a challenge. Well, Splunk can solve this problem with these key features. Splunk has the ability to load any data, regardless of volume, type or location. Splunk is able to do this because there’s no requirement to “understand” the data upfront – this what we call “schema-on-the-fly”. What this means for you is you don’t need to know about your data, or what questions you want to ask of the data before you load. You simply point Splunk at the data or the data to Splunk. Splunk immediately starts collecting and indexing, so users can start searching and analyzing. No more armies of consultants, backend database or DBA to make it work. Once you’ve Splunked your data, it is time-stamped and easily searchable. Because we don’t have to do all the up front work to be able to look at the data we can load it all and make it all relevant. There’s no need to limit what you load and what you don’t. NEXT: Splunk vs RDBMS
- Traditionally, machine data was generated and part of the data would be stored in a specific, pre-defined way. This creates limits in the questions that can be asked of the data. Splunk takes a disruptive approach by storing the data in it’s raw, original format, and creates a schema at the last possible moment; when the question is asked. Because of this, there are no limits to the questions that can be asked of the data. Speaking of no limits… No limits on where you can collect it from No limits on the formats of data And no limits on scale customers are indexing 100’s of TB per day, searching across thousands of types of data all in different formats. NEXT: Flow
- Splunk Architecture 0 Getting data in Splunk 1 Indexer role 2 Search Head role 3 While our vision may be to house our data in a centralized location, the reality is that it continues to exist in multiple silos and need to be accessed and leveraged for immediate business decisions. Duplication and complication are almost always inevitable. 4 Users often need access to data from two or more silos. Splunk can provide a complete view into your data farm. So, what happens when Splunk needs to query one or more sources. 5 Users connect to the Search Head to query these sources 6 The Search Head manages the process and dispatches the job to the respective stores: 7 Splunk 8 NoSQL 9 Hadoop and its ecosystem components 10 Your existing RDBMS 11 In seconds, you can generate reports and dashboards, alert and take action. 12 (Optional: where DBConnect lives and its functions. 13 Splunk will also automatically move data over to your Enterprise Hadoop data Hub for long-term archiving. ??? GREAT! SO WHAT? What makes Splunk different? NEXT: Splunk as a time machine.
- Splunk is a time machine It empowers real-time analytics and proactive alerting to help keep you grounded in the now It handles historical data analysis – natively and/or in concert with 3rd party solutions to help you understand how you reached this point It helps predict the future, based on what it’s learned of the past and present. But it’s not in a vacuum. NEXT: ECOSYSTEM
- Purpose of this slide: Highlight the Splunk platform Opportunity to talk about forwarders if the topic of HOW to get data to Splunk has come up Opportunity to revisit data sources if that topic has come up again or if you’ve learned something new Highlight the deployment options of Splunk; Splunk Enterprise on premises, Splunk cloud, hybrid model, Splunk light if they are saying all they need is a log aggregator (otherwise don’t highlight) Opportunity to discover if Hunk might be useful for them; open their eyes to the possibilities Hunk offers. Highlight the community via apps and add-ons Highlight differentiator: passionate and vibrant community (re: apps and add-ons) Highlight developer opportunities if that has been a topic of discussion Highlight the Splunk Premium solutions Highlight that they are built on the platform They are pre-built solutions for common business problems amongst Splunk community Things you should know and be prepared to discuss: How the Splunk offerings are licensed (See Splunk Offerings module) Possible follow up script: The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premises deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Splunk Light – allows smaller IT organizations to get started with Splunk – on premise or in the cloud Hunk – for analytics on data in Hadoop Apps and add-ons from Splunk and our community extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types. And premium solutions from Splunk apply real-time intelligence and rich, domain-specific functions to manage your security posture, IT operations and more. NEXT: ANALYTICS ECOSYSTEM
- Maintaining good data citizenship Splunk augments existing solutions and fills existing gaps. Platform integration is a key ingredient of that vision. NEXT: WHAT DOES IT DO FOR YOU
- Where our customers see value
- Splunk has an active community: There is also an emerging ecosystem of new companies building apps on top of the Splunk Enterprise platform. These companies are taking advantage of open APIs and new platform capabilities to create an entirely new generation of applications. How many of you have used Splunk Answers? Our technical support is consistently rated as industry leading and Splunk Answers has answers to thousands of questions. It’s the go to place for your questions – and answers. You can participate in meet-ups and User Groups or you can contribute to our forums. You can also attend local SplunkLive events to hear how your peers are using machine data.
- .
- Up next….
- This presentation has some animations and content to help tell stories as you go. Feel free to change ANY of this to your own liking! I would definitely practice your flow once or twice before a presentation. There is A LOT of content to get through in 1 hour. The slides with search examples can be unhidden if needed. Here is what you need for this presentation: You should have the following installed: PowerOfSPL App - https://splunkbase.splunk.com/app/3353/ Custom Cluster Map Visualization - https://splunkbase.splunk.com/app/3122/ Clustered Single Value Map Visualization - https://splunkbase.splunk.com/app/3124/ Geo Heatmap Custom Visualization - https://splunkbase.splunk.com/app/3217/ Timewrap Custom Command (NOTE this command is now included in CORE) - https://splunkbase.splunk.com/app/1645/ Haversine Custom Command - https://splunkbase.splunk.com/app/936/ Levenshtein Custom Command - https://splunkbase.splunk.com/app/1898/ Optional: Splunk Search Reference Guide handouts Mini buttercups or other prizes to give out for answering questions during the presentation Shake! Demo can be used for interactivity on some of these search examples if you want… definitely adds some flare to the presentation