2. Agenda
Getting Started
Basic Searching
Navigating through Results
Using Fields
Saving Searches
Next Steps
3. About Your Presenter
! Senior Instructor
! Splunker since November 2010
! Experience in database, security, web apps and compliance standards
! Constantly amazed by the cool stuff Splunk can do
8. Basic Search
Everything is searchable
! * wildcard supported
! Search terms are case insensitive
! Booleans AND, OR, NOT
  – Booleans must be uppercase
  – Implied AND between search terms
  – Use () for complex searches
! Quote phrases
Examples:
fail*
fail* nfs
error OR 404
error OR failed OR (sourcetype=access_* (500 OR 503))
"login failure"
9. Search Results
Screenshot callouts: timeline, field sidebar, timestamp, event data, highlighted search terms
10. Events
! Searches return events
! An event is a single piece of data in Splunk, like a record in a log file or other data input
! Splunk breaks up data into individual events and gives each a timestamp, host, source and source type
11. Selecting the Time Range
! By default, Splunk searches over all time
! Use the time range picker to narrow your search, or search in real time
12. Real-time Searching
! Real-time searching allows you to view events as they stream into Splunk
! Useful in troubleshooting an active issue or creating critical alerts
14. Navigating Search Results – Click
Click a term in the events to add it to the search
15. Navigating Results – Alt+Click
Alt+click a term in the events to remove events with that term from the results
16. Navigating Results – Timeline
Click a bar in the timeline to drill down to events that occurred in that time period
17. Navigating Results – Timeline (cont.)
The timeline controls shown in the screenshot are not functional unless part of the timeline is selected. You can also zoom out to broaden the time range.
18. Indicating a Custom Time Range
! Select custom time from the time range picker to indicate specific dates or relative time ranges
20. What are Fields?
! Fields give more focus to your searches
! There are 2 types of fields:
  – Default fields – host, source, sourcetype. These fields exist for every event in Splunk.
  – Data-defined fields – fields specific to a given type of data
21. Discovering Fields
! Splunk extracts fields from events, for example, the action field
! In this set of events, the action field has five values
22. Use the Field Sidebar
Screenshot callouts:
– remove events from results that don't have the field
– create reports
– click on a value to add it to the search
– Alt+click on a value to remove it from the search
23. Searching with Fields
! This search example returns events where:
  – The sourcetype – or type of data – is apache weblogs
  – The action field has a value of purchase
  – The HTTP status returned was NOT 200
sourcetype=access_* action=purchase status!=200
72 events where an e-commerce purchase failed because of an HTTP error!
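The slide 8 search rules and the slide 23 field search, exercised together by a small evaluator written for this page. This is an added example, not Splunk's code: the names search and _Parser, and the nine EVENTS (constructed Apache access and syslog lines with the fields sourcetype, host, action and status already extracted), are assumptions made here, and splitting the raw event on non-word characters is a simplification of Splunk's real tokenizer. It shows why "login or failure" and "login OR failure" return different events (a lowercase boolean is just another search term), why the quoted phrase "login failure" is narrower than the two bare terms, and a caveat behind status!=200 on slide 23: in Splunk, field!=value only returns events that have the field, while NOT field=value also returns events where the field is absent, so the two forms are not interchangeable when some events lack the field.

```python
"""Toy evaluator for the search rules on slides 8 and 23.  Added illustration,
not Splunk's code; EVENTS is constructed sample data.  Modelled rules: bare terms
match whole words of the raw event case-insensitively with '*' as wildcard;
adjacent terms are implicitly ANDed; AND/OR/NOT must be uppercase (lowercase 'or'
is just another term); () group; "quoted phrases" match literally; field=value
and field!=value test extracted fields.  Word splitting is simplified."""
import re

EVENTS = [  # constructed sample events, with fields already "extracted"
    {"id": 1, "sourcetype": "access_combined", "host": "web01", "action": "purchase", "status": "503",
     "_raw": '10.0.0.5 - - [10/Oct/2012:13:55:36] "POST /cart/checkout HTTP/1.1" 503 512'},
    {"id": 2, "sourcetype": "access_combined", "host": "web01", "action": "view", "status": "200",
     "_raw": '10.0.0.7 - - [10/Oct/2012:13:55:40] "GET /product/42 HTTP/1.1" 200 8831'},
    {"id": 3, "sourcetype": "access_combined", "host": "web01", "action": "purchase", "status": "200",
     "_raw": '10.0.0.7 - - [10/Oct/2012:13:55:52] "POST /cart/checkout HTTP/1.1" 200 1024'},
    {"id": 4, "sourcetype": "access_combined", "host": "web02", "status": "404",  # no action field
     "_raw": '10.0.0.9 - - [10/Oct/2012:13:55:58] "GET /missing.png HTTP/1.1" 404 209'},
    {"id": 5, "sourcetype": "syslog", "host": "web02",
     "_raw": "Oct 10 13:56:01 web02 sshd[2311]: Failed password for root from 10.0.0.9 port 51234"},
    {"id": 6, "sourcetype": "syslog", "host": "web02",
     "_raw": "Oct 10 13:56:05 web02 kernel: nfs: server nas01 not responding, mount failed, error 5"},
    {"id": 7, "sourcetype": "syslog", "host": "web01",
     "_raw": "Oct 10 13:57:00 web01 app[77]: login failure for user alice"},
    {"id": 8, "sourcetype": "syslog", "host": "web01",
     "_raw": "Oct 10 13:57:30 web01 app[77]: bob: login ok, failure to refresh token or cookie"},
    {"id": 9, "sourcetype": "access_combined", "host": "web02", "action": "purchase", "status": "500",
     "_raw": '10.0.0.5 - - [10/Oct/2012:13:58:10] "POST /cart/checkout HTTP/1.1" 500 0'},
]

_TOKEN_RE = re.compile(r'"[^"]*"|[()]|[^\s()]+')  # quoted phrases, parentheses, bare tokens


def _glob(pattern, text):
    """Case-insensitive whole-value match where '*' matches any run of characters."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, text, re.IGNORECASE) is not None


def _and(l, r): return lambda e: l(e) and r(e)
def _or(l, r): return lambda e: l(e) or r(e)


def _term(tok):
    """Predicate for one atom: quoted phrase, field test, or bare (wildcard) term."""
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        phrase = tok[1:-1].lower()
        return lambda e: phrase in e["_raw"].lower()
    if "!=" in tok:
        field, value = tok.split("!=", 1)
        # Splunk caveat: field!=value matches only events that HAVE the field.
        return lambda e: field in e and not _glob(value, str(e[field]))
    if "=" in tok:
        field, value = tok.split("=", 1)
        return lambda e: field in e and _glob(value, str(e[field]))
    # Bare term: any word of the raw event; a lowercase and/or/not lands here too.
    return lambda e: any(_glob(tok, w) for w in re.findall(r"\w+", e["_raw"]))


class _Parser:
    """Recursive descent: OR binds loosest, then (implied) AND, then NOT, then atoms."""
    def __init__(self, query):
        self.toks, self.i = _TOKEN_RE.findall(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("incomplete search")
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected %r" % self.peek())
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = _or(node, self.and_expr())
        return node
    def and_expr(self):
        node = self.not_expr()
        while self.peek() not in (None, "OR", ")"):
            if self.peek() == "AND":  # an explicit AND is optional between terms
                self.take()
            node = _and(node, self.not_expr())
        return node
    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            inner = self.not_expr()
            return lambda e: not inner(e)
        return self.atom()
    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == ")":
            raise ValueError("unexpected ')'")
        return _term(tok)


def search(query, events=EVENTS):
    """Return the events matching a search string, in index order."""
    pred = _Parser(query).parse()
    return [e for e in events if pred(e)]
```

Running the slide 23 search, search("sourcetype=access_* action=purchase status!=200"), returns events 1 and 9 (the 503 and 500 purchases) and drops event 3, the purchase that returned 200. The caveat shows up with the action field: search("sourcetype=access_* action!=purchase") returns only event 2, but search("sourcetype=access_* NOT action=purchase") also returns event 4, which has no action field at all. The slide 8 examples (fail*, fail* nfs, error OR 404, the parenthesised search and "login failure") run unchanged against the same events.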
26. Saving a Search
1. Click the Save menu
2. Select Save Search…
3. Name the search
  – You can also edit the search string and time
  – Optionally, share the search with other users
Search string in the screenshot: tag="webfarm"
27. Running a Saved Search
! Run saved searches from the Searches and Reports menu
! Lists all searches you have created or have permission to run
29. Beyond the Basics
! Splunk has many powerful features and search commands that allow you to
  – Create alerts
  – Capture and share knowledge
  – Calculate statistics
  – Format and organize values within search results
  – Create compelling data visualizations and reports
  – And more!
! Learn about these features in Splunk Educational offerings (shameless plug)