SlideShare ist ein Scribd-Unternehmen logo

Getting Started User Training Workshop Agenda

Als PPTX, PDF herunterladen
Dimitri McKay - CISSP
Dimitri McKay - CISSP

This is the slide deck used in the beginner workshop at Splunk Live NYC on May 2nd, 2013.

Technologie
1 von 53
Copyright © 2013 Splunk Inc. May 2nd, 2013 Technical Workshops Getting Started User Training Getting Started User Training Workshop Dimitri McKay Jedi Master
Agenda • Getting Started with Splunk • Search • Alert • Dashboard • Deployment and Integration • Community • Help & Questions 2
Getting Started With Splunk
One Splunk. Many Uses.
Install Splunk Start Splunk WIN: Program FilesSplunkbinsplunk.exe start (services start) *NIX: /opt/splunk/bin/splunk start www.splunk.com/download • 32 or 64 bit? • Indexer or Universal Forwarder? Splunk Home WIN: Program FilesSplunk Other: /opt/splunk (Applications/splunk)
Splunk Licenses Free Download Limits Indexing to 500MB/day Enterprise Trial License expires after 60 days Reverts to Free License Features Disabled in Free License Multiple user accounts and role-based access controls Distributed search Forwarding to non-Splunk Instances Deployment management Scheduled saved searches and alerting Summary indexing Other License Types Enterprise, Forwarder, Trial
7 Splunk Web Basics Browser Support Firefox 3.6, 10.x and latest Internet Explorer 6, 7, 8 and 9 Safari (latest) Chrome (latest) Default on install is http://localhost:8000 Index some data Add data Getting Started App Install an App (Splunk for Windows, *NIX)
8 Splunk Web Basics cont. Splunk Apps Splunk Home -> Find more apps Apps create different contexts for your data out of sets of views, dashboards, and configurations You can create your own! Search is an App Summary will show everything you have indexed Updated in real-time Click on any source, sourcetype, or host to look at events
Optional: add some test data Download the sample file, follow this link and save the file to your desktop, then unzip: http://bit.ly/UBPFWP (Using Splunk Book) Or, to follow along locally, you can download the slides, lookups and data samples at: http://bit.ly/UjkNt6 (Dropbox) To add the file to Splunk: – From the Welcome screen, click Add Data. – Click From files and directories on the bottom half of the screen. – Select Skip preview. – Click the radio button next to Upload and index a file. – Click Save. Install *nix or Windows app to test drive your local OS data! 9
10 *nix app in action:
* best practice note: Create an individual index based on sourcetype. – Easier to re-index data if you make a mistake. – Easier to remove data. – Easier to define permissions and data retention. 11
Search Basics
Search app – Summary viewcurrent view global stats app navigation time range picker data sources start search search box
Searching 14 Search > * Select Time Range • Historical, custom, or real-time Using the timeline • Click events and zoom in and out • Click and drag over events for a specific range • New for 5.0: Search modes!
15 Everything is searchable Everything is searchable • * wildcard supported • Search terms are case insensitive • Booleans AND, OR, NOT – Booleans must be uppercase – Implied AND between terms – Use () for complex searches • Quote phrases fail* fail* nfs error OR 404 error OR failed OR (sourcetype=access_*(500 OR 503)) "login failure"
Example search: 16
Search Assistant 17 Contextual Help - advanced type-ahead History - search - commands Search Reference - short/long description - examples suggests search terms and displays count updates as you type shows examples and help toggle off / on
Searches can be managed as asynchronous processes Jobs can be • Scheduled • Moved to background tasks • Paused, stopped, resumed, finalized • Managed • Archived • Cancelled Job Management send to background pause finalize cancel 18
Search Commands 19 Search > error | head 1 Search results are “piped” to the command Commands for: • Manipulating fields • Formatting • Handling results • Reporting
Over 100 Commands! 20 http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet
Field Extraction Fun
Fields 22 Default fields • host, source, sourcetype, linecount, etc. • View on left panel in search results or all in field picker Where do fields come from? • Pre-defined by sourcetypes • Automatically extracted key-value pairs • User defined
Sources, sourcetypes, hosts • Source - the name of the file, stream, or other input • Sourcetype - a specific data type or data format • Host - hostname, IP address, or name of the network host from which the events originated 2 3
24 Tagging and Event Typing Eventtypes for more human-readable reports to categorize and make sense of mountains of data punctuation helps find events with similar patterns Search > eventtype=failed_login instead of Search > “failed login” OR “FAILED LOGIN” OR “Authentication failure” OR “Failed to authenticate user” Tags are labels apply adhoc knowledge create logical divisions or groups tag hosts, sources, fields, even eventtypes Search > tag=web_servers instead of Search > host=“apache1.splunk.com” OR host=“apache2.splunk.com” OR host=“apache3.splunk.com”
Extract Fields 25 Interactive Field Extractor generate PCRE editable regex preview/save props.conf [mysourcetype] REPORT-myclass = myFields transforms.conf [myFields] REGEX = ^(w+)s FORMAT = myFieldLabel::$1 Configuration File manual field extraction delim-based extractions Rex Search Command ... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
Saved Search & Alert Basics
Saved Searches and Alerting 27 Find Something Interesting? OR
Alerting Cont. 28 Searches run on a schedule and fire an alert • Example: Run a search for “Failed password” every 15 min over the last 15 min and alert if the number of events is greater than 10 Searches are running in real-time and fire an alert • Example: Run a search for “Failed password user=john.doe” in a 1 minute window and alert if an event is found
Alerting Actions 29 • Send email • RSS • Execute a script • Track in Alert Manager
Report & Dashboard Wackiness
Reporting 31 Build reports from the results of any search Select type of report (Values over time, Top Values, Rare Values) and on which fields to report or perform statistics Choose the type of chart (line, area, column, etc) and other formatting options
Reporting 32 Build reports from the results of any search Select type of report (Values over time, Top Values, Rare Values) and on which fields to report or perform statistics Choose the type of chart (line, area, column, etc) and other formatting options
Reporting Examples 33 • Use wizard or reporting commands (timechart, top, etc) • Build real-time reports with real-time searches • Save reports for use on dashboards
Dashboards 34 Create dashboards from search results
Dashboard Examples 35
Splunk Manager 36 Now Manage All of that Cool Stuff You Just Created (and more!) • Permissions • Saved Searches/Reports • Custom Views • Distributed Splunk • Deployment Server • License Usage….
Deployment and Integration
Splunk Has Four Primary Functions 38 • Searching and Reporting (Search Head) • Indexing and Search Services (Indexer) • Local and Distributed Management (Deployment Server) • Data Collection and Forwarding (Forwarder) A Splunk install can be one or all roles…
Getting Data Into Splunk 39 Agent and Agent-less Approach for Flexibility perf shell code Mounted File Systems hostnamemount syslog TCP/UDP WMI Event Logs Performance Active Directory syslog compatible hosts and network devices Unix, Linux and Windows hosts Windows hosts Custom apps and scripted API connections Local File Monitoring log files, config files dumps and trace files Windows Inputs Event Logs performance counters registry monitoring Active Directory monitoring virtual host Windows hosts Scripted Inputs shell scripts custom parsers batch loading Agent-less Data Input Splunk Forwarder
Understanding the Universal Forwarder 40 Forward data without negatively impacting production performance. Scripts Universal Forwarder Deployment Logs ConfigurationsMessages Metrics Central Deployment Management Monitor files, changes and the system registry; capture metrics and status. Universal Forwarder Regular (Heavy) Forwarder Monitor All Supported Inputs ✔ ✔ Routing, Filtering, Cloning ✔ ✔ Splunk Web ✔ Python Libraries ✔ Event Based Routing ✔ Scripted Inputs ✔
Horizontal Scaling 41 Load balanced search and indexing for massive, linear scale out. Forwarder Auto Load Balancing Distributed Search
Multiple Datacenters 42 Headquarters London Hong Kong Tokyo New York Distributed Search Index and store locally. Distribute searches to datacenters, networks & geographies.
High Availability, On Commodity Servers and Storage 43 As Splunk collects data, it keeps multiple identical copies If indexer fails, incoming data continues to get indexed Indexed data continues to be searchable Easy setup and administration Data integrity and resilience without a SAN Index Replication Splunk Universal Forwarder Pool Constant Uptime
High Availability 44 Combine auto load balancing and cloning for HA at every Splunk tier. Clone Group 1 : Complete Dataset Data Cloning & Auto Load Balancing Distributed Search Distributed Search Clone Group 2 : Complete Dataset Shared Storage
Service Desk Event Console SIEM Send Data to Other Systems 45 Route raw data in real time or send alerts based on searches.
Integrate External Data 46 LDAP, AD Watch Lists CRM/ER P CMDB Correlate IP addresses with locations, accounts with regions Extend search with lookups to external data sources.
Integrate Users and Roles 47 Problem Investigation Problem Investigation Problem Investigation Save Searches Share Searches LDAP, AD Users and Groups Splunk Flexible Roles Manage Users Manage Indexes Capabilities& Filters NOT tag=PCI App=ERP … Map LDAP & AD groups to flexible Splunk roles. Define any search as a filter. Integrate authentication with LDAP and Active Directory.
Centralized Licensing Management 48 Problem Investigation Groups, Stacks, and Pools for Enterprise Deployments
Deployment Monitoring 49 Keep Tabs On Your Splunk Enterprise Deployment ForwardersIndexersSourcetypesLicenses
Support and Community
Support Through the Splunk Community 51 Splunkbase
Where to Go for Help 52 • Documentation – http://www.splunk.com/base/Documentation • Technical Support – http://www.splunk.com/support • Videos – http://www.splunk.com/videos • Education – http://www.splunk.com/goto/education • Community – http://answers.splunk.com • Splunk Book – http://splunkbook.com
Thank you November 12st, 2012 Technical Workshops Getting Started User Training

Empfohlen

Splunk overview
Splunk overviewSplunk overview
Splunk overviewDaniel Hernandez
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunk
 
SplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunk
 
Splunk
SplunkSplunk
SplunkIntellipaat
 
SplunkLive! London 2016 Splunk Overview
SplunkLive! London 2016 Splunk OverviewSplunkLive! London 2016 Splunk Overview
SplunkLive! London 2016 Splunk OverviewSplunk
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
SplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with SplunkSplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with SplunkSplunk
 

Empfohlen

Splunk overview
Splunk overviewSplunk overview
Splunk overviewDaniel Hernandez
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunk
 
SplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunk
 
Splunk
SplunkSplunk
SplunkIntellipaat
 
SplunkLive! London 2016 Splunk Overview
SplunkLive! London 2016 Splunk OverviewSplunkLive! London 2016 Splunk Overview
SplunkLive! London 2016 Splunk OverviewSplunk
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
SplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with SplunkSplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with SplunkSplunk
 
What's New in 6.3 + Data On-Boarding
What's New in 6.3 + Data On-BoardingWhat's New in 6.3 + Data On-Boarding
What's New in 6.3 + Data On-BoardingSplunk
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Splunk as a_big_data_platform_for_developers_spring_one2gx
Splunk as a_big_data_platform_for_developers_spring_one2gxSplunk as a_big_data_platform_for_developers_spring_one2gx
Splunk as a_big_data_platform_for_developers_spring_one2gxDamien Dallimore
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaSplunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaEdureka!
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunk
 
SplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunk
 
Getting started with Splunk - Break out Session
Getting started with Splunk - Break out SessionGetting started with Splunk - Break out Session
Getting started with Splunk - Break out SessionGeorg Knon
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
Splunk for Developers
Splunk for DevelopersSplunk for Developers
Splunk for DevelopersSplunk
 
SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101Splunk
 
Workshop splunk 6.5-saint-louis-mo
Workshop splunk 6.5-saint-louis-moWorkshop splunk 6.5-saint-louis-mo
Workshop splunk 6.5-saint-louis-moMohamad Hassan
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
SplunkLive! Hamburg / München Advanced Session
SplunkLive! Hamburg / München Advanced SessionSplunkLive! Hamburg / München Advanced Session
SplunkLive! Hamburg / München Advanced SessionGeorg Knon
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout SessionSplunk
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101Splunk
 
SplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunk
 
Splunk for ITOps
Splunk for ITOpsSplunk for ITOps
Splunk for ITOpsSplunk
 
Scale Splunk
Scale SplunkScale Splunk
Scale SplunkSplunk
 
Machine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkMachine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkSplunk
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 

Weitere ähnliche Inhalte

Was ist angesagt?

What's New in 6.3 + Data On-Boarding
What's New in 6.3 + Data On-BoardingWhat's New in 6.3 + Data On-Boarding
What's New in 6.3 + Data On-BoardingSplunk
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Splunk as a_big_data_platform_for_developers_spring_one2gx
Splunk as a_big_data_platform_for_developers_spring_one2gxSplunk as a_big_data_platform_for_developers_spring_one2gx
Splunk as a_big_data_platform_for_developers_spring_one2gxDamien Dallimore
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaSplunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaEdureka!
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunk
 
SplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunk
 
Getting started with Splunk - Break out Session
Getting started with Splunk - Break out SessionGetting started with Splunk - Break out Session
Getting started with Splunk - Break out SessionGeorg Knon
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
Splunk for Developers
Splunk for DevelopersSplunk for Developers
Splunk for DevelopersSplunk
 
SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101Splunk
 
Workshop splunk 6.5-saint-louis-mo
Workshop splunk 6.5-saint-louis-moWorkshop splunk 6.5-saint-louis-mo
Workshop splunk 6.5-saint-louis-moMohamad Hassan
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
SplunkLive! Hamburg / München Advanced Session
SplunkLive! Hamburg / München Advanced SessionSplunkLive! Hamburg / München Advanced Session
SplunkLive! Hamburg / München Advanced SessionGeorg Knon
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout SessionSplunk
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101Splunk
 
SplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunk
 

Was ist angesagt? (18)

What's New in 6.3 + Data On-Boarding
What's New in 6.3 + Data On-BoardingWhat's New in 6.3 + Data On-Boarding
What's New in 6.3 + Data On-Boarding
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - Architecture
 
Splunk as a_big_data_platform_for_developers_spring_one2gx
Splunk as a_big_data_platform_for_developers_spring_one2gxSplunk as a_big_data_platform_for_developers_spring_one2gx
Splunk as a_big_data_platform_for_developers_spring_one2gx
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | EdurekaSplunk Tutorial for Beginners - What is Splunk | Edureka
Splunk Tutorial for Beginners - What is Splunk | Edureka
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk Enterprise
 
SplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search OptimizationSplunkSummit 2015 - A Quick Guide to Search Optimization
SplunkSummit 2015 - A Quick Guide to Search Optimization
 
Getting started with Splunk - Break out Session
Getting started with Splunk - Break out SessionGetting started with Splunk - Break out Session
Getting started with Splunk - Break out Session
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout Session
 
Splunk for Developers
Splunk for DevelopersSplunk for Developers
Splunk for Developers
 
SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101
 
Workshop splunk 6.5-saint-louis-mo
Workshop splunk 6.5-saint-louis-moWorkshop splunk 6.5-saint-louis-mo
Workshop splunk 6.5-saint-louis-mo
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout Session
 
SplunkLive! Hamburg / München Advanced Session
SplunkLive! Hamburg / München Advanced SessionSplunkLive! Hamburg / München Advanced Session
SplunkLive! Hamburg / München Advanced Session
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout Session
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - Architecture
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101
 
SplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojo
 

Andere mochten auch

Splunk for ITOps
Splunk for ITOpsSplunk for ITOps
Splunk for ITOpsSplunk
 
Scale Splunk
Scale SplunkScale Splunk
Scale SplunkSplunk
 
Machine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkMachine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkSplunk
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Splunk Power User Certification
Splunk Power User CertificationSplunk Power User Certification
Splunk Power User CertificationBela Widi
 
Splunk 6.5.0-pivot tutorial (7)
Splunk 6.5.0-pivot tutorial (7)Splunk 6.5.0-pivot tutorial (7)
Splunk 6.5.0-pivot tutorial (7)Zoumana Diomande
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessPrecisely
 
Mainframe Customer Education Webcast: Syncsort Gets Zen
Mainframe Customer Education Webcast: Syncsort Gets ZenMainframe Customer Education Webcast: Syncsort Gets Zen
Mainframe Customer Education Webcast: Syncsort Gets ZenPrecisely
 
SplunkLive! Hamburg / München Beginner Session
SplunkLive! Hamburg / München Beginner SessionSplunkLive! Hamburg / München Beginner Session
SplunkLive! Hamburg / München Beginner SessionGeorg Knon
 
Instrumentation with Splunk
Instrumentation with SplunkInstrumentation with Splunk
Instrumentation with SplunkDatavail
 
Supporting Enterprise System Rollouts with Splunk
Supporting Enterprise System Rollouts with SplunkSupporting Enterprise System Rollouts with Splunk
Supporting Enterprise System Rollouts with SplunkErin Sweeney
 
Advanced Use Cases for Analytics Breakout Session
Advanced Use Cases for Analytics Breakout SessionAdvanced Use Cases for Analytics Breakout Session
Advanced Use Cases for Analytics Breakout SessionSplunk
 
SplunkLive! Advanced Session
SplunkLive! Advanced SessionSplunkLive! Advanced Session
SplunkLive! Advanced SessionSplunk
 
SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2Splunk
 
What's New in Splunk 6.3
What's New in Splunk 6.3What's New in Splunk 6.3
What's New in Splunk 6.3Splunk
 
SplunkSummit 2015 - Splunking the Endpoint
SplunkSummit 2015 - Splunking the EndpointSplunkSummit 2015 - Splunking the Endpoint
SplunkSummit 2015 - Splunking the EndpointSplunk
 
SplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunk
 
Getting Started With Splunk It Service Intelligence
Getting Started With Splunk It Service IntelligenceGetting Started With Splunk It Service Intelligence
Getting Started With Splunk It Service IntelligenceSplunk
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunk
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunk
 

Andere mochten auch (20)

Splunk for ITOps
Splunk for ITOpsSplunk for ITOps
Splunk for ITOps
 
Scale Splunk
Scale SplunkScale Splunk
Scale Splunk
 
Machine Learning + Analytics in Splunk
Machine Learning + Analytics in SplunkMachine Learning + Analytics in Splunk
Machine Learning + Analytics in Splunk
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Splunk Power User Certification
Splunk Power User CertificationSplunk Power User Certification
Splunk Power User Certification
 
Splunk 6.5.0-pivot tutorial (7)
Splunk 6.5.0-pivot tutorial (7)Splunk 6.5.0-pivot tutorial (7)
Splunk 6.5.0-pivot tutorial (7)
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data Access
 
Mainframe Customer Education Webcast: Syncsort Gets Zen
Mainframe Customer Education Webcast: Syncsort Gets ZenMainframe Customer Education Webcast: Syncsort Gets Zen
Mainframe Customer Education Webcast: Syncsort Gets Zen
 
SplunkLive! Hamburg / München Beginner Session
SplunkLive! Hamburg / München Beginner SessionSplunkLive! Hamburg / München Beginner Session
SplunkLive! Hamburg / München Beginner Session
 
Instrumentation with Splunk
Instrumentation with SplunkInstrumentation with Splunk
Instrumentation with Splunk
 
Supporting Enterprise System Rollouts with Splunk
Supporting Enterprise System Rollouts with SplunkSupporting Enterprise System Rollouts with Splunk
Supporting Enterprise System Rollouts with Splunk
 
Advanced Use Cases for Analytics Breakout Session
Advanced Use Cases for Analytics Breakout SessionAdvanced Use Cases for Analytics Breakout Session
Advanced Use Cases for Analytics Breakout Session
 
SplunkLive! Advanced Session
SplunkLive! Advanced SessionSplunkLive! Advanced Session
SplunkLive! Advanced Session
 
SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2
 
What's New in Splunk 6.3
What's New in Splunk 6.3What's New in Splunk 6.3
What's New in Splunk 6.3
 
SplunkSummit 2015 - Splunking the Endpoint
SplunkSummit 2015 - Splunking the EndpointSplunkSummit 2015 - Splunking the Endpoint
SplunkSummit 2015 - Splunking the Endpoint
 
SplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – Availity
 
Getting Started With Splunk It Service Intelligence
Getting Started With Splunk It Service IntelligenceGetting Started With Splunk It Service Intelligence
Getting Started With Splunk It Service Intelligence
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary session
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
 

Ähnlich wie Getting Started User Training Workshop Agenda

SplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunk
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkSplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkGeorg Knon
 
Getting Started with Splunk Break out Session
Getting Started with Splunk Break out SessionGetting Started with Splunk Break out Session
Getting Started with Splunk Break out SessionGeorg Knon
 
SplunkLive Oslo/Stockholm Beginner Workshop
SplunkLive Oslo/Stockholm Beginner WorkshopSplunkLive Oslo/Stockholm Beginner Workshop
SplunkLive Oslo/Stockholm Beginner Workshopjenny_splunk
 
Getting started with Splunk
Getting started with SplunkGetting started with Splunk
Getting started with SplunkSplunk
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionSplunk
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionSplunk
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic
 
Getting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionGetting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionSplunk
 
Taking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionTaking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionSplunk
 
Splunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk
 
Taking Splunk to the Next Level – Architecture
Taking Splunk to the Next Level – ArchitectureTaking Splunk to the Next Level – Architecture
Taking Splunk to the Next Level – ArchitectureSplunk
 
Getting Started with Splunk
Getting Started with SplunkGetting Started with Splunk
Getting Started with SplunkSplunk
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
Sumo Logic QuickStart
Sumo Logic QuickStartSumo Logic QuickStart
Sumo Logic QuickStartSumo Logic
 
Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)Petter Skodvin-Hvammen
 
Sumo Logic QuickStart - May 2016
Sumo Logic QuickStart - May 2016Sumo Logic QuickStart - May 2016
Sumo Logic QuickStart - May 2016Sumo Logic
 

Ähnlich wie Getting Started User Training Workshop Agenda (20)

SplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunkLive! Beginner Session
SplunkLive! Beginner Session
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with SplunkSplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
 
Getting Started with Splunk Break out Session
Getting Started with Splunk Break out SessionGetting Started with Splunk Break out Session
Getting Started with Splunk Break out Session
 
SplunkLive Oslo/Stockholm Beginner Workshop
SplunkLive Oslo/Stockholm Beginner WorkshopSplunkLive Oslo/Stockholm Beginner Workshop
SplunkLive Oslo/Stockholm Beginner Workshop
 
Getting started with Splunk
Getting started with SplunkGetting started with Splunk
Getting started with Splunk
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout Session
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout Session
 
Splunk Insights
Splunk InsightsSplunk Insights
Splunk Insights
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016
 
Getting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionGetting started with Splunk Breakout Session
Getting started with Splunk Breakout Session
 
Taking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionTaking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout Session
 
Splunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data In
 
Splunk
SplunkSplunk
Splunk
 
Taking Splunk to the Next Level – Architecture
Taking Splunk to the Next Level – ArchitectureTaking Splunk to the Next Level – Architecture
Taking Splunk to the Next Level – Architecture
 
Getting Started with Splunk
Getting Started with SplunkGetting Started with Splunk
Getting Started with Splunk
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout Session
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Sumo Logic QuickStart
Sumo Logic QuickStartSumo Logic QuickStart
Sumo Logic QuickStart
 
Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)Share point 2013 enterprise search (public)
Share point 2013 enterprise search (public)
 
Sumo Logic QuickStart - May 2016
Sumo Logic QuickStart - May 2016Sumo Logic QuickStart - May 2016
Sumo Logic QuickStart - May 2016
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Getting Started User Training Workshop Agenda

  • 1. Copyright © 2013 Splunk Inc. May 2nd, 2013 Technical Workshops Getting Started User Training Getting Started User Training Workshop Dimitri McKay Jedi Master
  • 2. Agenda • Getting Started with Splunk • Search • Alert • Dashboard • Deployment and Integration • Community • Help & Questions 2
  • 5. Install Splunk Start Splunk WIN: Program FilesSplunkbinsplunk.exe start (services start) *NIX: /opt/splunk/bin/splunk start www.splunk.com/download • 32 or 64 bit? • Indexer or Universal Forwarder? Splunk Home WIN: Program FilesSplunk Other: /opt/splunk (Applications/splunk)
  • 6. Splunk Licenses Free Download Limits Indexing to 500MB/day Enterprise Trial License expires after 60 days Reverts to Free License Features Disabled in Free License Multiple user accounts and role-based access controls Distributed search Forwarding to non-Splunk Instances Deployment management Scheduled saved searches and alerting Summary indexing Other License Types Enterprise, Forwarder, Trial
  • 7. 7 Splunk Web Basics Browser Support Firefox 3.6, 10.x and latest Internet Explorer 6, 7, 8 and 9 Safari (latest) Chrome (latest) Default on install is http://localhost:8000 Index some data Add data Getting Started App Install an App (Splunk for Windows, *NIX)
  • 8. 8 Splunk Web Basics cont. Splunk Apps Splunk Home -> Find more apps Apps create different contexts for your data out of sets of views, dashboards, and configurations You can create your own! Search is an App Summary will show everything you have indexed Updated in real-time Click on any source, sourcetype, or host to look at events
  • 9. Optional: add some test data Download the sample file, follow this link and save the file to your desktop, then unzip: http://bit.ly/UBPFWP (Using Splunk Book) Or, to follow along locally, you can download the slides, lookups and data samples at: http://bit.ly/UjkNt6 (Dropbox) To add the file to Splunk: – From the Welcome screen, click Add Data. – Click From files and directories on the bottom half of the screen. – Select Skip preview. – Click the radio button next to Upload and index a file. – Click Save. Install *nix or Windows app to test drive your local OS data! 9
  • 10. 10 *nix app in action:
  • 11. * best practice note: Create an individual index based on sourcetype. – Easier to re-index data if you make a mistake. – Easier to remove data. – Easier to define permissions and data retention. 11
  • 13. Search app – Summary viewcurrent view global stats app navigation time range picker data sources start search search box
  • 14. Searching 14 Search > * Select Time Range • Historical, custom, or real-time Using the timeline • Click events and zoom in and out • Click and drag over events for a specific range • New for 5.0: Search modes!
  • 15. 15 Everything is searchable Everything is searchable • * wildcard supported • Search terms are case insensitive • Booleans AND, OR, NOT – Booleans must be uppercase – Implied AND between terms – Use () for complex searches • Quote phrases fail* fail* nfs error OR 404 error OR failed OR (sourcetype=access_*(500 OR 503)) "login failure"
  • 17. Search Assistant 17 Contextual Help - advanced type-ahead History - search - commands Search Reference - short/long description - examples suggests search terms and displays count updates as you type shows examples and help toggle off / on
  • 18. Searches can be managed as asynchronous processes Jobs can be • Scheduled • Moved to background tasks • Paused, stopped, resumed, finalized • Managed • Archived • Cancelled Job Management send to background pause finalize cancel 18
  • 19. Search Commands 19 Search > error | head 1 Search results are “piped” to the command Commands for: • Manipulating fields • Formatting • Handling results • Reporting
  • 22. Fields 22 Default fields • host, source, sourcetype, linecount, etc. • View on left panel in search results or all in field picker Where do fields come from? • Pre-defined by sourcetypes • Automatically extracted key-value pairs • User defined
  • 23. Sources, sourcetypes, hosts • Source - the name of the file, stream, or other input • Sourcetype - a specific data type or data format • Host - hostname, IP address, or name of the network host from which the events originated 2 3
  • 24. 24 Tagging and Event Typing Eventtypes for more human-readable reports to categorize and make sense of mountains of data punctuation helps find events with similar patterns Search > eventtype=failed_login instead of Search > “failed login” OR “FAILED LOGIN” OR “Authentication failure” OR “Failed to authenticate user” Tags are labels apply adhoc knowledge create logical divisions or groups tag hosts, sources, fields, even eventtypes Search > tag=web_servers instead of Search > host=“apache1.splunk.com” OR host=“apache2.splunk.com” OR host=“apache3.splunk.com”
  • 25. Extract Fields 25 Interactive Field Extractor generate PCRE editable regex preview/save props.conf [mysourcetype] REPORT-myclass = myFields transforms.conf [myFields] REGEX = ^(w+)s FORMAT = myFieldLabel::$1 Configuration File manual field extraction delim-based extractions Rex Search Command ... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
  • 26. Saved Search & Alert Basics
  • 27. Saved Searches and Alerting 27 Find Something Interesting? OR
  • 28. Alerting Cont. 28 Searches run on a schedule and fire an alert • Example: Run a search for “Failed password” every 15 min over the last 15 min and alert if the number of events is greater than 10 Searches are running in real-time and fire an alert • Example: Run a search for “Failed password user=john.doe” in a 1 minute window and alert if an event is found
  • 29. Alerting Actions 29 • Send email • RSS • Execute a script • Track in Alert Manager
  • 30. Report & Dashboard Wackiness
  • 31. Reporting 31 Build reports from the results of any search Select type of report (Values over time, Top Values, Rare Values) and on which fields to report or perform statistics Choose the type of chart (line, area, column, etc) and other formatting options
  • 32. Reporting 32 Build reports from the results of any search Select type of report (Values over time, Top Values, Rare Values) and on which fields to report or perform statistics Choose the type of chart (line, area, column, etc) and other formatting options
  • 33. Reporting Examples 33 • Use wizard or reporting commands (timechart, top, etc) • Build real-time reports with real-time searches • Save reports for use on dashboards
  • 36. Splunk Manager 36 Now Manage All of that Cool Stuff You Just Created (and more!) • Permissions • Saved Searches/Reports • Custom Views • Distributed Splunk • Deployment Server • License Usage….
  • 38. Splunk Has Four Primary Functions 38 • Searching and Reporting (Search Head) • Indexing and Search Services (Indexer) • Local and Distributed Management (Deployment Server) • Data Collection and Forwarding (Forwarder) A Splunk install can be one or all roles…
  • 39. Getting Data Into Splunk 39 Agent and Agent-less Approach for Flexibility perf shell code Mounted File Systems hostnamemount syslog TCP/UDP WMI Event Logs Performance Active Directory syslog compatible hosts and network devices Unix, Linux and Windows hosts Windows hosts Custom apps and scripted API connections Local File Monitoring log files, config files dumps and trace files Windows Inputs Event Logs performance counters registry monitoring Active Directory monitoring virtual host Windows hosts Scripted Inputs shell scripts custom parsers batch loading Agent-less Data Input Splunk Forwarder
  • 40. Understanding the Universal Forwarder 40 Forward data without negatively impacting production performance. Scripts Universal Forwarder Deployment Logs ConfigurationsMessages Metrics Central Deployment Management Monitor files, changes and the system registry; capture metrics and status. Universal Forwarder Regular (Heavy) Forwarder Monitor All Supported Inputs ✔ ✔ Routing, Filtering, Cloning ✔ ✔ Splunk Web ✔ Python Libraries ✔ Event Based Routing ✔ Scripted Inputs ✔
  • 41. Horizontal Scaling 41 Load balanced search and indexing for massive, linear scale out. Forwarder Auto Load Balancing Distributed Search
  • 42. Multiple Datacenters 42 Headquarters London Hong Kong Tokyo New York Distributed Search Index and store locally. Distribute searches to datacenters, networks & geographies.
  • 43. High Availability, On Commodity Servers and Storage 43 As Splunk collects data, it keeps multiple identical copies If indexer fails, incoming data continues to get indexed Indexed data continues to be searchable Easy setup and administration Data integrity and resilience without a SAN Index Replication Splunk Universal Forwarder Pool Constant Uptime
  • 44. High Availability 44 Combine auto load balancing and cloning for HA at every Splunk tier. Clone Group 1 : Complete Dataset Data Cloning & Auto Load Balancing Distributed Search Distributed Search Clone Group 2 : Complete Dataset Shared Storage
  • 45. Service Desk Event Console SIEM Send Data to Other Systems 45 Route raw data in real time or send alerts based on searches.
  • 46. Integrate External Data 46 LDAP, AD Watch Lists CRM/ER P CMDB Correlate IP addresses with locations, accounts with regions Extend search with lookups to external data sources.
  • 47. Integrate Users and Roles 47 Problem Investigation Problem Investigation Problem Investigation Save Searches Share Searches LDAP, AD Users and Groups Splunk Flexible Roles Manage Users Manage Indexes Capabilities& Filters NOT tag=PCI App=ERP … Map LDAP & AD groups to flexible Splunk roles. Define any search as a filter. Integrate authentication with LDAP and Active Directory.
  • 48. Centralized Licensing Management 48 Problem Investigation Groups, Stacks, and Pools for Enterprise Deployments
  • 49. Deployment Monitoring 49 Keep Tabs On Your Splunk Enterprise Deployment ForwardersIndexersSourcetypesLicenses
  • 51. Support Through the Splunk Community 51 Splunkbase
  • 52. Where to Go for Help 52 • Documentation – http://www.splunk.com/base/Documentation • Technical Support – http://www.splunk.com/support • Videos – http://www.splunk.com/videos • Education – http://www.splunk.com/goto/education • Community – http://answers.splunk.com • Splunk Book – http://splunkbook.com

Hinweis der Redaktion

  1. Hopefully you are starting to see the power of Splunk. On the left here is a typical way organizations use Splunk--index your IT data, use Splunk to search and investigate, users add knowledge such as saving valuable searches, monitor and alert, report and analyze the data, review trends and other findings to become more proactive in a cycle of improved IT Operations.Our customers typically start by using Splunk to solve a specific problem area. Often it’s Application management and troubleshooting, or security monitoring and incident investigation, or compliance. After quickly making their initial use case an internal success, Splunk is typically deployed into other areas of IT—these ten areas are the ones where Splunk is most often deployed. Customers who get maximum value from Splunk understand the value of having a single IT data engine that can provide the complete view needed by anyone to accomplish their job—in a far more productive and effective way. We work with customers to leverage these capabilities across every functional or organizational silo in your IT organization.Splunk delivers value to dev teams, server administrators, network managers, security analysts, auditors, and others.
  2. Follow along if you like!See full list of supported platforms in Installation Manual.Can choose different directory during installation.
  3. Good analogy for Apps is iPhone/iPad. Same data, many uses. Apps change the presentation layer.
  4. Illustrate add data, illustrate creating a new index, illustrate the *nix app to show performance metrics.
  5. This is the unix app in action. In this example, we’re pulling a number of scripted inputs such as top, iostat, network, etc.
  6. 1. Wildcards are supported - *2. Search terms are case insensitive.3. Boolean searches are supported with AND, OR, NOT. Just remember that Booleans must be uppercase.4. There is an implied AND between the search terms, and for complex searches, use parenthesis. (error OR failed)5. You can also quote phrases such as “Login Failure”6. Search Modes!
  7. 1. Wildcards are supported - *2. Search terms are case insensitive.3. Boolean searches are supported with AND, OR, NOT. Just remember that Booleans must be uppercase.4. There is an implied AND between the search terms, and for complex searches, use parenthesis. (error OR failed)5. You can also quote phrases such as “Login Failure”6. Search Modes!
  8. This is an example of a search for error OR failed but includes some Boolean exclusions using NOT.
  9. The search assistant offers quick reference for the Splunk search language that updates as you type. That includes links to online documentation, and shows matching searches along with their count, matching terms and examples. It also shows you your history of searches.
  10. A search becomes a job for Splunk to process. While a search is processing, this job can be Canceled, Paused, sent to the background and Finalized. The ability to cancel is handy if you made a mistake or chose the wrong time range.Finalized = stop processing events but build the &quot;number of events&quot; count. Jobs can be accessed while running or after through the jobs menu. There, Paused Jobs can be resumed and those sent to the background can be accessed. Jobs results are kept for a configurable time of 10 minutes by default.
  11. Splunk search language is very unix-like—use the pipe symbol to pass search results to search commands. Search commands can be chained. You can even create your own custom search commands.These are common commands we find most useful to analyze and filter data. &lt;review each command&gt;Search reference is available online in addition to the search assistance and covers all search commands.
  12. Much like *nix* operating systems, chances are you’re not going to memorize all of the commands. You’ll memorize a handful, and rely on the “man pages” to get additional context to commands. We SEs here at Splunk use maybe twenty terms in our day to day.
  13. Fields give you much more precision in searches. Fields are key value pairs associated with your data by Splunk. So, an example would be host=www1, status=503. Now there are two specific types of fields. There are default fields, (source, sourcetype and host) which are added to every event by Splunk during indexing.And there are data-specific fields. These would be action=“purchase” or status=“503”.
  14. What’s the difference between Sources, sourcetypes, and hosts?A host would be the hostname, IP address or name of the network host from which events originate. An example might be a single windows server would be a host or specific firewall.A Source is the name of a file, a stream or some other input, such as a config file, process, application or event log, on a server. So per our Windows server example, sources on that server, might include Windows event logs, exchange logs, DNS/DHCP logs, performance metrics as well as the windows event logs from the windows event viewer. Each of these is a different source.A Sourcetype is a specific data format. Sourcetype would beALLexchange logs or ALL Cisco ASA. It’s a high level group. Running your searches against a sourcetypeof Windows Event Log Security across multiple servers.
  15. Event types can help you automatically identify events based on a search. An event type is a field based on a search, it’s a way of classifying data for searching and reporting and it’s useful for user knowledge capture and sharing.Tags are different, in that they allow you to search for events with related field values. You can assign any field/value combination. So as an example, server names aren’t always helpful. Sometimes they contain ambiguous information. Using tags you can use a more meaningful term.The Splunk Manager allows you to enable/disable, copy, delete and edit tags that you’ve created.
  16. Extracting fields that aren’t already pulled out at search time is a necessary step to doing more with your data like reporting.Show example of field extraction with IFX and an example using rex.Show other field extractor.
  17. Show alert in realtime: sourcetype=linux_secure fail* root Real-time alerts always trigger immediately for every returned resultReal-time monitored alerts monitor a real-time window and can trigger immediately, or you can define conditionsScheduled alerts run a search on a regular interval that you define and triggers based on conditions that you define
  18. Run alert in Splunk.Splunk alerts are based on searches and can run either on a regular scheduled interval or in real-time.Alerts are triggered when the results of the search meet a specific condition that you define.Based on your needs, alerts can send emails, trigger scripts and write to RSS feeds.
  19. Consider how you might use a scripted alert.
  20. Demo building a report
  21. Demo building a traditional report. Reports can also be dashboards mailed out.
  22. Demo building a report and dashboard.
  23. Demo new dashboard workflow
  24. Show dashboard examples:
  25. Splunk can be divided into four logical functions. First, from the bottom up, collection. Splunk forwarders come in two packages; the full Splunk distribution or a dedicated “Universal Forwarder”. The full Splunk distribution can be configured to filter data before transmitting, execute scripts locally, or run SplunkWeb. This gives you several options depending on the footprint size your endpoints can tolerate. The universal forwarder is an ultra-lightweight agent designed to collect data in the smallest possible footprint. Both flavors of forwarder come with automatic load balancing, SSL encryption and data compression, and the ability to route data to multiple Splunk instances or third party systems. To manage your distributed Splunk environment, there is the Deployment Server. Deployment server helps you synchronize the configuration of your search heads during distributed searching, as well as your forwarders to centrally manage your distributed data collection. Of course, Splunk has a simple flat-file configuration system, so feel free to use your own config management tools if your more comfortable with what you already have. The core of the Splunk infrastructure is indexing. An indexer does two things – it accepts and processes new data, adding it to the index and compressing it on disk. The indexer also services search requests, looking through the data it has via it’s indices and returning the appropriate results to the searcher over a compressed communication channel. Indexers scale out almost limitlessly and with almost no degradation in overall performance, allowing Splunk to scale from single-instance small deployments to truly massive Big Data challenges. Finally, the Splunk most users see is the search head. This is the webserver and app interpreting engine that provides the primary, web-based user interface. Since most of the data interpretation happens as-needed at search time, the role of the search head is to translate user and app requests into actionable searches for it’s indexer(s) and display the results. The Splunk web UI is highly customizable, either through our own view and app system, or by embedding Splunk searches in your own web apps via includes or our API.
  26. Getting data into Splunk is designed to be as flexible and easy as possible. Because the indexing engine is so flexible and doesn’t generally require configuration for most IT data, all that remains is how to collect and ship the data to your Splunk. There are many options. First, you can collect data over the network, without an agent. The most common network input is syslog; Splunk is a fully compliant and customizable syslog listener over both TCP and UDP. Further, because Splunk is just software, any remote file share you can mount or symlink to via the operating system is available for indexing as well. To facilitate remote Windows data collection, Splunk has a its own WMI query tool that can remotely collect Windows Event logs and performance counters from your Windows systems. Finally, Splunk has a AD monitoring tool that can connect to AD and get your user meta data to enhance your searching context and monitor AD for replication, policy or user security changes. When Splunk is running locally as an indexer or forwarder, you have additional options and greater control. Splunk can directly monitor hundreds or thousands of local files, index them and detect changes. Additionally, many customers use our out-of-the-box scripts and tools to generate data – common examples include performance polling scripts on *nix hosts, API calls to collect hypervisor statistics and for detailed monitoring of custom apps running in debug modes. Also, Splunk has Windows-specific collection tools, including native Event Log access, registry monitoring drivers, performance monitoring and AD monitoring that can run locally with a minimal footprint.
  27. Historically, a Splunk forwarder was a stripped down version of the full Splunk distribution. Certain features, such as Splunk Web, were turned off to decrease footprint on a remote host. Our customers asked us for something even lighter and we delivered. The Universal Forwarder is a new, dedicated package specifically designed for collecting and sending data to Splunk. It’s super light on resources, easy to install, but still includes all the current Splunk inputs, without requiring python. Most deployments should only require the use of the Universal Forwarder but we have kept all features of forwarding in the Regular (or Heavy) Forwarder for cases when you need specific capabilities.
  28. A single indexers it can index 50-100gigabytes per day depending the data sources and load from searching. If you have terabytes a day you can linearly scale a single, logical Splunk deployment by adding index servers, using Splunk’s built in forwarderload balancing to distribute the data and using distributed search to provide a single view across all of these servers. Unlike some log management products you get full consolidated reporting and alerting not simply merged query results. When in doubt, the first rule of scaling is ‘add another commodity indexer.’ Splunk indexers are designed to enable nearly limitless fan-out with linear scalability by leveraging techniques like MapReduce to fan-out work in a highly efficient manner.
  29. Leverage distributed search to give each locale access to their own data, while providing a combined view to central teams back at headquarters. Whether to optimize your network traffic or meet data segmentation requirements, feel free to build your Splunk infrastructure as it makes sense for your organization. Further, each distributed search head automatically creates the correct app and user context while searching across other datasets. No specific custom configuration management is required; Splunk handles it for you.
  30. The insights from your data are mission-critical. With Splunk Enterprise 5 we wanted to deliver a highly available system, with enterprise-grade data resiliency, even as you scale on commodity storage. And we wanted to maintain Splunk’s robust, real-time and ease of use features.Splunk indexers can now be grouped together to replicate each other’s data, maintaining multiple copies of all data – preventing data loss and delivering highly available data for Splunk search. Using index replication, if one or more indexers fail, incoming data continues to get indexed and indexed data continues to be searchable.By spreading data across multiple indexers, searches can read from many indexers in parallel, improving parallelism of operations and performance. All as you scale on commodity servers and storage. And without a SAN.
  31. For high availability and scale out, combine auto load balancing with data cloning. Each clone group has one complete set of the overall data for redundancy, while load balancing within each clone group spreads the load and the data between indexers for efficient scaling. So long as one indexer remains in a clone group, that group will remain synced with the entirety of the data. Search Head Pooling can share the same application and user configurations and coordinate the scheduling of searches. This allows for one logical pool of search heads to service large numbers of users with minimal downtime should a search head become unavailable.Additionally, by leveraging LDAP authentication, such as Active Directory, users can be directed to any search head as needed for load balancing or failover. NOTE: the second indexers needs to be licensed with an HA license 50% of regular enterprise license
  32. Splunk isn’t the only technology that can benefit from IT data collection, so let Splunk help send the data to those systems that need it. For those systems that want a direct tap into the raw data, Splunk can forward all or a subset of data in real time via TCP as raw text or RFC-compliant syslog. This can be done on the forwarder or centrally via the indexer without incrementing your daily indexing volume. Separately, Splunk can schedule sophisticated correlation searches and configure them to open tickets or insert events into SIEMs or operation event consoles. This allows you to summarize, mash-up and transform the data with the full power of the search language and import data into these other systems in a controlled fashion, even if they don’t natively support all the data types Splunk does. MSSP, Cloud Services, etc.
  33. Your logs and other IT data are important but often cryptic. You can extend Splunk’s search with lookups to external data sources as well as automate tagging of hosts, users, sources, IP addresses and other fields that appear in your IT data. This enables you to find and summarize IT data according to business impact, logical application, user role and other logical business mappings. In the example shown, Splunk is looking up the server’s IP address to determine which domain the servicing web host is located in, and the customer account number to show which local market the customer is coming from. Using these fields, a search user could create reports pivoted on this information easily. Illustrate Lookups:
  34. Splunk allows you to extend your existing AAA systems into the Splunk search system for both security and convenience. Splunk can connect to your LDAP based systems, like AD, and directly map your groups and users to Splunk users and roles. From there, define what users and groups can access Splunk, which apps and searches they have access to, and automatically (and transparently) filter their results by any search you can define. That allows you to not only exclude whole events that are inappropriate for a user to see, but also mask or hide specific fields in the data – such as customer names or credit card numbers – from those not authorized to see the entire event.
  35. Centralized License Management provides for a holistic approach in your multi-indexer distributed Splunk environment. You can aggregate compatible licenses into stacks of available license volume and define pools of indexers to use license volume from a given stack.
  36. Splunk deployments can grow to encompass thousands of Splunk instances, including forwarders, indexers, and search heads. Splunk offers a deployment monitor app that helps you to effectively manage medium- to large-scale deployments, keeping track of all your Splunk instances and providing early warning of unexpected or abnormal behavior.The deployment monitor provides chart-rich dashboards and drilldown pages that offer a wealth of information to help you monitor the health of your system. These are some of the things you can monitor:Index throughput over timeNumber of forwarders connecting to the indexer over timeIndexer and forwarder abnormalitiesDetails for individual forwarders and indexers, such as status and forwarding volume over timeSource types being indexed by the systemLicense usage
  37. With thousands of enterprise customers and an order of magnitude more actual users, we have a thriving community.We launched a dev portal a few months back and already have over 1,000 unique visitors per week.We have over 300 apps contributed by ourselves, our partners and our community.Our knowledge exchange Answers site has over 20,000+ questions answered.And in August 2012 we ran our 3rd users’ conference with over 1,000 users in attendance, over 100 sessions of content, customers presenting.Best of all, this community demands more from Splunk and gives us incredible feedback