© 2017 SPLUNK INC.
MAY 9, 2017 | ZURICH
Getting Started with Splunk
Tomas Baublys | Senior Sales Engineer
1. Download and install
2. Get tutorial data
3. Build dashboards
Just start!
Set up Before You Can Play
Get the following at splunk.com
Download Splunk Enterprise
https://www.splunk.com/download
Download the Tutorial Data
http://splk.it/2ey34P8
Download the lookup file
http://splk.it/2fCgpXw
Download the Search Tutorial
http://splk.it/2ePSYKB
LET’S GET OUR HANDS DIRTY
Rebus puzzle:
Index: How the Data is Stored and Aged in Splunk (Hot, Warm, Cold, Frozen)
Hot – Newest buckets of data that are still open for write
Warm – Recent data but closed for writing (read only)
Cold – Oldest data, commonly on cheaper, slower storage
Frozen – No longer searchable, commonly archived or deleted data
Optional TSIDX Reduction
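As an added illustration of the bucket lifecycle on this slide (and of the speaker note on it about a seven-year mandate for security data), and not code from the presentation or from Splunk: a small Python model that places buckets in hot, warm, cold or frozen from an age limit, a warm-bucket count and a total-size cap, then checks whether a retention mandate is still met. The Policy fields are assumed to mirror the indexes.conf settings frozenTimePeriodInSecs, maxWarmDBCount, maxTotalDataSizeMB and coldToFrozenDir; the bucket list and timestamps are constructed. The check a practitioner wants from it: a size cap freezes the oldest data long before the time-based limit does, so retention has to be verified against both settings, and a frozen bucket with no archive path is simply gone.

```python
from dataclasses import dataclass

DAY = 24 * 3600
YEAR = 365 * DAY
NOW = 10 * YEAR  # constructed "current time" in epoch seconds


@dataclass
class Bucket:
    name: str
    earliest: int                 # epoch seconds of the oldest event in the bucket
    latest: int                   # epoch seconds of the newest event in the bucket
    size_mb: int
    open_for_write: bool = False  # True only while the bucket is hot


@dataclass
class Policy:
    # Assumed to mirror indexes.conf: frozenTimePeriodInSecs, maxWarmDBCount,
    # maxTotalDataSizeMB, and whether coldToFrozenDir keeps an archive copy.
    frozen_after_secs: int
    max_warm_buckets: int
    max_total_mb: int
    archive_on_freeze: bool


# Constructed buckets: one open hot bucket, then closed buckets of increasing age.
SAMPLE_BUCKETS = [
    Bucket("db_hot", NOW - DAY, NOW, 100, open_for_write=True),
    Bucket("db_1", NOW - 10 * DAY, NOW - 2 * DAY, 500),
    Bucket("db_2", NOW - 60 * DAY, NOW - 30 * DAY, 500),
    Bucket("db_3", NOW - 400 * DAY, NOW - 200 * DAY, 800),
    Bucket("db_4", NOW - 3 * YEAR, NOW - 2 * YEAR, 800),
    Bucket("db_5", NOW - 9 * YEAR, NOW - 8 * YEAR, 800),
]
SEVEN_YEAR_POLICY = Policy(frozen_after_secs=7 * YEAR, max_warm_buckets=2,
                           max_total_mb=3000, archive_on_freeze=False)


def tier_buckets(buckets, policy, now):
    """Assign each bucket a tier following the hot -> warm -> cold -> frozen lifecycle."""
    tiers = {b.name: "hot" for b in buckets if b.open_for_write}
    closed = sorted((b for b in buckets if not b.open_for_write),
                    key=lambda b: b.latest, reverse=True)
    # Age limit: a bucket is judged by its newest event, so it stays until
    # everything in it has passed the retention period.
    for b in closed:
        if now - b.latest > policy.frozen_after_secs:
            tiers[b.name] = "frozen"
    # The most recently closed buckets are warm, the rest cold.
    live = [b for b in closed if b.name not in tiers]
    for i, b in enumerate(live):
        tiers[b.name] = "warm" if i < policy.max_warm_buckets else "cold"
    # Size cap: when the index is over its limit, the oldest searchable buckets
    # are frozen first, regardless of how far they are from the age limit.
    total_mb = sum(b.size_mb for b in buckets if tiers[b.name] != "frozen")
    for b in reversed(live):
        if total_mb <= policy.max_total_mb:
            break
        tiers[b.name] = "frozen"
        total_mb -= b.size_mb
    return tiers


def earliest_searchable(buckets, tiers):
    """Oldest event still searchable (frozen buckets are excluded)."""
    stamps = [b.earliest for b in buckets if tiers[b.name] != "frozen"]
    return min(stamps) if stamps else None


def retention_report(buckets, policy, now, mandate_secs):
    """Which buckets inside the mandate window have been frozen with no archive copy."""
    tiers = tier_buckets(buckets, policy, now)
    lost = [b.name for b in buckets
            if tiers[b.name] == "frozen"
            and not policy.archive_on_freeze
            and now - b.earliest <= mandate_secs]
    return {"tiers": tiers, "lost_within_mandate": lost}


if __name__ == "__main__":
    capped = Policy(7 * YEAR, 2, 2000, archive_on_freeze=False)
    print(retention_report(SAMPLE_BUCKETS, SEVEN_YEAR_POLICY, NOW, 7 * YEAR))
    print(retention_report(SAMPLE_BUCKETS, capped, NOW, 7 * YEAR))
```

With the seven-year policy the oldest bucket freezes by age and nothing within the mandate is lost; lowering the size cap to 2000 MB freezes db_4 (two to three years old) even though the age limit would have kept it, and the report flags it because no archive path is set.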
Searches used
buttercupgames 4*
buttercupgames status=4*
buttercupgames status!=200 | top limit=20 status
buttercupgames status!=200 | timechart count
buttercupgames status!=200 | stats count by status | where count > 700
buttercupgames status=403 OR status=404 | stats count sparkline by uri_path
buttercupgames status=404 | timechart count | trendline sma3(count)
buttercupgames status!=200 | timechart count | predict count as predictedCount
buttercupgames status!=200 | iplocation clientip | geostats count
buttercupgames status!=200 | iplocation clientip | eval featureId=Country | stats count by featureId | geom geo_countries
Dashboard
Splunk Demo
Appendix: Detailed Walkthrough
Download Splunk Enterprise for your OS and Architecture.
Unpack and start:
tar zxvf splunk-6.5.2-67571ef4b87d-darwin-64.tgz
splunk/bin/splunk start --accept-license
Download tutorialdata.zip: http://docs.splunk.com/images/Tutorial/tutorialdata.zip
http://www.splunk.com/goto/book
With Firefox, Chrome, or Safari – head to http://127.0.0.1:8000. User=admin password=c
You’ve successfully installed Splunk, and logged in! Let’s add the tutorialdata.zip via “
You can also “Add Data” from Settings at the top.
Click on Upload.
Let’s drag tutorialdata.zip into “Drop your data file here”.
Click Next.
Splunk can auto-detect the sourcetype. Let’s change the host field to buttercup-web01, and th
Looks good, click Submit.
Let’s start searching our data.
We’re brought into a search with filters applied to search the data we just upload
Let’s type “buttercupgames” in the search bar, and double-click into a bar on the histogram.
Notice the time picker changed with our drill into the histogram bar.
Given that this data is web access, let’s do a string search for 400, which is a “Bad Requ
Notice that there are 188 events returned (the number will vary for you).
Let’s also add 300 into the mix, and notice that my event count is higher now.
We can see the 400 status codes, but not 300’s. That’s because the string search of 300 d
search for status code of 300 – it’ll string match any event that contains “300”.
Let’s explicitly search for status codes equaling values we want to see return
Great, we’re now returned all the events containing the two status codes we search
Click on “Top values by time”, which will build out a timechart for us.
Notice how our search query changed: there’s a | (pipe), and a timechart comman
The pipe followed by a command allows further operation on your filtered data set
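The difference between a bare term and a field comparison that the last few slides walk through, and the stats/where pipeline from the Searches used list, are easy to see in plain Python. The block below is an added example, not code from the presentation or from Splunk: it extracts fields from constructed combined-format web access lines with a regex (standing in for the sourcetype’s field extraction), then contrasts a raw-text match for 300 with status=300, and runs the stats count by status | where count > N step that the alert later in the deck is built on. The sample lines, the field names and the use of a substring match to approximate Splunk’s indexed-token matching are all assumptions of the example.

```python
import re
from collections import Counter

# Constructed events in Apache combined log format, loosely modelled on the
# buttercupgames web access data in the Splunk tutorial; not lines from tutorialdata.zip.
SAMPLE_EVENTS = [
    '10.1.1.5 - - [09/May/2017:09:01:12 +0200] "GET /product.screen?productId=WC-SH-G04 HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/58.0"',
    '10.1.1.6 - - [09/May/2017:09:02:40 +0200] "GET /oldlink?itemId=EST-300 HTTP/1.1" 200 1665 "-" "Mozilla/5.0 (Macintosh) Safari/603.1"',
    '10.1.1.7 - - [09/May/2017:09:03:05 +0200] "GET /cart.do?action=addtocart HTTP/1.1" 302 300 "-" "Mozilla/5.0 (X11; Linux) Firefox/53.0"',
    '10.1.1.8 - - [09/May/2017:09:04:22 +0200] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.52.1"',
    '10.1.1.8 - - [09/May/2017:09:04:23 +0200] "GET /missing.png HTTP/1.1" 404 280 "-" "curl/7.52.1"',
    '10.1.1.9 - - [09/May/2017:09:05:00 +0200] "POST /cart.do?action=purchase HTTP/1.1" 400 300 "-" "Mozilla/5.0 (iPhone) Safari/602.1"',
    '10.1.1.9 - - [09/May/2017:09:05:30 +0200] "GET /cart.do?action=view HTTP/1.1" 300 410 "-" "Mozilla/5.0 (iPhone) Safari/602.1"',
]

# Field extraction for the combined format; field names follow the ones the slides use
# (clientip, status, uri_path) plus a few extras.
ACCESS_LOG = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>[^ ?"]+)(?:\?(?P<uri_query>[^ "]*))? [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def parse_event(raw):
    """Split one raw line into fields, keeping the raw text as _raw."""
    m = ACCESS_LOG.match(raw)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["_raw"] = raw
    return fields


EVENTS = [e for e in map(parse_event, SAMPLE_EVENTS) if e is not None]


def string_search(events, term):
    """A bare term such as 300 is matched against the whole event, not one field.
    Splunk matches indexed tokens rather than arbitrary substrings, so a substring
    match is an approximation that returns at least everything Splunk would."""
    return [e for e in events if term in e["_raw"]]


def field_search(events, field, value):
    """field=value, e.g. status=300: compares only the extracted field."""
    return [e for e in events if e.get(field) == value]


def field_not(events, field, value):
    """field!=value, e.g. status!=200."""
    return [e for e in events if e.get(field) != value]


def stats_count_by(events, field):
    """stats count by <field>"""
    return dict(Counter(e[field] for e in events if field in e))


def where_count_gt(counts, threshold):
    """where count > <threshold>; an empty result means the alert stays quiet."""
    return {k: v for k, v in counts.items() if v > threshold}


def top(events, field, limit=20):
    """top limit=<limit> <field>"""
    return Counter(e[field] for e in events if field in e).most_common(limit)


if __name__ == "__main__":
    print(len(string_search(EVENTS, "300")), "events contain the text 300")
    print(len(field_search(EVENTS, "status", "300")), "event has status=300")
    print(where_count_gt(stats_count_by(field_not(EVENTS, "status", "200"), "status"), 0))
```

On the constructed data the text 300 hits five events (byte counts of 300 and 3000, an item id, and one real status 300) while status=300 hits exactly one, which is the point the slides make about why the 300 string search did not behave like a status filter.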
Let’s change our search to: buttercupgames status=*
And drill into one bar on the histogram.
Click on “top values by time” under the status field on the left, which will produce the timechart above.
Let’s exclude 200 status codes by adding AND status!=200, and change Line to Column.
After changing from Line to Column, let’s Stack the results (middle stack under Stack Mo
Let’s now save this to a dashboard, a place we can go to view this search without having to remember what we had just searched for. Click Save As -> Dashboard Panel. Fill in, and click Save.
Click on Search to get us back to our search bar, and let’s key in: buttercupgames.
Development wants to know what web browsers are being used to access the site, but no fields currently exist. No problem – let’s extract the browser field.
Find an event that contains a value that you’re looking for, and click the “>” arrow just to the left of “Time”.
The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.
Click Regular Expression (Splunk will build a regular expression to extract our fields), and click Next.
Highlight the value of the field you’d like to create, and let’s name the field: browser_type. Click Add Extraction.
Let’s verify that the extracted field contains values that are indeed types of browsers. Good, click Next to proceed.
Now, open the permissions to “App”, which will allow users of the App to leverage this extraction.
Success! Let’s explore the fields just created in search, by clicking the link.
You’ll now be taken to search, with the filter set to the sourcetype that the field extraction has been applied to. Note – field extractions are coupled to a sourcetype.
Click on “Top values”.
Notice how the search changed. And, instead of a bar graph, we want a pie chart, so drop down the “bar” option and change it to Pie.
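An added example of what the browser_type extraction, its verification step and the coupling to a sourcetype amount to, written in Python rather than built in the field extractor; it is not code from the presentation or from Splunk. The extraction pulls the user-agent string out of the raw line and picks a browser family by precedence (Edge and Chrome user agents also contain Safari, so order matters), applies it only to events whose sourcetype matches, and checks that every extracted value is a known browser name. The sourcetype name access_combined_wcookie, the sample lines and the browser list are assumptions of the example.

```python
import re
from collections import Counter

WEB_SOURCETYPE = "access_combined_wcookie"  # assumed name of the web access sourcetype

# Constructed events: most are web access lines, one is an sshd line from another
# sourcetype, and one is a proxy line that happens to carry a user agent.
SAMPLE_EVENTS = [
    {"sourcetype": WEB_SOURCETYPE, "_raw": '10.1.1.5 - - [09/May/2017:09:01:12 +0200] "GET /cart.do?action=view HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36"'},
    {"sourcetype": WEB_SOURCETYPE, "_raw": '10.1.1.6 - - [09/May/2017:09:02:40 +0200] "GET /oldlink?itemId=EST-14 HTTP/1.1" 200 1665 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/603.1 (KHTML, like Gecko) Version/10.1 Safari/603.1"'},
    {"sourcetype": WEB_SOURCETYPE, "_raw": '10.1.1.7 - - [09/May/2017:09:03:05 +0200] "GET /cart.do?action=addtocart HTTP/1.1" 200 1240 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"'},
    {"sourcetype": WEB_SOURCETYPE, "_raw": '10.1.1.8 - - [09/May/2017:09:04:22 +0200] "GET /product.screen?productId=WC-SH-G04 HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Safari/537.36 Edge/14.14393"'},
    {"sourcetype": WEB_SOURCETYPE, "_raw": '10.1.1.9 - - [09/May/2017:09:05:00 +0200] "POST /cart.do?action=purchase HTTP/1.1" 200 918 "-" "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Mobile Safari/537.36"'},
    {"sourcetype": WEB_SOURCETYPE, "_raw": '10.1.1.10 - - [09/May/2017:09:05:30 +0200] "GET /admin HTTP/1.1" 403 512 "-" "python-requests/2.13.0"'},
    {"sourcetype": "linux_secure", "_raw": 'May  9 09:01:12 buttercup-web01 sshd[2231]: Accepted publickey for ops from 10.1.1.20 port 51522 ssh2'},
    {"sourcetype": "proxy_log", "_raw": '10.1.1.20 GET http://www.buttercupgames.com/ 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/58.0 Safari/537.36"'},
]

UA_IN_RAW = re.compile(r'"(?P<useragent>[^"]*)"\s*$')  # last quoted field of the line
BROWSER_TOKEN = re.compile(r'\b(Edge|OPR|Chrome|Firefox|Safari|MSIE|curl)/')
PRECEDENCE = ("Edge", "OPR", "Chrome", "Firefox", "Safari", "MSIE", "curl")
KNOWN_BROWSERS = set(PRECEDENCE)


def extract_browser_type(raw):
    """Regex extraction of browser_type from the user-agent at the end of the raw line."""
    m = UA_IN_RAW.search(raw)
    if not m:
        return None
    tokens = set(BROWSER_TOKEN.findall(m.group("useragent")))
    for name in PRECEDENCE:        # most specific family first: Edge before Chrome before Safari
        if name in tokens:
            return name
    return None


def apply_extraction(events, sourcetype=WEB_SOURCETYPE):
    """Field extractions are bound to a sourcetype: only matching events get browser_type."""
    out = []
    for e in events:
        e = dict(e)
        if e.get("sourcetype") == sourcetype:
            browser = extract_browser_type(e["_raw"])
            if browser is not None:
                e["browser_type"] = browser
        out.append(e)
    return out


def verify_extraction(events, known=KNOWN_BROWSERS):
    """The 'verify' step: at least one value was extracted and all of them are browser names."""
    values = {e["browser_type"] for e in events if "browser_type" in e}
    return bool(values) and values <= known


def top_values(events, field="browser_type"):
    """Top values of the new field, as the field sidebar shows them."""
    return Counter(e[field] for e in events if field in e).most_common()


if __name__ == "__main__":
    extracted = apply_extraction(SAMPLE_EVENTS)
    print(verify_extraction(extracted), top_values(extracted))
```

The proxy line would extract Chrome if the regex were run against it, but apply_extraction leaves it untouched because its sourcetype differs, which is exactly the coupling the slide notes; the python-requests client yields no browser_type at all, and verify_extraction still passes because absent values are not wrong values.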
Let’s add this search to our dashboard, and then view the dashboard.
Click Edit -> Edit Panels to drag the different panels to
Let’s go back to search, and search for buttercupgames AND status!=200 (we want to see events that aren’t successful). Add the stats and where clause above, to return when there are more than 100 unsuccessful status codes.
Let’s create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression (instead of 48, set the minute to a few minutes ahead of your current time, i.e. if it’s 9:00am, change it to 05).
Add to Triggered Alerts, and Save.
You should see an alert trigger once your scheduled search runs at the cron expression you defined.
*Note – it was mentioned that alerts wouldn’t work on a trial license. *Correction – alerts
Let’s go back to search and: buttercupgames status=* | iplocation clientip
We want to look up the clientip values against the MaxMind database to pull in City, Country, State, Lat, Lon of the IPs.
Now, business is interested in seeing plots on a map of web users and what they’re doing with the website.
Let’s append a geostats command that counts the events by the values of the action
Awesome! Now we have a single pane of glass that Operations, Development, and Business all care about – from one data source! Talk about value!
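An added example, not code from the presentation or from Splunk, of what iplocation and geostats do to the events: a longest-prefix lookup against a constructed table of networks (standing in for the MaxMind database), then a count of events per location, optionally split by a field such as action. The prefix table, the sample events and the use of RFC 5737 documentation ranges as “public” addresses are assumptions of the example. The caveat it carries is the one a defender hits first: internal RFC 1918 addresses, loopback and malformed values get no location, so geostats silently drops those events and a map can under-count traffic that matters.

```python
import ipaddress
from collections import Counter

# Constructed lookup table in place of the MaxMind database (documentation ranges).
GEO_TABLE = {
    "203.0.113.0/24": {"Country": "Switzerland", "City": "Zurich", "lat": 47.37, "lon": 8.54},
    "198.51.100.0/24": {"Country": "Germany", "City": "Frankfurt", "lat": 50.11, "lon": 8.68},
    "192.0.2.0/24": {"Country": "United States", "City": "Portland", "lat": 45.52, "lon": -122.68},
}
# Longest prefix first, so a more specific entry would win over a broader one.
NETWORKS = sorted(((ipaddress.ip_network(cidr), info) for cidr, info in GEO_TABLE.items()),
                  key=lambda pair: pair[0].prefixlen, reverse=True)
# Address space that never has a geolocation: RFC 1918 and loopback.
INTERNAL = [ipaddress.ip_network(c) for c in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed events with the fields the slide's search relies on.
SAMPLE_EVENTS = [
    {"clientip": "203.0.113.10", "action": "purchase", "status": "200"},
    {"clientip": "203.0.113.11", "action": "addtocart", "status": "200"},
    {"clientip": "203.0.113.10", "action": "purchase", "status": "503"},
    {"clientip": "198.51.100.7", "action": "view", "status": "200"},
    {"clientip": "192.0.2.44", "action": "purchase", "status": "200"},
    {"clientip": "10.0.0.5", "action": "purchase", "status": "200"},   # internal client
    {"clientip": "192.0.2.45", "action": "purchase", "status": "404"},
    {"clientip": "not-an-ip", "action": "view", "status": "200"},      # garbage value
]


def iplocation(clientip):
    """Location fields for an address, or None when nothing can be said about it."""
    try:
        addr = ipaddress.ip_address(clientip)
    except ValueError:
        return None
    if any(addr in net for net in INTERNAL):
        return None
    for net, info in NETWORKS:
        if addr in net:
            return dict(info)
    return None


def enrich(events):
    """The iplocation step: add City/Country/lat/lon to events that resolve."""
    out = []
    for e in events:
        e = dict(e)
        loc = iplocation(e.get("clientip", ""))
        if loc:
            e.update(loc)
        out.append(e)
    return out


def geostats_count(events, by=None):
    """geostats count [by <field>]: count per location, dropping unlocated events."""
    counts = Counter()
    for e in events:
        if "lat" not in e:
            continue
        key = (e["Country"], e["City"]) + ((e.get(by),) if by else ())
        counts[key] += 1
    return dict(counts)


def unlocated(events):
    """How many events the map will not show; worth reporting next to the map."""
    return sum(1 for e in events if "lat" not in e)


if __name__ == "__main__":
    enriched = enrich(SAMPLE_EVENTS)
    print(geostats_count(enriched, by="action"))
    print(unlocated(enriched), "events have no location")
```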
MY TIME
Take the Survey on Pony Poll
ponypoll.com/zurich2017
Get Started Fast!
splunk.com/education
Splunk Fundamentals 1.
Coming in Summer 2017. Also available at Splunk University, .conf2017
Course Topics
Introduction to Splunk's interface
Basic searching
Using fields in searches
Search fundamentals
Transforming commands
Creating reports and dashboards
Datasets
The Common Information Model (CIM)
Creating and using lookups
Scheduled Reports
Alerts
Using Pivot
https://www.splunk.com/view/SP-CAAAPX9
Become a Splunk Expert
Knowledge is Power
Using Splunk
Searching and Reporting with Splunk
Creating Splunk Knowledge Objects
Splunk Administration
Architecting and Deploying Splunk
Developing Apps with Splunk
Splunk Architect Certification Lab
Splunk Education for Security
Knowledge is Power
Using Splunk
Searching and Reporting with Splunk
Creating Splunk Knowledge Objects
Using the Splunk App for Enterprise Security
Splunk Administration
Architecting and Deploying Splunk
Administering the Splunk App for Enterprise Security
Splunk Education for IT Service Intelligence
Knowledge is Power
Using Splunk
Searching and Reporting with Splunk
Creating Splunk Knowledge Objects
Splunk Administration
Implementing IT Service Intelligence
Course Topics
• Overview of ITSI features
• ITSI architecture and deployment
• Installing ITSI
• Designing and implementing services and entities
• Configuring correlation searches and notable events
• Creating deep dive pages
• Creating glass tables
• ITSI troubleshooting
PREREQUISITES | 13.5 hour course
Using Splunk, Searching and Reporting with Splunk,
Creating Splunk Knowledge Objects, Splunk Administration


SplunkLive! Zurich 2017 - Getting Started with Splunk Enterprise


Editor's Notes

  • #9: As the data ages it will transition between hot, warm, and cold buckets. Each index can be configured to move the data based on the amount of disk used or the age of the data. For example, there may be a mandate to keep security data for 7 years, but only the last year is ever really searched. The data older than a year can be sent to cheaper disks (or even archived on tape). TSIDX Reduction (Optional) – for more information see Slide 42 in the Appendix. Since 6.4 users have the ability to reduce Splunk performance optimization data (TSIDX) files, yielding a smaller footprint: 40-80% reduction in data footprint, no functionality loss, limited performance tradeoff.
  • #55: Are you looking to learn, share, and participate with other Splunk users? Visit usergroups.splunk.com, search for <<City Name>>, and join the local user group to receive updates on upcoming meetings! We will also provide you with a link to the group in the SplunkLive! Follow-up email.
  • #56: https://www.splunk.com/view/SP-CAAAPX9
  • #57: Certification 8 Certification Tracks - Title list chart with checks Image / website
  • #58: Certification 8 Certification Tracks - Title list chart with checks Image / website
  • #59: Certification 8 Certification Tracks - Title list chart with checks Image / website
  • #60: Course Topics Overview of ITSI features ITSI architecture and deployment Installing ITSI Designing and implementing services and entities Configuring correlation searches and notable events Creating deep dive pages Creating glass tables ITSI troubleshooting