Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search...

AlexJamesPrincipalProductManager,Splunk

SearchOptimizationKarthikSabhanatarajanSeniorSoftwareEngineer,Splunk

A B C D L EA B C D L EA B C D LA B C D LA B C D

A B C D L EA B C D L EA B C D LA B C D

Motivation:Taleoftwosearches

searchSourceType lookupL evalE searchA&L&E

Diskrawdata&index

searchSourceType&A lookupL searchL evalE searchE

• 10,000,000indexhits• 1,000,000eventscreated(i.e.extractions)• 1,000,000lookups• 1,000,000evals• 1,000,000filters• Produces100,000matchingevents

• 7,000,000fewerindexhits• 700,000 fewereventscreated• 700,000fewerlookups• 800,000fewerevals• Net500,000lessfilters• ProducesIDENTICAL100,000matchingevents

TOTALWORK

SAVINGS

OptimizationPrinciplesDoaslittleworkaspossible– Retrieveonlytherequireddata– Moveaslittledataaspossible– Parallelizeasmuchworkaspossible– Setappropriatetimewindows

ImplicationsbasedonSplunkArchitecture– Filterasmuchaspossibleintheinitialsearch– Join/Lookuponlyonrequireddata– Evalontheminimumnumberofeventspossible– Delaycommandsthatbringdatatothesearchheadasmuchaspossible.

NewinSplunk6.5

Howsearchworksin6.4.

searchsourcetype=access-*(status=401orstatus=403)|lookup usertogroupuserOUTPUTgroup|where src_category=“email_server”

search lookup

1)Spliton‘|’andcreateprocessorpipeline

2)Distributebetweenindexandsearchheads,passargumentsandexecute

search lookup whereIndexer1

search lookup whereIndexer2

combine

Searchhead

Howsearchworksin6.5.

searchsourcetype=access-*(status=401orstatus=403)|lookup usertogroupuserOUTPUTgroup|where src_category=“email_server”

search lookup

1)ParseintoAST

search lookupIndexer1

search lookupIndexer2combine

Searchhead

searchsourcetype=access-*(status=401orstatus=403)src_category=“email_server”|lookup usertogroupuserOUTPUTgroup

2)OptimizeAST

3)ConstructPipelinefromAST

JSONAST

OptimizedJSONAST

4)Distributebetweenindexandsearchheads,passargumentsandexecute

Whatoptimizationsaredone?

Pushingpredicatestotheleft(ordown)– For*any*streamingcommandsthatdon’tmodifyafield:

– |rangemap field=scoreF=0-64D=65-69C=70-79B=80-89A=90-100|wherehost=mail30– |wherehost=mail30|rangemap field=scoreF=0-64D=65-69C=70-79B=80-89A=90-100

– SpecialHandlingforsomecommands:ê Rename– |renamesrc asip |whereip=“192.1.2.13”– |wheresrc=“192.1.2.13”|renamesrc asip

ê Eval– |evalsrc=if(isnull(src)ORsrc=“”,“unknown”,src |wheresrc =“192.1.2.13”– |wheresrc =“192.1.2.13”|evalsrc=if(isnull(src)ORsrc=“”,“unknown”,src

ê Byclausefilters– |statscountbyclientip|searchclientip=“192.0.0.0/8”– |searchclientip=“192.0.0.0/8”|statscountbyclientip

Search/Wheremerging– searchERROR|search404|wheresourcetype=“windows”– searchERROR404sourcetype=“windows”

Whatoptimizationsarecominglater?

PredicateSplittingPredicateNormalizationCollapsingconsecutivecommandsConvertingEvalFunctionsintoSearchfiltersifpossibleProjectionEliminationRe-usingprevioussearchresults

Whatdoesthismeanforyou?

FasterSearchesUpgradeto6.5Scanfor‘inefficientsearches’– Especiallyinscheduledworkloads...

UsetheJobInspectortoseeoptimizationinactionOptimizefurthermanuallyifneeded

Disclaimer

Duringthecourseofthispresentation,wemaymakeforwardlookingstatementsregardingfutureeventsortheexpectedperformanceofthecompany.Wecautionyouthatsuchstatementsreflectourcurrentexpectationsandestimatesbasedonfactorscurrentlyknowntousandthatactualeventsorresultscoulddiffermaterially.Forimportantfactorsthatmaycauseactualresultstodifferfromthose

containedinourforward-lookingstatements,pleasereviewourfilingswiththeSEC.Theforward-lookingstatementsmadeinthethispresentationarebeingmadeasofthetimeanddateofitslivepresentation.Ifreviewedafteritslivepresentation,thispresentationmaynotcontaincurrentoraccurateinformation.Wedonotassumeanyobligationtoupdateanyforwardlookingstatementswemaymake.Inaddition,anyinformationaboutourroadmapoutlinesourgeneralproductdirectionandissubjecttochangeatanytimewithoutnotice.Itisforinformationalpurposesonlyandshallnot,beincorporatedintoanycontractorothercommitment.Splunkundertakesnoobligationeithertodevelopthefeaturesor

functionalitydescribedortoincludeanysuchfeatureorfunctionalityinafuturerelease.

MigratingSlidesforMac1. Forbestresults,simplypasteyourslidesintothis

template.

2. ApplyslidelayoutsusingtheLayout buttonundertheFormattab.

3. IfLayoutstilldoesnotreflectthedesiredMasterLayout,chooseResetLayouttoDefaultsettings.

4. Deleteunwantedtemplateslides(anyslidesafterLastSlide).

5. ChooseSaveAstosavethefilewithoutoverwritingthetemplate.

MigratingSlidesforPC1. Forbestresults,simplypasteyourslidesintothistemplate.

– Pastingafterabulletslideisrecommended

2. Reviewallslidesandmakeformattingadjustmentsasneeded– OntheHome ribbon,clickLayout andselectthecorrectslidelayout– ClickReset toresetallslideelementstothedefaultsizeandposition– Checkforhiddentext,suchaswhitetextonawhitebackground

3. Deleteunnecessarytemplateslides4. SaveAstosavethefilewithoutoverwritingthetemplate

SlideMasters• Whenimportingslidesfromanotherpresentation,the

SlideMastersassociatedwiththoseslidesmayalsoimporttothistemplate.Thisisa‘feature’ofPPTandcannotbeturnedoff.

• TodeleteunwantedSlideMasters:– makesureallslidesinthepresentationhavethenew

templateSlideMasterLayoutsassigned(first16SlideMastersshownunderLayout)

– GotoView/MastertodeleteanyunwantedSlideMasters

• ThelastSlideMasterinthistemplateiscalledLastSlide.AnySlideMastersafterthisslidewerelikelyimportedfromanotherpresentationandcanbedeleted(ifnolongerusedbyanyslides.)

ImportantTips• Thistemplateusesareducedslidesize.Youmayhavetomanuallydecreasethesizeofsomeitemssuchasstrokes andfonts.

• Iffontsappearbiggerthandesired,remembertoassignaLayout toyourslideandResettoDefaultSettings.

• Ifpagenumbersdonotappearorarethewrongformatting,remembertoassignaLayout toyourslideandResettoDefaultSettings.

• Thecolorsinyourgraphicswillautomaticallybeshiftedtothenewpalette.Pleaseadjustasneeded.

Agenda

AgendaItemAgendaItemAgendaItem

2012GoalsandObjectivesExample

GoalItemGoalItemGoalItem

SampleTitle,66pt.Calibri

Subhead

TitleOnlySlide,60pt.Calibri

TitleOnlySlide,54pt.Calibri

Samplewithscreenshot

Screenshothere

SampleTwo-columnFormatSubhead

Sampletwo-columnformat

• Sampletwo-columnformat,sentence– Secondbullet

Sampletwo-columnformat

SplunkObjectStyleandColor

Hardware ProductBusiness/Corporate

HighlightOnlyGenericVirtualization

Generic

Thesearesuggestedusesforcolorsonly.

AssignDefaultObjectStyle

ApplyingSplunkObjectStyle

ToapplytheSplunk objectstyletoanyshape:1. Selecttheshapewiththedesiredstyle2. ClickonFormatPainter(paintbrush)toolintoolbar3. Applystyletoanynewshape

CorporateLogo ProductLogo

Splunk Icons

search barchart lock cloud opencloud checkmark envelope

storage- 3storageiPhoneiPadandroid

server indexer forwarder searchhead desktop laptop

datacenter

Splunk server

firewall

Splunk IconsCont’d

application virtualmachine virtualserver network wwworglobal tools

logfile RFID router loadbalancer script shoppingcart

user users gears/settings gear messaging tag/ticket

document

gps tower

Splunk Icons

Checkmark InfoAlert StopiPhoneiPadAndroid

Twitter Facebook LinkedIn RSS YouTube ShoppingcartGPSTower

Healthcare Hospital Officebuilding VoIPPhone Support POSCardReader RFID

Splunk Icons

SecurityIcons

FirewallAttacker,Generic

Attacker,Insider

Attacker,Nation/State

Botnet Key

Malware MalwareDocument

MalwarePackaged

SecurityBadge

SecurityServer

Shield VirusFootsteps

TheInternetofThingsIcons

POSCardReader

RFIDElectricCar

EMVReaderInternetofThings Meter Factory

SignatureCapture

Arrows

TableExample

ColumnTitle ColumnTitle ColumnTitle ColumnTitle

Text Text Text Text

TableExample

ColumnTitle ColumnTitle ColumnTitle ColumnTitle

Text Text Text Text

SampleCustomerSuccess

Customerlogohere

CustomernameCustomercompany

“SplunkmakesitcheaperandeasierforHughestoanalyzenetworktrafficforenterprisecustomersaswellasmanagebandwidthforconsumerandsmallbusinesscustomers.”

BulletplaceholderBulletplaceholderBulletplaceholder

Screenshotorgraphichere

TimelineChart

Q1 Q2 Q3 Q4

Milestone Event

ChartExample

PlannedActual

Number

FY09 FY10FY08PreviousYear

N%growthoverFYxx

QuoteBox

“Apessimistseesthedifficultyineveryopportunity;anoptimistseestheopportunityineverydifficulty.”

-WinstonChurchill

QuoteBox

WhatNow?

Relatedbreakoutsessionsandactivities…

THANKYOU

Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search...

Documents

Transcript of Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search...

The status of the search for a nEDM and the new UCN sources

Online ServiceS · your claim activity Claim search Set up your search preferences by dependent(s), claim type, time period and status Claim search results Shows the member name(s),

Indirect DM Search: Current Status and Report

Properly*Managing* Conﬁguraon*Files:*€¦ · Splunk*Web*or*the*CLI* • Bucketreplicaon*status*and*search* factor*status*available*in*Splunk*Web* viaSengs*|*Indexer*clustering*

European Direct Lending Perspectives - Creditflux€¦ · Tailor your journey • Customise search options for quick output and easy analysis • Search by fund name, manager, status,

LIGO: The Search for the Gravitational Wave Sky - status, physics, results, prospects

Search, Matching, and the Role of Digital Marketplace ...ide.mit.edu/.../SearchMatchingEfficiency.pdf · outcomes where the search engine is worse than Airbnb circa 2013 - 2014 (‘status

SEARCH FOR OSCILLATIONS: STATUS OF THE OPERA EXPERIMENT

Lopol: Logical Policy Analysis in SELinuxselinuxsymposium.org/2006/slides/07-lopol.pdf · accurate information flow model. Specific Rules •SourceType –types that may yield vulnerabilities

HOW TO VIEW PROJECT DETAILS, STATUS & KEY DATES › ... › HowtoviewProjectDetailsStatusDates.pdf · HOW TO VIEW PROJECT DETAILS, STATUS & KEY DATES 1. Select Report 2. Search Criteria

Kaixuan Ni- Current Status and Prospects for the XENON Dark Matter Search Experiment

MCD: How To - Overview · 2020. 9. 3. · Overview. MCD Notice Board, Search by Document ID, How to use this site, MCD Update Status, Public Comments Tool; Advanced Search-OR-Search.

Bill Status Search by Bill - New York State Bar Association

Direct search for Dark Matter with the EDELWEISS-II experiment: status and results

Higgs Search at LHC (and LHC/CMS status)

IMPLE SEARCH DVANCED SEARCH ROUBLESHOOTING - Online services · 2009-07-24 · Patent Services (patent family information and INPADOC legal status). ... Citations This screen contains

DOI Access User Training September, 2018 · 2020. 5. 13. · Search will find records in any status; hover cursor over green/red check/x-mark to see status Employment status value

Status of coalescing binaries search activities in Virgo GWDAW 11 18-21 Dec 2006

Regexes% Regular%expression% s Reg(ularexpressions?|ex( p|es)?) · 2017-10-08 · Splunk%> rex% • DEMO%REX2:%use% Splunk'ssuggesons! – index=main sourcetype=bluecoat|table_time_raw

Current Status and Prospects of Approved Proton Decay Search Experiments

ProperlyManaging ConﬁguraonFiles:€¦ · SplunkWebortheCLI* • Bucketreplicaonstatusandsearch factorstatusavailableinSplunkWeb viaSengs|Indexerclustering