SplunkLive Oslo/Stockholm Beginner Workshop
Transcript of SplunkLive Oslo/Stockholm Beginner Workshop
Copyright © 2013 Splunk Inc.
October 29, 2013
Technical Workshops: Getting Started User Training
Getting Started User Training Workshop
Patrik Lavén
Sales Engineer
Agenda
Getting Started with Splunk
Search
Alert
Dashboard
Deployment and Integration
Community
Help & Questions
Getting Started With Splunk
IT Operations
Security and Compliance
Digital Intelligence
App Dev and App Mgmt.
Developer Platform (REST API, SDKs)
Business Analytics
Industrial Data and Internet of Things
Small Data. Big Data. Huge Data.
Splunk Delivers Value Across IT and the Business
Install Splunk
Download: www.splunk.com/download
• 32 or 64 Bit?
• Indexer or Universal Forwarder?
Splunk Home
• WIN: \Program Files\Splunk
• Other: /opt/splunk (Applications/splunk)
Start Splunk
• WIN: \Program Files\Splunk\bin\splunk.exe start (services start)
• *NIX: /opt/splunk/bin/splunk start
Splunk Licenses
Free Download Limits Indexing to 500MB/day
• Enterprise Trial License expires after 60 days
• Reverts to Free License
Features Disabled in Free License
• Multiple user accounts and role-based access controls
• Distributed search
• Forwarding to non-Splunk instances
• Deployment management
• Scheduled saved searches and alerting
• Summary indexing
Other License Types
• Enterprise, Forwarder, Trial
Splunk Web Basics
Default installation on: http://localhost:8000
Browser Support
• Firefox 10.x and latest
• Internet Explorer 7, 8, 9 and 10
• Safari (latest)
• Chrome (latest)
Index data
• Add data
• Getting Started App
• Install an App (Splunk for Windows, *NIX)
Splunk Web Basics continued…
Splunk Home
• Provides an interactive portal to the Apps & data.
• Includes a search bar and three panels: 1 – Apps, 2 – Data, 3 – Help
Splunk Apps
• Splunk Home > Find more apps
• Provide different contexts for your data out of sets of views, dashboards, and configurations
• Default Search App
• You can create your own!
*nix app in action:
Best Practice Suggestion: Create an individual index based on sourcetype.
• Easier to re-index data if you make a mistake.
• Easier to remove data.
• Easier to define permissions and data retention.
Search Basics
Search app – Summary view
Screenshot callouts: current view, global stats, app navigation, time range picker, search box, start search
Selecting Data Summary:
• Host
• Source
• Sourcetype
Searching
Search > *
Select Time Range
• Historical, custom, or real-time
Select Mode
• Smart, Fast, Verbose
Using the timeline
• Click events and zoom in and out
• Click and drag over events for a specific range
Everything is searchable
• * wildcards supported
• Search terms are case insensitive
• Booleans AND, OR, NOT
– Booleans must be uppercase
– Implied AND between terms
– Use () for complex searches
• Quote phrases
fail*
fail* nfs
error OR 404
error OR failed OR (sourcetype=access_*(500 OR 503))
"login failure"
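The search rules above, worked through in code. This is an added example, not material from the workshop: a small Python evaluator for the slide's syntax (wildcards, case-insensitive terms, uppercase-only booleans with implied AND, parentheses, quoted phrases, field=value terms) run over a handful of constructed events. Keyword matching against whole tokens of _raw is a simplified stand-in for Splunk's own segmentation.

```python
import re

EVENTS = [  # constructed sample events (not from the slides): _raw plus the default field sourcetype
    {"_raw": "Oct 29 10:01:02 nfs01 mountd[211]: nfs mount request failed for /export", "sourcetype": "syslog"},
    {"_raw": '10.0.0.7 - - [29/Oct/2013:10:02:11] "GET /missing.html HTTP/1.1" 404 512', "sourcetype": "access_combined"},
    {"_raw": '10.0.0.8 - - [29/Oct/2013:10:02:13] "POST /login HTTP/1.1" 503 128', "sourcetype": "access_combined"},
    {"_raw": "Oct 29 10:03:40 db01 sshd[99]: error: Login failure for user admin", "sourcetype": "syslog"},
]

def glob_to_regex(pattern):
    # A term with * wildcards becomes an anchored regex; IGNORECASE because search terms are case insensitive
    return re.compile(re.escape(pattern).replace(r"\*", ".*"), re.IGNORECASE)

def term_matches(term, event):
    """One term: "quoted phrase", field=value (wildcards allowed in the value) or a bare keyword."""
    if term.startswith('"'):
        return term[1:-1].lower() in event["_raw"].lower()
    if "=" in term:
        field, _, value = term.partition("=")
        return glob_to_regex(value).fullmatch(str(event.get(field, ""))) is not None
    rx = glob_to_regex(term)  # a keyword must match a whole token of _raw (simplified segmentation)
    return any(rx.fullmatch(tok) for tok in re.findall(r"[\w.]+", event["_raw"]))

def evaluate(node, event):
    op, *args = node
    if op == "term":
        return term_matches(args[0], event)
    vals = [evaluate(a, event) for a in args]
    return not vals[0] if op == "not" else all(vals) if op == "and" else any(vals)

def search(query, events=EVENTS):
    """Indices of the events matching a search in the slide's syntax: NOT binds tightest, then AND
    (explicit, or implied between adjacent terms), then OR; ( ) group; operators count only in uppercase."""
    toks = [t for t in re.findall(r'"[^"]*"|\(|\)|[^\s()]+', query) if t != "AND"]  # AND is implied anyway
    peek = lambda: toks[0] if toks else None
    def parse_or():
        node = parse_and()
        while peek() == "OR":
            toks.pop(0)
            node = ("or", node, parse_and())
        return node
    def parse_and():
        node = parse_not()
        while peek() not in (None, ")", "OR"):  # adjacent terms: implied AND
            node = ("and", node, parse_not())
        return node
    def parse_not():
        if peek() == "NOT":
            toks.pop(0)
            return ("not", parse_not())
        tok = toks.pop(0)  # IndexError here means a truncated search such as "(error"
        if tok != "(":
            return ("term", tok)
        node = parse_or()
        toks.pop(0)  # the closing ): parse_or only ever stops at ) or at end of input
        return node
    tree = parse_or()
    if toks:  # whatever is left can only be a ) that nobody opened
        raise ValueError("unbalanced ) in search")
    return [i for i, ev in enumerate(events) if evaluate(tree, ev)]
```

Note that `error or 404` (lowercase `or`) finds nothing, because `or` is treated as a third keyword joined by implied AND, which is exactly the "Booleans must be uppercase" rule on the slide.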
Example Search:
Search Assistant
Contextual Help
- advanced type-ahead
History
- search
- commands
Search Reference
- short/long description
- examples
suggests search terms
updates as you type
shows examples and help
toggle off / on
Searches can be managed as asynchronous processes
Jobs can be
• Scheduled
• Moved to background tasks
• Paused, stopped, resumed, finalized
• Managed
• Archived
• Cancelled
Job Management
Modify Job Settings
pause
finalize
delete
Search Commands
Search > error | head 1
Search results are “piped” to the command
Commands for:
• Manipulating fields
• Formatting
• Handling results
• Reporting
Over 130 Commands!
splunk.com > Documentation > Search Reference
abstract accum addcoltotals addinfo addtotals af analyzefields anomalies
anomalousvalue append appendcols ar associate audit autoregress bin bucket chart cluster collect common contingency convert correlate counttable crawl ctable
dbinspect dedup delete delta diff discretize erex eval eventcount eventstats excerpt extract file fillnull folderize format gentimes head highlight iconify input inputcsv inputlookup iplocation join kmeans kv kvform loadjob localize localop
lookup macro makecontinuous makemv maketable map metadata multikv mvcombine mvexpand nomv outlier outlierfilter outputcsv outputlookup outputtext overlap rangemap rare regex relevancy rename replace reverse run savedsearch
savedsplunk script scrub selfjoin sendemail set sichart sirare sistats sitimechart sitop slc stash strcat streamstats sumindex summaryindex tail test
timechart top transaction transam trendline typeahead typelearner typer uniq untable xmlkv xmlunescape xpath xyseries
http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet
Field Extraction Fun
Fields
Default fields
• host, source, sourcetype, linecount, etc.
• View on left panel in search results or all in field picker
Where do fields come from?
• Pre-defined by sourcetypes
• Automatically extracted key-value pairs
• User defined
Sources, Sourcetypes, Hosts
• Host - hostname, IP address, or name of the network host from which the events originated
• Source - the name of the file, stream, or other input
• Sourcetype - a specific data type or data format
Tagging and Event Typing
Eventtypes for more human-readable reports
• to categorize and make sense of mountains of data
• punctuation helps find events with similar patterns
Search > eventtype=failed_login
instead of
Search > “failed login” OR “FAILED LOGIN” OR “Authentication failure” OR “Failed to authenticate user”
Tags are labels
• apply ad-hoc knowledge
• create logical divisions or groups
• tag hosts, sources, fields, even eventtypes
Search > tag=web_servers
instead of
Search > host=“apache1.splunk.com” OR host=“apache2.splunk.com” OR host=“apache3.splunk.com”
Extract Fields
Interactive Field Extractor
• generate PCRE
• editable regex
• preview/save
Extract Fields continued…
Configuration File
• manual field extraction
• delim-based extractions
props.conf
[mysourcetype]
REPORT-myclass = myFields
transforms.conf
[myFields]
REGEX = ^(\w+)
FORMAT = myFieldLabel::$1
Rex Search Command
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
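What these three extraction styles do to an event, as an added Python example (not code from the workshop or from Splunk): the REPORT-style REGEX + FORMAT pair from the slide, a simplified single-delimiter DELIMS/FIELDS extraction, and the slide's rex pattern. The sample events are constructed. Python's re module spells named groups (?P<name>...), so the PCRE (?<name>...) form used by rex is rewritten before matching.

```python
import re

# Constructed sample events (not from the slides); the third one matches neither extraction.
EVENTS = [
    "sendmail[4711]: From: alice@example.com To: bob@example.com subject=quarterly report",
    "sendmail[4712]: From: mallory@example.net To: alice@example.com subject=invoice",
    "kernel: usb 1-1: new high-speed USB device number 4",
]

def parse_format(fmt):
    """Parse a transforms.conf FORMAT such as 'user::$1 src::$2' into [(field, group_no), ...]."""
    return [(name, int(num)) for name, num in re.findall(r"(\w+)::\$(\d+)", fmt)]

def extract_report(event, regex, fmt):
    """Apply a REPORT-style extraction (transforms.conf REGEX + FORMAT) to one event.
    Returns {} when the regex does not match: Splunk would simply add no fields to that event."""
    m = re.search(regex, event)
    return {field: m.group(num) for field, num in parse_format(fmt)} if m else {}

def extract_delims(event, delims, fields):
    """Simplified DELIMS/FIELDS extraction: split on one delimiter and name the pieces positionally."""
    names = [f.strip() for f in fields.split(",")]
    return dict(zip(names, event.split(delims)))

def rex(event, pattern):
    """Mimic '| rex field=_raw "..."': each PCRE named group (?<name>...) becomes a field.
    Python's re only knows (?P<name>...), so the PCRE spelling is rewritten; lookbehinds
    such as (?<=x) and (?<!x) are left alone."""
    py_pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    m = re.search(py_pattern, event)
    return m.groupdict() if m else {}

def extract_all(events, regex=r"^(\w+)", fmt="myFieldLabel::$1",
                rex_pattern=r"From: (?<from>.*) To: (?<to>.*)"):
    """Run the slide's two extractions over every event and merge the resulting fields."""
    return [{**extract_report(ev, regex, fmt), **rex(ev, rex_pattern)} for ev in events]
```

The greedy `.*` in the slide's rex pattern swallows everything after the recipient address into `to`; a pattern such as `From: (?<from>\S+) To: (?<to>\S+)` stops at the first whitespace and yields clean values.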
Saved Search & Alert Basics
Saved Searches
Leverage Searches for future Insights!
• Reports
• Dashboards
• Alerts
• Eventtypes
Add a Time Range Picker
• Preset
• Relative
• Real-time
• Date-Range
• Date & Time Range
• Advanced
Create Alerts
Scheduled or Real-Time
• Define Time Ranges
• Conditions
• Thresholds
Alerting Continued…
Searches run on a schedule and fire an alert
• Example: Run a search for “Failed password” every 15 min over the last 15 min and alert if the number of events is greater than 10
Searches are running in real-time and fire an alert
• Example: Run a search for “Failed password user=john.doe” in a 1 minute window and alert if an event is found
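The two alert examples above, simulated in Python over constructed sshd-style events (an added example, not code from the workshop). The scheduled variant counts “Failed password” events in a trailing 15-minute window at each run and fires when the count exceeds 10; the real-time variant fires for each “Failed password user=john.doe” event as it arrives. The user=... field is taken from the automatically extracted key=value pairs mentioned on the Fields slide.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd-style events (not from the slides): (timestamp, _raw). A burst of twelve
# failures for john.doe between 10:02:00 and 10:02:55, then a few unrelated events.
BASE = datetime(2013, 10, 29, 10, 0, 0)
EVENTS = [(BASE + timedelta(minutes=2, seconds=5 * i),
           "sshd[1001]: Failed password user=john.doe src=10.0.0.5") for i in range(12)] + [
    (BASE + timedelta(minutes=20), "sshd[1002]: Failed password user=alice src=10.0.0.9"),
    (BASE + timedelta(minutes=31), "sshd[1003]: Accepted password user=john.doe src=10.0.0.5"),
    (BASE + timedelta(minutes=47), "sshd[1004]: Failed password user=bob src=10.0.0.12"),
]

def kv_fields(raw):
    """Automatically extracted key=value pairs, the kind the Fields slide mentions."""
    return dict(re.findall(r"(\w+)=(\S+)", raw))

def matches(raw, phrase, **fields):
    """Case-insensitive phrase search, optionally narrowed by field=value terms."""
    return phrase.lower() in raw.lower() and all(kv_fields(raw).get(k) == v for k, v in fields.items())

def scheduled_alert(events, run_at, lookback=timedelta(minutes=15), threshold=10):
    """Scheduled search (slide example 1): count 'Failed password' events in the window
    (run_at - lookback, run_at] and alert when the count exceeds the threshold. The half-open
    window means an event on the boundary is counted by exactly one run, never by two."""
    count = sum(1 for ts, raw in events
                if run_at - lookback < ts <= run_at and matches(raw, "Failed password"))
    return count > threshold, count

def scheduled_runs(events, first, last, every=timedelta(minutes=15)):
    """Simulate the scheduler: return the run times at which scheduled_alert fires."""
    fired, run_at = [], first
    while run_at <= last:
        if scheduled_alert(events, run_at)[0]:
            fired.append(run_at)
        run_at += every
    return fired

def realtime_alert(events, user):
    """Real-time search (slide example 2): 'Failed password user=<user>' evaluated as each event
    arrives, alerting per matching event. Returns the timestamps at which an alert would fire."""
    return [ts for ts, raw in sorted(events) if matches(raw, "Failed password", user=user)]
```

With the constructed data the scheduled alert fires only at the 10:15 run (12 failures in its window), while the real-time alert fires twelve times in under a minute, which is why a real-time alert on a busy pattern is usually paired with throttling.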
Alerting Actions
• Send email
• RSS
• Execute a script
• Track Alert Details
Report & Dashboard Wackiness
Reporting
Build reports from results of any search
Define your search and set your time range, accelerate your search and more
Choose the type of chart (line, area, column, etc.) and other formatting options
Reporting Examples
• Use wizard or reporting commands (timechart, top, etc.)
• Build real-time reports with real-time searches
• Save reports for use on dashboards
Dashboards
Create dashboards from search results
Dashboard Examples
Manager Settings
For All of that Cool Stuff You Just Created (and more!)
• Permissions
• Saved Searches/Reports
• Custom Views
• Distributed Splunk
• Deployment Server
• License Usage…
Deployment and Integration
Splunk Has Four Primary Functions
Searching and Reporting (Search Head)
Indexing and Search Services (Indexer)
Local and Distributed Management (Deployment Server)
Data Collection and Forwarding (Forwarder)
A Splunk install can be one or all roles…
Getting Data Into Splunk
Agent and Agent-less Approach for Flexibility
Agent-less Data Input:
• Mounted File Systems (\\hostname\mount)
• syslog (TCP/UDP) from syslog compatible hosts and network devices
• WMI (Event Logs, Performance, Active Directory) from Windows hosts
• Custom apps and scripted API connections
Splunk Forwarder (on Unix, Linux and Windows hosts, including virtual hosts):
• Local File Monitoring: log files, config files, dumps and trace files
• Windows Inputs: Event Logs, performance counters, registry monitoring, Active Directory monitoring
• Scripted Inputs: shell scripts, custom parsers, batch loading
Understanding the Universal Forwarder
Forward data without negatively impacting production performance.
Monitor files, changes and the system registry; capture metrics and status.
Diagram: Universal Forwarder Deployment with Central Deployment Management; inputs are Logs, Configurations, Messages, Metrics and Scripts.
Universal Forwarder vs Regular (Heavy) Forwarder:
• Monitor All Supported Inputs: Universal ✔, Regular (Heavy) ✔
• Routing, Filtering, Cloning: Universal ✔, Regular (Heavy) ✔
• Splunk Web: Regular (Heavy) ✔
• Python Libraries: Regular (Heavy) ✔
• Event Based Routing: Regular (Heavy) ✔
• Scripted Inputs: Regular (Heavy) ✔
Horizontal Scaling
Load balanced search and indexing for massive, linear scale out.
Forwarder Auto Load Balancing
Distributed Search
Multiple Datacenters
Index and store locally. Distribute searches to datacenters, networks & geographies.
Diagram: Distributed Search from Headquarters across London, Hong Kong, Tokyo and New York.
High Availability, On Commodity Servers and Storage
• As Splunk collects data, it keeps multiple identical copies
• If an indexer fails, incoming data continues to get indexed
• Indexed data continues to be searchable
• Easy setup and administration
• Data integrity and resilience without a SAN
Diagram: Index Replication fed by a Splunk Universal Forwarder Pool; Constant Uptime.
High Availability
Combine auto load balancing and cloning for HA at every Splunk tier.
Diagram: Data Cloning & Auto Load Balancing into Clone Group 1 (Complete Dataset) and Clone Group 2 (Complete Dataset) on Shared Storage, with Distributed Search over both groups.
Send Data to Other Systems
Route raw data in real time or send alerts based on searches.
Targets: Service Desk, Event Console, SIEM
Integrate External Data
Extend search with lookups to external data sources.
Correlate IP addresses with locations, accounts with regions.
Sources: LDAP, AD Watch Lists, CRM/ERP, CMDB
Integrate Users and Roles
Integrate authentication with LDAP and Active Directory.
Map LDAP & AD groups to flexible Splunk roles. Define any search as a filter.
Diagram: LDAP, AD Users and Groups mapped to Splunk Flexible Roles (Problem Investigation, Save Searches, Share Searches, Manage Users, Manage Indexes) with Capabilities & Filters such as NOT tag=PCI and App=ERP…
Centralized Licensing Management
Groups, Stacks, and Pools for Enterprise Deployments
Deployment Monitoring
Keep Tabs On Your Splunk Enterprise Deployment
• Forwarders
• Indexers
• Sourcetypes
• Licenses
Support and Community
Support Through the Splunk Community
Splunkbase – splunkbase.splunk.com
Browse and share Apps from Splunk, Partners and the Community
answers.splunk.com
Community-driven knowledge exchange and Q&A
.conf2014 – conf.splunk.com
5 tracks, more than 40 sessions, the smartest Splunk users together
Where to Go for Help
• Documentation – http://www.splunk.com/base/Documentation
• Technical Support – http://www.splunk.com/support
• Videos – http://www.splunk.com/videos
• Education – http://www.splunk.com/goto/education
• Community – http://answers.splunk.com
• Splunk Book – http://splunkbook.com
Thank you
November 12th, 2012
Technical Workshops: Getting Started User Training