Implementing Splunk

Cover
Copyright
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Table of Contents
Preface
Chapter 1: The Splunk Interface
	Logging into Splunk
	The home app
	The top bar
	The search & reporting app
		Data generator
		The summary view
		Search
		Actions
		Timeline
		The field picker
			Fields
		Search results
			Options
			The events viewer
	Using the time picker
	Using the field picker
	The settings section
	Summary
Chapter 2: Understanding Search
	Using search terms effectively
	Boolean and grouping operators
	Clicking to modify your search
		Event segmentation
		Field widgets
		Time
	Using fields to search
		Using the field picker
	Using wildcards efficiently
		Supplementing wildcards in fields
	All about time
		How Splunk parses time
		How Splunk stores time
		How Splunk displays time
		How time zones are determined and why it matters
		Different ways to search against time
			Presets
			Relative
			Real-time
			Date range
			Date and time range
			Advanced
		Specifying time in-line in your search
			_indextime versus _time
	Making searches faster
	Sharing results with others
		The URL
		Save as report
		Save as dashboard panel
		Save as alert
		Save as event type
	Search job settings
	Saving searches for reuse
	Creating alerts from searches
		Enable actions
		Action options
		Sharing
	Summary
Chapter 3: Tables, Charts, and Fields
	About the pipe symbol
	Using top to show common field values
		Controlling the output of top
	Using stats to aggregate values
	Using chart to turn data
	Using timechart to show values over time
		The timechart options
	Working with fields
		A regular expression primer
		Commands that create fields
			eval
			rex
		Extracting loglevel
			Using the extract fields interface
			Using rex to prototype a field
			Using the admin interface to build a field
			Indexed fields versus extracted fields
	Summary
Chapter 4: Data Models and Pivots
	What is a data model?
	What does a data model search?
		Data model objects
			Object constraining
			Attributes
	Creating a data model
		Filling in the new data model dialog
		Editing attributes
	Lookup attributes
		Children
	What is a pivot?
		The pivot editor
		Working with pivot elements
			Filtering your pivots
		Split (row or column)
			Column values
		Pivot table formatting
	A quick example
	Sparklines
	Summary
Chapter 5: Simple XML Dashboards
	The purpose of dashboards
	Using wizards to build dashboards
		Adding another panel
			A cool trick
	Converting the panel to a report
		More options
	Back to the dashboard
		Add input
		Edit source
	Editing XML directly
	UI examples app
	Building forms
		Creating a form from a dashboard
		Driving multiple panels from one form
		Post-processing search results
		Post-processing limitations
	Features replaced
	Autorun dashboard
	Scheduling the generation of dashboards
	Summary
Chapter 6: Advanced Search Examples
	Using subsearches to find loosely related events
		Subsearch
		Subsearch caveats
		Nested subsearches
	Using transaction
		Using transaction to determine the session's length
		Calculating the aggregate of transaction statistics
		Combining subsearches with transaction
	Determining concurrency
		Using transaction with concurrency
		Using concurrency to estimate server load
		Calculating concurrency with a by clause
	Calculating events per slice of time
		Using timechart
		Calculating average requests per minute
		Calculating average events per minute, per hour
	Rebuilding top
	Acceleration
		Big data - summary strategy
		Report acceleration
		Report acceleration availability
	Summary
Chapter 7: Extending Search
	Using tags to simplify search
	Using event types to categorize results
	Using lookups to enrich data
		Defining a lookup table file
		Defining a lookup definition
		Defining an automatic lookup
		Troubleshooting lookups
	Using macros to reuse logic
		Creating a simple macro
		Creating a macro with arguments
	Creating workflow actions
		Running a new search using values from an event
		Linking to an external site
		Building a workflow action to show field context
			Building the context workflow action
			Building the context macro
	Using external commands
		Extracting values from XML
			xmlkv
			XPath
		Using Google to generate results
	Summary
Chapter 8: Working with Apps
	Defining an app
	Included apps
	Installing apps
		Installing apps from Splunkbase
			Using Geo Location Lookup Script
			Using Google Maps
		Installing apps from a file
	Building your first app
	Editing navigation
	Customizing the appearance of your app
		Customizing the launcher icon
		Using custom CSS
		Using custom HTML
			Custom HTML in a simple dashboard
			Using server-side include in a complex dashboard
	Object permissions
		How permissions affect navigation
		How permissions affect other objects
		Correcting permission problems
	The app directory structure
		Adding your app to Splunkbase
			Preparing your app
			Confirming sharing settings
			Cleaning up our directories
		Packaging your app
		Uploading your app
	Summary
Chapter 9: Building Advanced Dashboards
	Reasons for working with advanced XML
	Reasons for not working with advanced XML
	Development process
	The advanced XML structure
	Converting simple XML to advanced XML
	Module logic flow
	Understanding layoutPanel
		Panel placement
	Reusing a query
	Using intentions
		stringreplace
		addterm
	Creating a custom drilldown
		Building a drilldown to a custom query
		Building a drilldown to another panel
		Building a drilldown to multiple panels using HiddenPostProcess
	Third-party add-ons
		Google Maps
		Sideview Utils
		The Sideview search module
			Linking views with Sideview
			Sideview URLLoader
			Sideview forms
		Summary
Chapter 10: Summary Indexes and CSV Files
	Understanding summary indexes
		Creating a summary index
	When to use a summary index
	When not to use a summary index
	Populating summary indexes with saved searches
	Using summary index events in a query
	Using sistats, sitop, and sitimechart
	How latency affects summary queries
	How and when to backfill summary data
		Using fill_summary_index.py to backfill
		Using collect to produce custom summary indexes
	Reducing summary index size
		Using eval and rex to define grouping fields
		Using a lookup with wildcards
		Using event types to group results
	Calculating top for a large time frame
		Summary index searches
	Using CSV files to store transient data
		Pre-populating a dropdown
		Creating a running calculation for a day
	Summary
Chapter 11: Configuring Splunk
	Locating Splunk configuration files
	The structure of a Splunk configuration file
	The configuration merging logic
		The merging order
			The merging order outside of search
			The merging order when searching
		The configuration merging logic
			Configuration merging – example 1
			Configuration merging – example 2
			Configuration merging – example 3
			Configuration merging – example 4 – search
		Using btool
	An overview of Splunk .conf files
		props.conf
			Common attributes
			Stanza types
			Priorities inside a type
			Attributes with class
		inputs.conf
			Common input attributes
			Files as inputs
			Network inputs
			Native Windows inputs
			Scripts as inputs
		transforms.conf
			Creating indexed fields
			Modifying metadata fields
			Lookup definitions
			Using REPORT
			Chaining transforms
			Dropping events
		fields.conf
		outputs.conf
		indexes.conf
		authorize.conf
		savedsearches.conf
		times.conf
		commands.conf
		web.conf
	User interface resources
		Views and navigation
		Appserver resources
		Metadata
	Summary
Chapter 12: Advanced Deployments
	Planning your installation
	Splunk instance types
		Splunk forwarders
		Splunk indexer
		Splunk search
	Common data sources
		Monitoring logs on servers
		Monitoring logs on a shared drive
		Consuming logs in batch
		Receiving syslog events
			Receiving events directly on the Splunk indexer
			Using a native syslog receiver
			Receiving syslog with a Splunk forwarder
		Consuming logs from a database
		Using scripts to gather data
	Sizing indexers
	Planning redundancy
		The replication factor
			Configuring your replication factors
		Indexer load balancing
		Understanding typical outages
	Working with multiple indexes
		The directory structure of an index
		When to create more indexes
			Testing data
			Differing longevity
			Differing permissions
			Using more indexes to increase performance
		The lifecycle of a bucket
		Sizing an index
		Using volumes to manage multiple indexes
	Deploying the Splunk binary
		Deploying from a tar file
		Deploying using msiexec
		Adding a base configuration
		Configuring Splunk to launch at boot
	Using apps to organize configuration
		Separate configurations by purpose
	Configuration distribution
		Using your own deployment system
		Using the Splunk deployment server
			Step 1 – deciding where your deployment server will run from
			Step 2 – defining your deploymentclient.conf configuration
			Step 3 – defining our machine types and locations
			Step 4 – normalizing our configurations into apps appropriately
			Step 5 – mapping these apps to deployment clients in serverclass.conf
			Step 6 – restarting the deployment server
			Step 7 – installing deploymentclient.conf
	Using LDAP for authentication
	Using Single Sign On
	Load balancers and Splunk
		web
		splunktcp
		The deployment server
	Multiple search heads
	Summary
Chapter 13: Extending Splunk
	Writing a scripted input to gather data
		Capturing script output with no date
		Capturing script output as a single event
		Making a long-running scripted input
	Using Splunk from the command line
	Querying Splunk via REST
	Writing commands
		When not to write a command
		When to write a command
		Configuring commands
		Adding fields
		Manipulating data
		Transforming data
		Generating data
	Writing a scripted lookup to enrich data
	Writing an event renderer
		Using specific fields
		A table of fields based on field value
		Pretty print XML
	Writing a scripted alert action to process results
	Hunk
	Summary
Index