Implementing Splunk 7

Cover
Title Page
Copyright and Credits
Packt Upsell
Contributors
Table of Contents
Preface
Chapter 1: The Splunk Interface
	Logging in to Splunk
	The home app
	The top bar
	The Search & Reporting app
		Data generator
		The Summary view
		Search
		Actions
		Timeline
		The field picker
			Fields
		Search results
			Options
			Events viewer
	Using the time picker
	Using the field picker
	The settings section
	Splunk Cloud
	Try before you buy
	A quick cloud tour
	The top bar in Splunk Cloud
	Splunk reference app – PAS
	Universal forwarder
	eventgen
	Next steps
	Summary
Chapter 2: Understanding Search
	Using search terms effectively
	Boolean and grouping operators
	Clicking to modify your search
		Event segmentation
		Field widgets
		Time
	Using fields to search
		Using the field picker
	Using wildcards efficiently
		Supplementing wildcards in fields
	All about time
		How Splunk parses time
		How Splunk stores time
		How Splunk displays time
		How time zones are determined and why it matters
		Different ways to search against time
			Presets
			Relative
			Real-time
				Windowed real-time versus all-time real-time searches
			Date range
			Date and time range
			Advanced
		Specifying time in-line in your search
			_indextime versus _time
	Making searches faster
	Sharing results with others
		The URL
		Save As Report
		Save As Dashboard Panel
		Save As Alert
		Save As Event Type
	Searching job settings
	Saving searches for reuse
	Creating alerts from searches
		Enable Actions
		Action Options
		Sharing
	Event annotations
		An illustration
	Summary
Chapter 3: Tables, Charts, and Fields
	About the pipe symbol
	Using top to show common field values
		Controlling the output of top
	Using stats to aggregate values
	Using chart to turn data
	Using timechart to show values over time
		The timechart options
	Working with fields
		A regular expression primer
		Commands that create fields
			eval
			rex
		Extracting loglevel
			Using the extract fields interface
			Using rex to prototype a field
			Using the admin interface to build a field
			Indexed fields versus extracted fields
				Indexed field case 1 - rare instances of a common term
				Indexed field case 2 - splitting words
				Indexed field case 3 - application from source
				Indexed field case 4 - slow requests
				Indexed field case 5 - unneeded work
	Chart enhancements in version 7.0
		charting.lineWidth
		charting.data.fieldHideList
		charting.legend.mode
		charting.fieldDashStyles
		charting.axis Y.abbreviation
	Summary
Chapter 4: Data Models and Pivots
	What is a data model?
	What does a data model search?
		Data model objects
			Object constraining
			Attributes
	Acceleration in version 7.0
	Creating a data model
		Filling in the new data model dialog
		Editing fields (attributes)
	Lookup attributes
		Children
	What is a pivot?
		The Pivot Editor
		Working with pivot elements
			Filtering pivots
		Split (row or column)
			Column values
		Pivot table formatting
	A quick example
	Sparklines
	Summary
Chapter 5: Simple XML Dashboards
	The purpose of dashboards
	Using wizards to build dashboards
		Adding another panel
			A cool trick
	Converting the panel to a report
		More options
	Back to the dashboard
		Add input
		Editing source
		Edit UI
	Editing XML directly
	UI examples app
	Building forms
		Creating a form from a dashboard
		Driving multiple panels from one form
		Post-processing search results
		Post-processing limitations
	Features replaced
	Autorun dashboard
	Scheduling the generation of dashboards
	Summary
Chapter 6: Advanced Search Examples
	Using subsearches to find loosely related events
		Subsearch
		Subsearch caveats
		Nested subsearches
	Using transaction
		Using transaction to determine session length
		Calculating the aggregate of transaction statistics
		Combining subsearches with transaction
	Determining concurrency
		Using transaction with concurrency
		Using concurrency to estimate server load
		Calculating concurrency with a by clause
	Calculating events per slice of time
		Using timechart
		Calculating average requests per minute
		Calculating average events per minute, per hour
	Rebuilding top
	Acceleration
		Big data – summary strategy
		Report acceleration
		Report acceleration availability
	Version 7.0 advancements in metrics
		Definition of a Splunk metric
		Using Splunk metrics
			Creating a metrics index
			Creating a UDP or TCP data input
	Summary
Chapter 7: Extending Search
	Using tags to simplify search
	Using event types to categorize results
	Using lookups to enrich data
		Defining a lookup table file
		Defining a lookup definition
		Defining an automatic lookup
		Troubleshooting lookups
	Using macros to reuse logic
		Creating a simple macro
		Creating a macro with arguments
	Creating workflow actions
		Running a new search using values from an event
		Linking to an external site
		Building a workflow action to show field context
			Building the context workflow action
			Building the context macro
	Using external commands
		Extracting values from XML
			xmlkv
			XPath
		Using Google to generate results
	Summary
Chapter 8: Working with Apps
	Defining an app
	Included apps
	Installing apps
		Installing apps from Splunkbase
			Using Geo Location Lookup Script
			Using Google Maps
		Installing apps from a file
	Building your first app
	Editing navigation
	Customizing the appearance of your app
		Customizing the launcher icon
		Using custom CSS
		Using custom HTML
			Custom HTML in a simple dashboard
			Using server-side include in a complex dashboard
	Object permissions
		How permissions affect navigation
		How permissions affect other objects
		Correcting permission problems
	App directory structure
		Adding your app to Splunkbase
			Preparing your app
			Confirming sharing settings
			Cleaning up our directories
		Packaging your app
		Uploading your app
	Self-service app management
	Summary
Chapter 9: Building Advanced Dashboards
	Reasons for working with advanced XML
	Reasons for not working with advanced XML
	Development process
	Advanced XML structure
	Converting simple XML to advanced XML
	Module logic flow
	Understanding layoutPanel
		Panel placement
	Reusing a query
	Using intentions
		stringreplace
		addterm
	Creating a custom drilldown
		Building a drilldown to a custom query
		Building a drilldown to another panel
		Building a drilldown to multiple panels using HiddenPostProcess
	Third-party add-ons
		Google Maps
		Sideview Utils
		The Sideview search module
			Linking views with Sideview
			Sideview URLLoader
			Sideview forms
	Summary
Chapter 10: Summary Indexes and CSV Files
	Understanding summary indexes
		Creating a summary index
	When to use a summary index
	When to not use a summary index
	Populating summary indexes with saved searches
	Using summary index events in a query
	Using sistats, sitop, and sitimechart
	How latency affects summary queries
	How and when to backfill summary data
		Using fill_summary_index.py to backfill
		Using collect to produce custom summary indexes
	Reducing summary index size
		Using eval and rex to define grouping fields
		Using a lookup with wildcards
		Using event types to group results
	Calculating top for a large time frame
		Summary index searches
	Using CSV files to store transient data
		Pre-populating a dropdown
		Creating a running calculation for a day
	Summary
Chapter 11: Configuring Splunk
	Locating Splunk configuration files
	The structure of a Splunk configuration file
	The configuration merging logic
		The merging order
			The merging order outside of search
			The merging order when searching
		The configuration merging logic
			Configuration merging – example 1
			Configuration merging – example 2
			Configuration merging – example 3
			Configuration merging – example 4, search
		Using btool
	An overview of Splunk.conf files
		props.conf
			Common attributes
				Search-time attributes
				Index-time attributes
				Parse-time attributes
				Input-time attributes
			Stanza types
			Priorities inside a type
			Attributes with class
		inputs.conf
			Common input attributes
			Files as inputs
				Using patterns to select rolled logs
				Using blacklist and whitelist
				Selecting files recursively
				Following symbolic links
				Setting the value of the host from the source
				Ignoring old data at installation
				When to use crcSalt
				Destructively indexing files
			Network inputs
			Native Windows inputs
			Scripts as inputs
		transforms.conf
			Creating indexed fields
				Creating a loglevel field
				Creating a session field from the source
				Creating a tag field
				Creating host categorization fields
			Modifying metadata fields
				Overriding the host
				Overriding the source
				Overriding sourcetype
				Routing events to a different index
			Lookup definitions
				Wildcard lookups
				CIDR wildcard lookups
				Using time in lookups
			Using REPORT
				Creating multivalue fields
				Creating dynamic fields
			Chaining transforms
			Dropping events
		fields.conf
		outputs.conf
		indexes.conf
		authorize.conf
		savedsearches.conf
		times.conf
		commands.conf
		web.conf
	User interface resources
		Views and navigation
		Appserver resources
		Metadata
	Summary
Chapter 12: Advanced Deployments
	Planning your installation
	Splunk instance types
		Splunk forwarders
		Splunk indexer
		Splunk search
	Common data sources
		Monitoring logs on servers
		Monitoring logs on a shared drive
		Consuming logs in batch
		Receiving syslog events
			Receiving events directly on the Splunk indexer
			Using a native syslog receiver
			Receiving syslog with a Splunk forwarder
		Consuming logs from a database
		Using scripts to gather data
	Sizing indexers
	Planning redundancy
		The replication factor
			Configuring your replication factors
				Syntax
		Indexer load balancing
		Understanding typical outages
	Working with multiple indexes
		Directory structure of an index
		When to create more indexes
			Testing data
			Differing longevity
			Differing permissions
			Using more indexes to increase performance
		The life cycle of a bucket
		Sizing an index
		Using volumes to manage multiple indexes
	Deploying the Splunk binary
		Deploying from a tar file
		Deploying using msiexec
		Adding a base configuration
		Configuring Splunk to launch at boot
	Using apps to organize configuration
		Separate configurations by purpose
	Configuration distribution
		Using your own deployment system
		Using the Splunk deployment server
			Step 1 – deciding where your deployment server will run
			Step 2 - defining your deploymentclient.conf configuration
			Step 3 - defining our machine types and locations
			Step 4 - normalizing our configurations into apps appropriately
			Step 5 - mapping these apps to deployment clients in serverclass.conf
			Step 6 - restarting the deployment server
			Step 7 - installing deploymentclient.conf
	Using LDAP for authentication
	Using single sign-on
	Load balancers and Splunk
		web
		splunktcp
		deployment server
	Multiple search heads
	Summary
Chapter 13: Extending Splunk
	Writing a scripted input to gather data
		Capturing script output with no date
		Capturing script output as a single event
		Making a long-running scripted input
	Using Splunk from the command line
	Querying Splunk via REST
	Writing commands
		When not to write a command
		When to write a command
		Configuring commands
		Adding fields
		Manipulating data
		Transforming data
		Generating data
	Writing a scripted lookup to enrich data
	Writing an event renderer
		Using specific fields
		A table of fields based on field value
		Pretty printing XML
	Writing a scripted alert action to process results
	Hunk
	Summary
Chapter 14: Machine Learning Toolkit
	What is machine learning?
		Content recommendation engines
		Natural language processing
		Operational intelligence
	Defining the toolkit
		Time well spent
		Obtaining the Kit
			Prerequisites and requirements
			Installation
	The toolkit workbench
	Assistants
	Extended SPL (search processing language)
		ML-SPL performance app
	Building a model
		Time series forecasting
		Using Splunk
		Launching the toolkit
	Validation
		Deployment
		Saving a report
		Exporting data
	Summary
Index