Mastering Splunk

Book Description

Optimize your machine-generated data effectively by developing advanced analytics with Splunk

In Detail

Splunk is a widely deployed platform for indexing, searching, and analyzing the ever-growing volumes of machine-generated data. It is used across big data analysis, online services, education, finance, healthcare, retail, and telecommunications, so Splunk experience will remain relevant for a long time to come.

This book first takes you through the evolution of Splunk and how it fits into an organization's architectural roadmap. You will then master advanced search topics and explore in-depth methods for working with Splunk tables, charts, and fields. As the chapters progress, you will cover best practices for lookups, indexes, and effective business dashboards, and learn how to evolve your own Splunk apps and their monitoring and alerting capabilities. Finally, the book rounds things off with a discussion of transactions from an enterprise perspective.

By the end of the book, you will be able to apply and integrate advanced Splunk techniques to optimize your data and meet your organization's strategic demands.

What You Will Learn

  • Get started in the most efficient way, become proficient, and ultimately master Splunk
  • Master the techniques to create advanced-level Splunk search strings
  • Easily leverage advanced tables, charts, and fields to organize your data
  • Understand Splunk lookups and how they relate to enterprise development
  • Build practical dashboards with your data
  • Acquire a master-level understanding of Splunk indexes and indexing
  • Build your own Splunk apps and learn why they are important
  • Compare Splunk's abilities with other monitoring tools in terms of monitoring data and alerts
  • Understand what Splunk transactions are and how to use them to optimize your corporate data

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Mastering Splunk
    1. Table of Contents
    2. Mastering Splunk
    3. Credits
    4. About the Author
    5. About the Reviewers
    6. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
        3. Instant updates on new Packt books
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the color images of this book
        2. Errata
        3. Piracy
        4. Questions
    8. 1. The Application of Splunk
      1. The definition of Splunk
        1. Keeping it simple
      2. Universal file handling
      3. Confidentiality and security
        1. The evolution of Splunk
          1. The Splunk approach
            1. The correlation of information
      4. Conventional use cases
        1. Investigational searching
          1. Searching with pivot
          2. The event timeline
        2. Monitoring
          1. Alerting
          2. Reporting
        3. Visibility in the operational world
          1. Operational intelligence
          2. A technology-agnostic approach
        4. Decision support – analysis in real time
          1. ETL analytics and preconceptions
          2. The complements of Splunk
          3. ODBC
      5. Splunk – outside the box
        1. Customer Relationship Management
        2. Emerging technologies
        3. Knowledge discovery and data mining
        4. Disaster recovery
        5. Virus protection
        6. The enhancement of structured data
        7. Project management
        8. Firewall applications
        9. Enterprise wireless solutions
        10. Hadoop technologies
        11. Media measurement
        12. Social media
        13. Geographical Information Systems
        14. Mobile Device Management
      6. Splunk in action
      7. Summary
    9. 2. Advanced Searching
      1. Searching in Splunk
        1. The search dashboard
        2. The new search dashboard
        3. The Splunk search mechanism
        4. The Splunk quick reference guide
        5. Please assist me, let me go
        6. Basic optimization
        7. Fast, verbose, or smart?
        8. The breakdown of commands
        9. Understanding the difference between sparse and dense
        10. Searching for operators, command formats, and tags
        11. The process flow
        12. Boolean expressions
        13. You can quote me, I'm escaping
        14. Tag me Splunk!
          1. Assigning a search tag
          2. Tagging field-value pairs
          3. Wild tags!
            1. Wildcards – generally speaking
          4. Disabling and deleting tags
        15. Transactional searching
      2. Knowledge management
        1. Some working examples
      3. Subsearching
        1. Output settings for subsearches
        2. Search Job Inspector
      4. Searching with parameters
        1. The eval statement
          1. A simple example
      5. Splunk macros
        1. Creating your own macro
        2. Using your macros
        3. The limitations of Splunk
      6. Search results
        1. Some basic Splunk search examples
        2. Additional formatting
      7. Summary
    10. 3. Mastering Tables, Charts, and Fields
      1. Tables, charts, and fields
        1. Splunking into tables
          1. The table command
          2. The Splunk rename command
          3. Limits
          4. Fields
          5. An example of the fields command
        2. Returning search results as charts
          1. The chart command
          2. The split-by fields
          3. The where clause
          4. More visualization examples
          5. Some additional functions
      2. Splunk bucketing
        1. Reporting using the timechart command
        2. Arguments required by the timechart command
        3. Bucket time spans versus per_* functions
      3. Drilldowns
        1. The drilldown options
        2. The basic drilldown functionality
        3. Row drilldowns
        4. Cell drilldowns
        5. Chart drilldowns
        6. Legends
      4. Pivot
        1. The pivot editor
        2. Working with pivot elements
          1. Filtering your pivots
      5. Split
      6. Column values
      7. Pivot table formatting
      8. A quick example
      9. Sparklines
      10. Summary
    11. 4. Lookups
      1. Introduction
      2. Configuring a simple field lookup
        1. Defining lookups in Splunk Web
        2. Automatic lookups
          1. The Add new page
        3. Configuration files
        4. Implementing a lookup using configuration files – an example
        5. Populating lookup tables
        6. Handling duplicates with dedup
        7. Dynamic lookups
        8. Using Splunk Web
        9. Using configuration files instead of Splunk Web
          1. External lookups
            1. Explanation
        10. Time-based lookups
          1. An easier way to create a time-based lookup
        11. Seeing double?
      3. Command roundup
        1. The lookup command
        2. The inputlookup and outputlookup commands
        3. The inputcsv and outputcsv commands
      4. Summary
    12. 5. Progressive Dashboards
      1. Creating effective dashboards
        1. Views
        2. Panels
        3. Modules
      2. Form searching
        1. An example of a search form
          1. Dashboards versus forms
      3. Going back to dashboards
        1. The Panel Editor
        2. The Visualization Editor
          1. XML
        3. Let's walk through the Dashboard Editor
        4. Constructing a dashboard
          1. Constructing the framework
          2. Adding panels and panel content
            1. Adding a panel
          3. Specifying visualizations for the dashboard panel
            1. The time range picker
          4. Adding panels to your dashboard
          5. Controlling access to your dashboard
          6. Cloning and deleting
          7. Keeping in context
          8. Some further customization
          9. Using panels
          10. Adding and editing dashboard panels
          11. Visualize this!
            1. The visualization type
            2. The visualization format
        5. Dashboards and XML
          1. Editing the dashboard XML code
          2. Dashboards and the navigation bar
        6. Color my world
      4. More on searching
        1. Inline searches
          1. A saved search report
          2. The inline pivot
          3. The saved pivot report
      5. Dynamic drilldowns
        1. The essentials
        2. Examples
        3. No drilldowns
      6. Real-world, real-time solutions
      7. Summary
    13. 6. Indexes and Indexing
      1. The importance of indexing
      2. What is a Splunk index?
        1. Event processing
          1. Parsing
          2. Indexing
        2. Index composition
        3. Default indexes
      3. Indexes, indexers, and clusters
      4. Managing Splunk indexes
        1. Getting started
      5. Dealing with multiple indexes
        1. Reasons for multiple indexes
        2. Creating and editing Splunk indexes
          1. Important details about indexes
        3. Other indexing methods
          1. Editing the indexes.conf file
        4. Using your new indexes
        5. Sending all events to be indexed
        6. Sending specific events
          1. A transformation example
          2. Searching for a specified index
      6. Deleting your indexes and indexed data
        1. Deleting Splunk events
          1. Not all events!
        2. Deleting data
          1. Administrative CLI commands
          2. The clean command
          3. Deleting an index
          4. Disabling an index
          5. Retirements
      7. Configuring indexes
      8. Moving your index database
      9. Spreading out your Splunk index
      10. Size matters
        1. Index-by-index attributes
          1. Bucket types
          2. Volumes
            1. Creating and using volumes
      11. Hitting the limits
        1. Setting your own minimum free disk space
      12. Summary
    14. 7. Evolving your Apps
      1. Basic applications
        1. The app list
          1. More about apps
          2. Out of the box apps
          3. Add-ons
          4. Splunk Web
        2. Installing an app
        3. Disabling and removing a Splunk app
      2. BYO or build your own apps
      3. App FAQs
      4. The end-to-end customization of Splunk
      5. Preparation for app development
        1. Beginning Splunk app development
          1. Creating the app's workspace
          2. Adding configurations
          3. The app.conf file
          4. Giving your app an icon
          5. Other configurations
          6. Creating the app objects
            1. Setting the ownership
            2. Setting the app's permissions
            3. Another approach to permissions
            4. A default.meta example
          7. Building navigations
          8. Let's adjust the navigation
            1. Using the default.xml file rather than Splunk Web
            2. Creating an app setup and deployment
            3. Creating a setup screen
            4. The XML syntax used
        2. Packaging apps for deployment
      6. Summary
    15. 8. Monitoring and Alerting
      1. What to monitor
        1. Recipes
        2. Pointing Splunk to data
          1. Splunk Web
          2. Splunk CLI
          3. Splunk configuration files
          4. Apps
        3. Monitoring categories
      2. Advanced monitoring
      3. Location, location, location
      4. Leveraging your forwarders
      5. Can I use apps?
      6. Windows inputs in Splunk
      7. Getting started with monitoring
        1. Custom data
        2. Input typing
      8. What does Splunk do with the data it monitors?
        1. The Splunk data pipeline
      9. Splunk
        1. Where is this app?
        2. Let's Install!
      10. Viewing the Splunk Deployment Monitor app
      11. All about alerts
        1. Alerting a quick startup
          1. You can't do that
          2. Setting enabling actions
            1. Listing triggered alerts
            2. Sending e-mails
            3. Running a script
            4. Action options – when triggered, execute actions
            5. Throttling
      12. Editing alerts
        1. Editing the description
        2. Editing permissions
        3. Editing the alert type and trigger
        4. Editing actions
        5. Disabling alerts
        6. Cloning alerts
        7. Deleting alerts
      13. Scheduled or real time
      14. Extended functionalities
        1. Splunk acceleration
        2. Expiration
        3. Summary indexing
      15. Summary
    16. 9. Transactional Splunk
      1. Transactions and transaction types
        1. Let's get back to transactions
      2. Transaction search
        1. An example of a Splunk transaction
        2. The Transaction command
        3. Transactions and macro searches
        4. A refresher on search macros
          1. Defining your arguments
          2. Applying a macro
      3. Advanced use of transactions
        1. Configuring transaction types
          1. The transactiontypes.conf file
          2. An example of transaction types
        2. Grouping – event grouping and correlation
        3. Concurrent events
          1. Examples of concurrency command use
        4. What to avoid – stats instead of transaction
      4. Summary
    17. 10. Splunk – Meet the Enterprise
      1. General concepts
      2. Best practices
      3. Definition of Splunk knowledge
        1. Data interpretation
        2. Classification of data
        3. Data enrichment
        4. Normalization
        5. Modeling
      4. Strategic knowledge management
      5. Splunk object management with knowledge management
      6. Naming conventions for documentation
        1. Developing naming conventions for knowledge objects
          1. Organized naming conventions
          2. Object naming conventions
          3. Hints
          4. An example of naming conventions
          5. Splunk's Common Information Model
      7. Testing
        1. Testing before sharing
        2. Levels of testing
          1. Unit testing
          2. Integration testing
          3. Component interface testing
          4. System testing
          5. Acceptance testing
          6. Performance testing
          7. Splunk's performance test kit
          8. Regression testing
      8. Retrofitting
      9. The enterprise vision
        1. Evaluation and implementation
        2. Build, use, and repeat
        3. Management and optimization
        4. More on the vision
        5. A structured approach
          1. Splunk – all you need for a search engine
      10. Summary
    18. A. Quick Start
      1. Topics
      2. Where and how to learn Splunk
      3. Certifications
        1. Knowledge manager
        2. Administrator
        3. Architect
        4. Supplemental certifications
          1. Splunk partners
          2. Proper training
      4. The Splunk documentation
      5. www.splunk.com
      6. Splunk answers
      7. Splunkbase
      8. The support portal
      9. The Splexicon
      10. The "How-to" tutorials
      11. User conferences, blogs, and news groups
      12. Professional services
      13. Obtaining the Splunk software
        1. Disclaimer
        2. Disk space requirements
          1. To go physical or logical?
          2. The Splunk architecture
          3. Creating your Splunk account
        3. Installation and configuration
          1. Installation
            1. Splunk home
      14. An environment to learn in
      15. Summary
    19. Index