Splunk Essentials - Second Edition

Book Description

A fast-paced and practical guide to demystifying big data and transforming it into operational intelligence

About This Book

  • Want to get started with Splunk to analyze and visualize machine data? Open this book and step into the world of Splunk.

  • Leverage the exceptional analysis and visualization capabilities to make informed decisions for your business

  • This easy-to-follow, practical book can be used by anyone, even if you have never managed any data before

Who This Book Is For

This book will be perfect for you if you are a software engineer, developer, system administrator, or business analyst who seeks to correlate machine data with business metrics and provide intuitive real-time and statistical visualizations. Some knowledge or experience of previous versions of Splunk will be helpful but not essential.

What You Will Learn

  • Install and configure Splunk

  • Gather data from different sources, isolate them by indexes, classify them into source types, and tag them with the essential fields

  • Be comfortable with the Search Processing Language and get to know the best practices in writing search queries

  • Create stunning and powerful dashboards

  • Be proactive by implementing alerts and scheduled reports

  • Use the Splunk SDK and integrate Splunk data into other applications

  • Implement the best practices in using Splunk

In Detail

Splunk is a search, analysis, and reporting platform for machine data that is widely adopted in the market. More and more organizations want to adopt Splunk to use their data to make informed decisions.

This book is for anyone who wants to manage data with Splunk. You'll start with the very basics of Splunk, installing it, and then move on to searching machine data. You will gather data from different sources, isolate it by index, classify it into source types, and tag it with the essential fields. After this, you will learn to create reports, XML forms, and alerts. You will then use the Pivot model to turn data models into visualizations, and you will also explore visualization with D3 in Splunk. Finally, you'll be given some real-world best practices for using Splunk.

Style and approach

This fast-paced, example-rich guide will help you analyze and visualize machine data with Splunk through simple, practical instructions.

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the code file.

Table of Contents

    1. Splunk Essentials Second Edition
      1. Splunk Essentials Second Edition
      2. Credits
      3. About the Authors
      4. About the Reviewer
        1. Why subscribe?
      6. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Downloading the color images of this book
          3. Errata
          4. Piracy
          5. Questions
      7. 1. Splunk in Action
        1. Your account
          1. Obtaining a account
        2. Installing Splunk on Windows
          1. Logging in the first time
          2. Run a simple search
        3. Creating a Splunk app
        4. Populating data with Eventgen
          1. Installing an add-on
        5. Controlling Splunk
        6. Configuring Eventgen
        7. Viewing the Destinations app
        8. Creating your first dashboard
        9. Summary
      8. 2. Bringing in Data
        1. Splunk and big data
          1. Streaming data
          2. Latency of data
          3. Sparseness of data
        2. Splunk data sources
          1. Machine data
          2. Web logs
          3. Data files
          4. Social media data
          5. Other data types
        3. Creating indexes
        4. Buckets
        5. Data inputs
        6. Splunk events and fields
        7. Extracting new fields
        8. Summary
      9. 3. Search Processing Language
        1. Anatomy of a search
          1. Search pipeline
        2. Time modifiers
        3. Filtering search results
        4. Search command - stats
        5. Search command - top/rare
        6. Search commands - chart and timechart
        7. Search command - eval
        8. Search command - rex
        9. Summary
      10. 4. Data Models and Pivot
        1. Creating a data model
          1. Adding attributes to objects
          2. Creating child objects
          3. Creating an attribute based on a regular expression
        2. Data model acceleration
          1. The Pivot Editor
          2. Creating a chart from a Pivot
          3. Creating an area chart
          4. Creating a pie chart showing destination details by airport code
          5. Single value with trending sparkline
        3. Rearranging your dashboard
        4. Summary
      11. 5. Data Optimization, Reports, Alerts, and Accelerating Searches
        1. Data classification with event types
        2. Data normalization with tags
        3. Data enrichment with lookups
        4. Creating reports
        5. Creating alerts
        6. Search and report acceleration
        7. Scheduling best practices
        8. Summary indexing
        9. Summary
      12. 6. Panes of Glass
        1. Creating effective dashboards
        2. Types of dashboard
          1. Gathering information and business requirements
          2. Dynamic form-based dashboard
            1. Creating a Status Distribution panel
            2. Creating the Status Types Over Time panel
            3. Creating the Hits vs Response Time panel
            4. Arranging the dashboard
          3. Panel options
            1. Pie chart - status distribution
            2. Stacked area chart - Status Types Over Time
          4. Column with line overlay combo chart - Hits vs Response Time
        3. Form inputs
        4. Creating a time range input
        5. Creating a radio input
        6. Creating a dropdown input
        7. Static Real-Time dashboard
          1. Single Value Panels with color ranges
          2. Creating panels by cloning
          3. Single Value Panels with trends
          4. Real-time column charts with line overlays
        8. Creating a map called a choropleth
        9. Summary
      13. 7. Splunk SDK for JavaScript and D3.js
        1. Introduction to Splunk SDKs
        2. Practical applications of Splunk's SDK
          1. Prerequisites
          2. Creating a CRON Job
          3. Creating a saved search
        3. Creating the final dashboard\jobs.js
          1. HTTP server
          2. Rendering the chart
        4. Summary
      14. 8. HTTP Event Collector
        1. What is the HEC?
        2. How does the HEC work?
        3. How data flows to the HEC?
          1. Logging in data
          2. Using a token with data
          3. Sending out the data request
          4. Verifying the token
          5. Indexing the data
            1. Enabling the HEC
            2. Generating an HEC authentication token
            3. How to test the HEC with cURL and PowerShell
              1. Using the HEC with dynamic UI events
            4. JavaScript logging with the HEC
        4. Summary
      15. 9. Best Practices and Advanced Queries
        1. Temporary indexes and oneshot indexing
        2. Searching within an index
        3. Search within a limited time frame
        4. Quick searches via fast mode
        5. Using event sampling
        6. Splunk Universal Forwarders
        7. Advanced queries
          1. Subsearch
          2. Using append
          3. Using join
          4. Using eval and if
          5. Using eval and match with a case function
        8. How to improve logs
          1. Including clear key-value pairs
          2. Creating events that are understandable to human readers
          3. Remember to use timestamps for all events
          4. Be sure your identifiers are unique
          5. Log using text format, not binary
          6. Use formats that developers can use easily
          7. Log what you think might be useful at some point
          8. Create use categories with meaning
          9. Include the source of the log event
          10. Minimize the number of multi-line events
        9. Summary