Posted: 30/03/2014, 05:20

Implementing Splunk: Big Data Reporting and Development for Operational Intelligence
Learn to transform your machine data into valuable IT and business insights with this comprehensive and practical tutorial
Vincent Bumgarner
BIRMINGHAM - MUMBAI

Implementing Splunk: Big Data Reporting and Development for Operational Intelligence
Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.

First published: January 2013
Production Reference: 1140113

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-84969-328-8
www.packtpub.com

Cover Image by Vincent Bumgarner

Credits
Author: Vincent Bumgarner
Reviewers: Mathieu Dessus, Cindy McCririe, Nick Mealy
Acquisition Editor: Kartikey Pandey
Lead Technical Editor: Azharuddin Sheikh
Technical Editors: Charmaine Pereira, Varun Pius Rodrigues
Copy Editors: Brandt D'Mello, Aditya Nair, Alda Paiva, Laxmi Subramanian, Ruta Waghmare
Project Coordinator: Anish Ramchandani
Proofreader: Martin Diver
Indexer: Tejal Soni
Graphics: Aditi Gajjar
Production Coordinator: Nitesh Thakur
Cover Work: Nitesh Thakur

About the Author

Vincent Bumgarner has been designing software for nearly 20 years, working in many languages on nearly as many platforms. He started using Splunk in 2007 and has enjoyed watching the product evolve over the years.

While working for Splunk, he helped many companies, training dozens of users to drive, extend, and administer this extremely flexible product. At least one person at every company he worked with asked for a book on Splunk, and he hopes his effort helps fill their shelves.

I would like to thank my wife and kids as this book could not have happened without their support. A big thank you to all of the reviewers for contributing their time and expertise, and special thanks to SplunkNinja for the [...]

About the Reviewers

Mathieu Dessus is a security consultant for Verizon in France and acts as the SIEM leader for EMEA. With more than 12 years of experience in the security area, he has acquired a deep technical background in the management, design, assessment, and systems integration of information security technologies. He specializes in web security, Unix, SIEM, and security architecture design.

Cindy McCririe is a client architect at Splunk. In this role, she has worked with several of Splunk's enterprise customers, ensuring successful deployment of the technology.
Many of these customers are using Splunk in unique ways. Sample use cases include PCI compliance, security, operations management, business intelligence, Dev/Ops, and transaction profiling.

Nick Mealy was an early employee at Splunk and worked as the Mad Scientist / Principal User Interface Developer at Splunk from March 2005 to September 2010. He led the technical design and development of the systems that power Splunk's search and reporting interfaces as well as the general systems that power Splunk's configurable views and dashboards. In 2010, he left Splunk to found his current company, Sideview, which is creating new Splunk apps and new products on top of the Splunk platform.

Table of Contents

Preface
Chapter 1: The Splunk Interface
  Logging in to Splunk
  The Home app
  The top bar
  Search app
    Data generator
    The Summary view
    Search
    Actions
    Timeline
    The field picker
    Fields
    Search results
    Options
    Events viewer
  Using the time picker
  Using the field picker
  Using Manager
  Summary
Chapter 2: Understanding Search
  Using search terms effectively
  Boolean and grouping operators
  Clicking to modify your search
    Event segmentation
    Field widgets
    Time
  Using fields to search
    Using the field picker
  Using wildcards efficiently
    Only trailing wildcards are efficient
    Wildcards are tested last
    Supplementing wildcards in fields
  All about time
    How Splunk parses time
    How Splunk stores time
    How Splunk displays time
    How time zones are determined and why it matters
    Different ways to search against time
    Specifying time in-line in your search
    _indextime versus _time
  Making searches faster
  Sharing results with others
  Saving searches for reuse
  Creating alerts from searches
    Schedule
    Actions
  Summary
Chapter 3: Tables, Charts, and Fields
  About the pipe symbol
  Using top to show common field values
    Controlling the output of top
  Using stats to aggregate values
  Using chart to turn data
  Using timechart to show values over time
    timechart options
  Working with fields
    A regular expression primer
    Commands that create fields
      eval
      rex
    Extracting loglevel
      Using the Extract Fields interface
      Using rex to prototype a field
      Using the admin interface to build a field
    Indexed fields versus extracted fields
  Summary
Chapter 4: Simple XML Dashboards
  The purpose of dashboards
  Using wizards to build dashboards
  Scheduling the generation of dashboards
  Editing the XML directly
  UI Examples app
  Building forms
    Creating a form from a dashboard
    Driving multiple panels from one form
    Post-processing search results
      Post-processing limitations
      Panel 1
      Panel 2
      Panel 3
      Final XML
  Summary
Chapter 5: Advanced Search Examples
  Using subsearches to find loosely related events
    Subsearch
    Subsearch caveats
    Nested subsearches
  Using transaction
    Using transaction to determine the session length
    Calculating the aggregate of transaction statistics
    Combining subsearches with transaction
  Determining concurrency
    Using transaction with concurrency
    Using concurrency to estimate server load
    Calculating concurrency with a by clause
  Calculating events per slice of time
    Using timechart
    Calculating average requests per minute
    Calculating average events per minute, per hour
  Rebuilding top
  Summary
Chapter 6: Extending Search
  Using tags to simplify search
  Using event types to categorize results
  Using lookups to enrich data
    Defining a lookup table file [...]
[...] quick notes about the Splunk documentation: To get to documentation for search and reporting commands, quick help is provided while searching, and a link to the documentation for that command is provided through the interface. When working directly with configuration files, the fastest route to the documentation for that file is to search for "splunk name.conf" using your favorite search engine. The documentation [...]

Preface

Who this book is for

This book should be useful for new users, seasoned users, dashboard designers, and system administrators alike. This book does not try to act as a replacement for the official Splunk documentation, but should serve as a shortcut for many concepts. For some sections, a good understanding of regular expressions would be helpful. For some sections, the ability to read [...]

[...] reporting, and studying machine data. This machine data usually comes from server logs, but it could also be collected from other sources. Splunk is by far the most flexible and scalable solution available to tackle the huge problem of making machine data useful. The goal of this book is to serve as an organized and curated guide to Splunk 4.3. As the documentation and community resources available for Splunk [...]

[...] Extending Splunk
  Writing a scripted input to gather data
    Capturing script output with no date
    Capturing script output as a single event
    Making a long-running scripted input
  Using Splunk from the command line
  Querying Splunk via REST
  Writing commands
    When not to write a command
    When to write a command
    Configuring commands
    Adding fields
    Manipulating data [...]

[...] custom commands, and custom actions.

What you need for this book

To work through the examples in this book, you will need an installation of Splunk, preferably a non-production instance. If you are already working with Splunk, then the concepts introduced by the examples should be applicable to your own data. Splunk can be downloaded for free from [...], for most popular platforms [...]
[...]
    Transforming data
    Generating data
  Writing a scripted lookup to enrich data
  Writing an event renderer
    Using specific fields
    Table of fields based on field value
    Pretty print XML
  Writing a scripted alert action to process results
  Summary
Index

Preface

Splunk is a powerful tool for collecting, storing, alerting, reporting, [...]

[...]
  transforms.conf
    Modifying metadata fields
    Lookup definitions
    Using REPORT
    Chaining transforms
    Dropping events
  fields.conf
  outputs.conf
  indexes.conf
  authorize.conf
  savedsearches.conf
  times.conf
  commands.conf
  web.conf
  User interface resources
    Views and navigation
    Appserver resources
    Metadata [...]

[...] more detailed manner in Chapter 7, Working with Apps.

Under Do more with Splunk, we find:

• Add data: This links to the Add Data to Splunk page. This interface is a great start for getting local data flowing into Splunk. The new Preview data interface takes an enormous amount of complexity out of configuring dates and line breaking. We won't go through those interfaces here, but we will go through the configuration [...]

[...] needed for an effective implementation of Splunk in as concise and useful a manner as possible.

What this book covers

Chapter 1, The Splunk Interface, walks the reader through the user interface elements.

Chapter 2, Understanding Search, covers the basics of the search language, paying particular attention to writing efficient queries.

Chapter 3, Tables, Charts, and Fields, shows how to use fields for reporting, [...]

[...] on objects and settings on roles.

• Full name and Email address are stored for the administrator's convenience.

• Time zone can be changed for each user. This is a new feature in Splunk 4.3. Setting the time zone only affects the time zone used to display the data. It is very important that the date is parsed properly when events are indexed, because the stored event time cannot be corrected by a display setting afterwards. We will discuss this in detail in Chapter 2, Understanding Search.
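The distinction above, between the per-user display time zone and the time zone assumed while parsing an event at index time, is worth seeing concretely, since a five-hour skew in stored timestamps breaks any incident timeline built on them. The following is an added Python example, not code from the book or from Splunk; it assumes a simple "YYYY-MM-DD HH:MM:SS [+-HHMM]" timestamp format on constructed log lines, and its assumed_tz parameter is a stand-in for the default zone an indexer would apply to events that carry no explicit offset.

```python
"""Added example (not from the book): display time zone versus index-time parsing.

An event's stored time is a UTC epoch. A user's display time zone only changes
how that epoch is rendered. If an event carries no explicit offset and the
wrong zone is assumed while parsing, the stored epoch itself is wrong and no
display setting can repair it afterwards.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data). The first carries an explicit
# offset; the second does not, which is common in syslog-style output.
LOG_WITH_OFFSET = "2013-01-14 10:15:30 -0500 sshd[1234]: Accepted publickey for alice"
LOG_NO_OFFSET = "2013-01-14 10:15:30 sshd[1234]: Accepted publickey for alice"

# Timestamp at the start of the line, optionally followed by a +HHMM/-HHMM offset.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: ([+-]\d{4}))?")

UTC = timezone.utc
EST = timezone(timedelta(hours=-5))  # US Eastern standard time, no DST handling


def parse_event_time(line, assumed_tz):
    """Return the UTC epoch (int) for a log line.

    assumed_tz is applied only when the line has no offset of its own; it
    stands in for the default zone an indexer would assume (an assumption of
    this example, not a Splunk setting name).
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no timestamp at start of line: %r" % line)
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    offset = m.group(2)
    if offset:
        sign = 1 if offset[0] == "+" else -1
        hours, minutes = int(offset[1:3]), int(offset[3:5])
        tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    else:
        tz = assumed_tz
    return int(naive.replace(tzinfo=tz).timestamp())


def render(epoch, display_tz):
    """Render a stored epoch in a user's display time zone (display only)."""
    return datetime.fromtimestamp(epoch, display_tz).strftime("%Y-%m-%d %H:%M:%S %z")


def misparse_skew(line, assumed_tz, actual_tz):
    """Seconds by which the stored time is off if assumed_tz is used to parse
    a line that was really written in actual_tz. Zero when the line carries
    its own offset, because then the assumed zone is never consulted."""
    return parse_event_time(line, assumed_tz) - parse_event_time(line, actual_tz)


if __name__ == "__main__":
    epoch = parse_event_time(LOG_WITH_OFFSET, UTC)
    # Same instant, two display zones: the stored epoch does not change.
    print("stored epoch:", epoch)
    print("shown to a UTC user:    ", render(epoch, UTC))
    print("shown to an EST user:   ", render(epoch, EST))
    # A line without an offset, parsed with the wrong assumed zone, is stored
    # five hours early; changing the display zone later cannot fix that.
    print("skew if EST log parsed as UTC:", misparse_skew(LOG_NO_OFFSET, UTC, EST), "s")
```

Running the script shows the same epoch rendered as 15:15:30 +0000 for a UTC user and 10:15:30 -0500 for an Eastern user, while the offset-less line parsed under the wrong assumption lands 18000 seconds (five hours) off. This is the practical reason to get the zone right (or, better, to log with explicit offsets) before data is indexed rather than to rely on per-user display settings.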
