Table of Contents
1 Performing Basic Splunk Searches Overview
2 Introduction to Search in Splunk
2.3 Demo: Splunk Search Interface
3 Understanding the Basics of Splunk Search
3.3 Demo: Creating Splunk Search Roles
3.6 Bucket Management in Splunk
4 Using Field Searches for Splunk
4.4 Demo: Splunk Field Operators
4.6 Demo: Splunk Field Sidebar
4.8 Demo: Splunk Results Field
4.9 Best Practices in Splunk Search
5 Building SPL Queries in Splunk
5.3 Demo: Search Processing Language Editor
5.5 Demo: SPL Chaining Commands
5.6 SPL Filtering & Modifying Search Results
5.7 Demo: SPL Search & Rename
5.8 SPL Ordering Search Results
5.9 Demo: SPL Sort, Tail, & Head
6 Performing Transformative Searches in Splunk
6.2 What Are Transformative Commands?
6.3 Demo: SPL Top, Rare, & Contingency
6.5 Demo: SPL Min, Max, Average, & Count
6.7 Demo: SPL Chart & Timechart
7 Creating Splunk Lookup and More
8.1 More Splunk Learning Resources
Performing Basic Splunk Searches Overview
Don't know where he downloaded the data from to create the index dev_web – maybe an earlier lesson
Introduction to Search in Splunk
Overview
Searching Machine Data
Demo: Splunk Search Interface
Default index = main
Search Bar
Events Tab
Time Line
Events
Fields – Selected Fields / Interesting Fields
Splunk Data Sets
Semi structured
CSV, tab delimited
Access log
Local Logs (Windows, Linux, Mac)
Machine Generated
Often Overlooked
Network firewall, event log, web log
Data source from Servers, Cloud, Workstations, Log (Regex)
ButterCup – Splunk Generated Data
Eventgen – splunkbase
Summary
Understanding the Basics of Splunk Search
Overview
Splunk Roles in Search
Demo: Creating Splunk Search Roles
Index = main – all information used here
The point-and-click search facility makes Splunk easy to use
Data Storage in Splunk
Buckets
Demo: Bucket Management
Settings – Data – Indexes –
Bucket Management in Splunk
Hot Bucket – 24 Hrs
Warm Bucket – 3 Months
Cold Bucket – 3 + Months
Frozen Bucket – 1Year
Higher Performance (Hot/Warm) – Lower Performance (cold, Frozen)
Write the query to get the data from Hot Tier
Summary
Using Field Searches for Splunk
Overview
Search Bar and Timeline
Fast, Smart (default), Verbose modes
Search Field Operators
Field Expression
Boolean
NOT, OR
Wildcards
Demo: Splunk Field Operators
Index=main
Index="main"
index!="main"
Splunk Field Sidebar
Selected Fields, Interesting Fields
Demo: Splunk Field Sidebar
We can move fields from Selected to Interesting and vice versa
Search – in the field sidebar choose one value – choose Top values by time – the query is updated with a visual using timechart
Top limit = x
Splunk Result Field
Demo: Splunk Results Field
If any field needs to be available in Selected Fields:
In Interesting Fields, click the field – choose Yes, OR
From the Result Pane, expand the event and select the field; it will come into Selected Fields
If we click a field value, we can add or exclude it in the search query
The result view can be changed to List, Raw, Table
Best Practices in Splunk Search
Summary
Building SPL Queries in Splunk
Overview
What Is SPL?
Nomenclature, syntax
More free text for SPL
Demo: Search Processing Language Editor
Administrator – Preferences –
Choose Full – choose Line Numbers – choose Search Bar Theme as Light Theme
Building SPL Queries
Example:
Demo: SPL Chaining Commands
Choose No Event Sampling if we deal with less data
SPL Filtering & Modifying Search Results
Demo: SPL Search & Rename
Remove clientip field
Only show two fields
SPL Ordering Search Results
Demo: SPL Sort, Tail, & Head
Last 10
Summary
Performing Transformative Searches in Splunk
Overview
What Are Transformative Commands?
| top
|rare
|highlight
| Contingency
Demo: SPL Top, Rare, & Contingency
index="main" | top limit=3 Eventcode – not working – field names are case sensitive
index="main" | top limit=3 EventCode – working
index="main" | top limit=3 Type > information, warning, error
| top
| top
|rare
| Contingency
|highlight
Splunk Stats Commands
Demo: SPL Min, Max, Average, & Count
index="main" | stats min(EventType)
index="main" | stats max(EventType)
index="main" | stats max(EventType) by EventCode
index="main" | stats avg(EventType)
index="main" | stats avg(EventType) by EventCode
index="main" | stats count by EventCode
Splunk Chart Commands
Demo: SPL Chart & Timechart
index="main" | chart count as EventType by EventCode
index="main" | chart count as EventCode by EventType
index="main" | timechart count as messages by EventType
_time field added and display every day
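Added example (not part of the course notes) that chains the commands from the top, stats, sort/head and timechart demos into one search over the same index="main" Windows event data; the Type values and the clientip field are assumed from the demos above.

```spl
index="main" Type="error" OR Type="warning"
| fields - clientip
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY EventCode Type
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -events
| head 10

index="main" Type="error" OR Type="warning"
| timechart span=1d count AS messages BY Type
```

The first search ranks the noisiest error and warning EventCodes with the time window they were seen in; the second plots the same events per day, the view the timechart demo builds from the field sidebar.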
Summary
Creating Splunk Lookup and More
Overview
What Is a Lookup?
Demo: Splunk Lookup
More Splunk Learning Resources
Summary