
Search Language Beginner

Splunk Worldwide Users Conference


The Palace Hotel, San Francisco, CA August 9-11, 2010

Lisa Guinn

Agenda
- Getting Started
- Searching
- Saving Searches
- Reporting and Dashboards


Copyright Splunk 2010

One Splunk. Many uses.


Application Management, Operations Management, Security & Compliance, and the Long Tail . . .


Universal Indexing

Works with data from any application, server or network device.

- Continuous real-time indexing
- Handles any data format, no custom adapters
- Automatically identifies and indexes multiline events and timestamps
- Indexes full event content
- Highly efficient file system datastore
- Schema-less, no RDBMS
- Data signed for authenticity
- High performance and scale

Data Inputs

- Files: monitor active files; batch upload files; web, application, server and device logs
- Network ports: listen on any port: TCP/UDP syslog, SNMP, IMAP, POP3, JMS
- Custom scripts & APIs: scheduled polling of WMI, perfmon, AD, LDAP, SQL/DBI, OPSEC LEA, JMX, VMware, PowerShell
- File systems: monitor changes to configurations, password files, critical scripts and code


After Splunk login

Click here to start searching

If you've just installed Splunk, add some data first!


Summary view

Search box

Time selector

What's available to search?


Basic Search

- Everything is searchable
- The * wildcard is supported: fail*
- Search terms are case insensitive
- Implied AND between search terms: fail* nfs
- Booleans AND, OR, NOT; Booleans must be uppercase: error OR 404
- Use ( ) for complex searches: error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
- Quote phrases: "login failure"


Selecting the search time range

Search over any past time range or search in real time


Search results view: timeline, field picker, event data, timestamps, search terms highlighted


Navigating search results

- Use the mouse to drill down in the results
  - Click a term to add it to the search
  - ALT-click a term to exclude it from the results
- Timeline
  - Click a bar to view that subset of the results; click Select All to return to all results
  - Zoom in or out to change the time range of the search


View Events in a web server log

Simply searching on the web server log sourcetype (sourcetype=access_combined) lists all the events within the selected time range


Identify the Fields

- Splunk identifies the fields in events, including the action field
- In our results, action has two values: update and purchase


Filter the Search

To narrow down our results, we search on the sourcetype AND the value of the action field, i.e. sourcetype=access_combined action=purchase. We'll concentrate on the value purchase in this case.
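The rules from the Basic Search slide (wildcards, case-insensitive terms, implied AND, uppercase Booleans, parentheses, quoted phrases) and the sourcetype/action filter above, worked as an added example that is not part of the original deck or of Splunk itself: a small Python parser and matcher that applies those rules to six constructed log events. The EVENTS list, the token and key=value regexes, and the case-insensitive treatment of field values are assumptions of this example, not a description of Splunk's implementation.

```python
"""Mini evaluator for the basic Splunk search syntax described in this deck.
Added example, not Splunk code; the event data and matching rules below are
this example's own assumptions (field values match case-insensitively here)."""
import re

# Constructed sample events; sourcetype is set at input time, other fields are pulled from _raw.
EVENTS = [
    {"sourcetype": "access_combined", "_raw": '10.2.1.34 - - [09/Aug/2010:10:15:01] "GET /cart.do?action=purchase&itemId=EST-14 HTTP/1.1" 200 1318'},
    {"sourcetype": "access_combined", "_raw": '10.2.1.35 - - [09/Aug/2010:10:15:07] "POST /account.do?action=update HTTP/1.1" 200 512'},
    {"sourcetype": "access_combined", "_raw": '10.2.1.36 - - [09/Aug/2010:10:16:22] "GET /product.screen?productId=BS-AG-G09 HTTP/1.1" 404 209'},
    {"sourcetype": "linux_secure", "_raw": "Aug  9 10:17:03 web01 sshd[2211]: Failed password for invalid user admin from 10.9.0.8 port 51422 ssh2"},
    {"sourcetype": "syslog", "_raw": "Aug  9 10:18:44 nfs01 kernel: nfs: server store01 not responding, mount failed"},
    {"sourcetype": "syslog", "_raw": "Aug  9 10:19:10 app02 app[881]: ERROR login failure for user bob from 10.9.0.8"},
]

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')  # query tokens: parens, quoted phrases, words
WORD_RE = re.compile(r"[\w.-]+")                    # event tokens a bare search term is matched against
KV_RE = re.compile(r'(\w+)=([^\s&"]+)')             # key=value pairs auto-extracted as fields

def wildcard_match(pattern, text):
    """Case-insensitive match in which * stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, text.lower()) is not None

def event_fields(event):
    # Input-time fields (sourcetype) plus key=value pairs found in the raw text
    fields = {k: v for k, v in event.items() if k != "_raw"}
    fields.update(KV_RE.findall(event["_raw"]))
    return fields

def term_matches(term, event):
    raw = event["_raw"]
    if len(term) >= 2 and term[0] == term[-1] == '"':    # quoted phrase
        return term[1:-1].lower() in raw.lower()
    if "=" in term:                                        # field=value, value may use *
        field, pattern = term.split("=", 1)
        value = event_fields(event).get(field)
        return value is not None and wildcard_match(pattern, value)
    return any(wildcard_match(term, tok) for tok in WORD_RE.findall(raw))

def parse(query):
    """Recursive descent into nested tuples; precedence NOT > AND (implied or explicit) > OR.
    Only uppercase AND/OR/NOT are operators: lowercase ones are ordinary search terms."""
    toks, pos = TOKEN_RE.findall(query), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def advance():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def or_expr():
        node = and_expr()
        while peek() == "OR":
            advance()
            node = ("OR", node, and_expr())
        return node

    def and_expr():
        node = not_expr()
        while peek() not in (None, ")", "OR"):       # adjacent terms: implied AND
            if peek() == "AND":
                advance()
            node = ("AND", node, not_expr())
        return node

    def not_expr():
        if peek() == "NOT":
            advance()
            return ("NOT", not_expr())
        if peek() == "(":
            advance()
            node = or_expr()
            if peek() != ")":
                raise ValueError("missing ')' in search %r" % query)
            advance()
            return node
        if peek() in (None, ")"):
            raise ValueError("expected a search term in %r" % query)
        return ("TERM", advance())

    node = or_expr()
    if pos != len(toks):
        raise ValueError("unbalanced ')' in search %r" % query)
    return node

def evaluate(node, event):
    op, args = node[0], node[1:]
    if op == "TERM":
        return term_matches(args[0], event)
    if op == "NOT":
        return not evaluate(args[0], event)
    results = [evaluate(a, event) for a in args]
    return all(results) if op == "AND" else any(results)

def search(query, events=EVENTS):
    # Returns the indices of the events matching a Splunk-style query string
    tree = parse(query)
    return [i for i, ev in enumerate(events) if evaluate(tree, ev)]
```

Running search("sourcetype=access_combined action=purchase") returns only the purchase event, and search('error or 404') with a lowercase or returns nothing at all: or is then just a third term that every event would also have to contain, which is exactly why the slide insists on uppercase Booleans.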


Two Ways to Save

Leave start and end time blank to use the current time setting


The Report Builder


Select the time range

Choose the fields and statistics

On to formatting

Save report and results op9ons

Change chart type and 9tle

Format the X and Y axes

Click Apply to see changes

Click a bar to drill down to results

Table view

Quick and Easy Reporting

Available from the field picker


Adding a Dashboard


Choose Panels


Add Panels and Arrange Layout


The New Dashboard


Beyond Beginning Search

In the Search Language Intermediate session:

- Categorize and label data using eventtypes and tags
- Create alerts based on search results
- Use advanced commands to filter and analyze search results


Thank you!
