Getting Started with Splunk Enterprise Hands-On

1. Copyright © 2015 Splunk Inc.
Getting Started with
Splunk Enterprise
Hands-On Tour
Jon Nussbaum
Sr. Splunk Sales Engineer

2. 2
Download Splunk Enterprise for your OS and Architecture.

3. 3
Download turotialdata.zip

4. 4
Text
For OSX (from terminal):
mkdir /opt/splunk_live_sd
cd /opt/splunk_live_sd
Tar-xzvf ~/Downloads/splunk-
6.3.3-f44afce176d0-darwin-64.tgz
cd splunk/bin
For WIN: Install MSI
For OSX: Start Splunk via
./splunk start
For WIN: Services -> Splunk -> Start

5. 5
Starting Splunk, Accept License.

6. 6
Text
With Firefox, Chrome, or Safari – head to http://127.0.0.1:8000 . User=admin password=changeme

7. 7
You’ve successfully installed Splunk, and logged in! Let’s add the tutorialdata.zip via “Add Data”

8. 8
You can also “Add Data” from Settings at the top.

9. 9
Click on upload.

10. 10
Let’s drag tutorialdata.zip into “Drop your data file here”.

11. 11
Click Next

12. 12
Splunk can auto detect the sourcetype. Lets change host field to buttercup-web01, and then click Review.

13. 13
Looks good, click Submit.

14. 14
Let’s Start Searching our data.

15. 15
We’re brought into a search with filters applied to search the data we just uploaded.

16. 16
Let’s type “buttercupgames” in the search bar, and double click into a bar on the histogram.

17. 17
Notice the time picker changed with our drill into the histogram bar.

18. 18
Given that this data is web access, lets do a string search for 400, which is a “Bad Request” code.
Notice that there’s 188 events returned. (number will vary for you).

19. 19
Lets also add 300 into the mix, and notice that my event count is higher now.

20. 20
We can see the 400 status codes, but not 300’s. That’s because the string search of 300 doesn’t explicitly
search for status code of 300 – it’ll string match any event that contains “300”.

21. 21
Lets explicitly search for status codes equaling values we want to see returned.

22. 22
Great, we’re now returned all the events containing the two status codes we searched for.
Click on “Top values by time”, which will build out a timechart for us.

23. 23
Notice how our search query changed, there’s a | (pipe), and a timechart command added.
The pipe followed by a command allows further operation on your filtered data set.

24. 24
Let’s change our search to: buttercupgames status=*
And – drill into one bar on the histogram.

25. 25
Click on “top values by time” under the status field on the left, which will produce the timechart above.

26. 26
Let’s exclude 200 status codes by adding AND status!=200, and change Line to Column.

27. 27
After changing from Line to Column, lets Stack the results (middle stack under Stack Mode). Much better!

28. 28
Lets now save this to a dashboard, a place we can go to view this search without having to remember
what we had just searched for. Click Save AS -> Dashboard Panel. Fill in, and click Save. Then View dashboard.

29. 29
Click on Search to get us back to our search bar, and lets key in: buttercupgames.
Development wants to know what web browsers are being used to access the site, but no fields currently
exist. No problem – lets extract the browser field.
Find an event that contains a value that you’re looking for, and click the “>” arrow just to the left of “Time”.
The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.

30. 30
Click Regular Expression (Splunk will build a regular expression to extract our fields), and click next.
Highlight the value of the field you’d like to create, and lets name the field: browser_type
Click Add Extraction.

31. 31
Let’s verify that the extracted field contains values that are indeed types of browsers.
Good, click next to proceed.
Now, open the permissions to “App” which will allow users of the App the ability to leverage this extraction.
Click Next.

32. 32
Success, Let’s explore the fields just created in search, by clicking the link.

33. 33
You’ll now be taken to search, with the filter set to the sourcetype that the field extraction has been applied
to. Note – field extractions are coupled to a sourcetype.
Click on “Top values”.

34. 34
Notice how the search changed. And, instead of a bar graph, we want a pie chart, so drop down the “bar”
option and change it to Pie.

35. 35
Lets add this search to our dashboard, and then view the dashboard.
Click Edit -> Edit Panels to drag the different panels to different positions.

36. 36
Let’s go back to search, and search for buttercupgames AND status!=200 (we want to see events that aren’t successful. Add
the stats and where clause above, to return when there’s more than 100 unsuccessful status codes.

37. 37
Let’s create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression
(Instead of 48, change to minutes a few ahead of your current time. Ie. If it’s 9:00am, change to 05.

38. 38
Add to Triggered Alerts, and Save.

39. 39
You should see an alert trigger once your scheduled search runs at the cron expression you defined.
*Note – it was mentioned that alerts wouldn’t work on a trial license. *Correction – alerts will work until the
trial license expires.

40. 40
Let’s go back to search and: buttercupgames status=* | iplocation clientip
We want to lookup the clientip values against the MaxMind database to pull in City, Country, State, Lat, Lon
of the IPs.

41. 41
Now, business is interested in seeing plots on a map of web users and what they’re doing with the website.
Lets append a geostats command that counts the events by the values of the action field. Pretty cool! This is
definitely dashboard worthy! Lets add to dashboard.

42. 42
Awesome! Now we have a single pane of glass that Operations, Development, and Business all care about –
from one data source! Talk about value!

43. 4
Thank You