Splunk .conf2011: Search Language: Beginner
Did you know you can do crazy useful things with Splunk’s search language? Sort, use fields, apply wildcards – but even better, it allows you to drill down into the results using Splunk’s Search interface timeline. This session will show some concrete examples of how to use Splunk with web access and other types of commonly-used data so you can craft simple but powerful searches based on what’s interesting in your data. Learn the basics of the Splunk search language in this beginner class, then move on to the Intermediate and Advanced classes to become a real pro.

Presentation Transcript

  • Search Language - Beginner
    Dan Plaza, Sr. Instructor
  • Agenda
    • Getting started – Search summary view
    • Running basic searches and viewing results
    • Navigating through search results
    • Understanding and using fields in search
    • Saving searches
  • About Your Presenter
    • Dan Plaza – Senior Instructor – Splunk
    • Splunker since November 2010
    • Experience in database, security, web apps and compliance standards
    • Constantly amazed by the cool stuff Splunk can do
  • Getting started
  • Launching the Search App
  • Summary View
    Screenshot callouts: current view, global stats, menus and action links, time range picker, data sources, search box, "do it"
  • Basic Searching
  • Basic Search
    • Everything is searchable
    • * wildcard supported
    • Search terms are case insensitive
    • Booleans AND, OR, NOT
      • Booleans must be uppercase
      • Implied AND between search terms
      • Use () for complex searches
    • Quote phrases
  • Search Results
    Screenshot callouts: timeline, field picker, timestamp, event data, highlighted search terms
  • Events
    • Searches return events
    • An event is a single piece of data in Splunk, like a record in a log file or other data input
    • Splunk breaks up data into individual events and gives each a timestamp, host, source and source type
  • Selecting the Time Range
    • By default, Splunk searches over all time
    • Use the time range picker to narrow your search, or search in real time
  • Real-time Searching
    • Real-time searching allows you to view events as they come in
    • Useful in troubleshooting an active issue or creating critical alerts
  • Navigating Through Results
  • Navigating Search Results – Click
    • Click a term in the events to add it to the search
  • Navigating Results – Alt+Click
    • Alt+click a term in the events to remove events with that term from the results
  • Navigating Results – Timeline
    • Click a bar in the timeline to drill down to events that occurred in that time period
  • Navigating Results – Timeline (cont.)
    • Select all returns to the original timeframe
    • You can also zoom in / zoom out to narrow or broaden the time range
  • Indicating a Custom Time Range
    • Select custom time from the time range picker to indicate specific date or relative time ranges
  • Using Fields
  • Fields
    • Fields turn plain old log data into Splunked data
    • There are 2 types of fields
      • Default fields – host, source, sourcetype. These fields exist for every event in Splunk.
      • Data-defined fields – fields that are specific to a given type of data
  • Identify the Fields
    • Splunk identifies fields in events, including the action field
    • In these events, the action field has five values
  • Use the Field Picker
    Screenshot callouts: remove events from results that don’t have the field; create reports; click on a value to add it to the search; Alt+click on a value to remove it from the search
  • Searching with Fields
    sourcetype=access_* action=purchase status!=200
    • This search example returns events where:
      • The sourcetype – or type of data – is apache weblogs
      • The action field has a value of purchase
      • The HTTP status returned was NOT 200
    • 36 events where an e-commerce purchase failed because of an HTTP error!!
  • Quick Reporting
    • Click to generate a quick report
  • Saving Searches
  • Saving a Search
    500 OR 503
    1. Click the save search icon
    2. Name the search
      • You can also edit the search string and time
      • Optionally, share the search with other users
  • Running a Saved Search
    • Run saved searches from the Searches and Reports menu
    • Lists all searches you have permission to run
  • Beyond Basic Searching
    • Splunk has many powerful features and search commands that allow you to
      • Calculate statistics
      • Format and organize values within search results
      • Create compelling data visualizations and reports
      • And more!
    • Learn about some of these features in the Search language – intermediate session
  • Questions?
    August 15, 2011 – Dan Plaza, Senior Instructor