Splunk .conf2011: Search Language: Beginner
Did you know you can do crazy useful things with Splunk’s search language? Sort, use fields, apply wildcards – but even better, it allows you to drill down into the results using Splunk’s Search interface timeline. This session will show some concrete examples of how to use Splunk with web access and other types of commonly used data so you can craft simple but powerful searches based on what’s interesting in your data. Learn the basics of the Splunk search language in this beginner class, then move on to the Intermediate and Advanced classes to become a real pro.

Published in: Technology
  • How can you leverage Splunk?
  • Transcript

    • 1. Search Language - Beginner Dan Plaza, Sr. Instructor
    • 2.
      • Getting started – Search summary view
      • Running basic searches and viewing results
      • Navigating through search results
      • Understanding and using fields in search
      • Saving searches
    • 3. About Your Presenter
      • Dan Plaza – Senior Instructor – Splunk
      • Splunker since November 2010
      • Experience in database, security, web apps and compliance standards
      • Constantly amazed by the cool stuff Splunk can do
    • 4. Getting started
    • 5. Launching the Search App
    • 6. Summary View – screenshot callouts: current view; global stats; menus and action links; time range picker; data sources; do it; search box
    • 7. Basic Searching
    • 8. Basic Search
      • Everything is searchable
      • * wildcard supported
      • Search terms are case insensitive
      • Booleans AND, OR, NOT
        • Booleans must be uppercase
        • Implied AND between search terms
        • Use () for complex searches
      • Quote phrases
    • 9. Search Results – screenshot callouts: timeline; field picker; timestamp; event data; highlighted search terms
    • 10.
      • Searches return events
      • An event is a single piece of data in Splunk, like a record in a log file or other data input
      • Splunk breaks up data into individual events and gives each a timestamp, host, source and source type
    • 11. Selecting the Time Range
      • By default, Splunk searches over all time
      • Use the time range picker to narrow your search, or search in real time
    • 12. Real-time Searching
      • Real-time searching allows you to view events as they come in
      • Useful in troubleshooting an active issue or creating critical alerts
    • 13. Navigating Through Results
    • 14. Navigating Search Results – Click: click a term in the events to add it to the search
    • 15. Navigating Results – Alt+Click: Alt+click a term in the events to remove events with that term from the results
    • 16. Navigating Results – Timeline: click a bar in the timeline to drill down to events that occurred in that time period
    • 17. Navigating Results – Timeline (cont.): Select all returns to the original timeframe. You can also zoom in / zoom out to narrow or broaden the time range.
    • 18. Indicating a Custom Time Range
      • Select custom time from the time range picker to indicate specific date or relative time ranges
    • 19. Using Fields
    • 20.
      • Fields turn plain old log data into Splunked data
      • There are 2 types of fields
        • Default fields – host, source, sourcetype. These fields exist for every event in Splunk.
        • Data-defined fields – fields that are specific to a given type of data
    • 21. Identify the Fields
      • Splunk identifies fields in events, including the action field
      • In these events, the action field has five values
    • 22. Use the Field Picker – screenshot callouts: remove events from results that don’t have the field; create reports; click on a value to add to the search; ALT + click on a value to remove from a search
    • 23. Searching with Fields
      • Example search: sourcetype=access_* action=purchase status!=200
      • This search example returns events where:
        • The sourcetype – or type of data – is Apache web logs
        • The action field has a value of purchase
        • The HTTP status returned was NOT 200
      • Result: 36 events where an e-commerce purchase failed because of an HTTP error!!
    • 24. Quick Reporting – click to generate a quick report
    • 25. Saving Searches
    • 26. Saving a Search (example search: 500 OR 503)
      • 1. Click the save search icon
      • 2. Name the search
        • You can also edit the search string and time
        • Optionally, share the search with other users
    • 27. Running a Saved Search
      • Run saved searches from the Searches and Reports menu
      • Lists all searches you have permission to run
    • 28. Beyond Basic Searching
      • Splunk has many powerful features and search commands that allow you to
        • Calculate statistics
        • Format and organize values within search results
        • Create compelling data visualizations and reports
        • And more!
      • Learn about some of these features in the Search language – intermediate session
    • 29. Questions? – Dan Plaza, Senior Instructor – August 15, 2011
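Added example (not from the slides or from Splunk itself): a small Python evaluator for the search syntax taught in slides 8 and 23, run over constructed web-access events to show why `sourcetype=access_* action=purchase status!=200` returns only the failed purchase, and how `!=` differs from `NOT` for events that lack the field. The sample events and the names EVENTS, wild, term_matches and matches are my own; operator precedence follows Splunk's documented order (parentheses, NOT, OR, then AND).

```python
import re
EVENTS = [  # constructed sample events: extracted fields plus raw event text
    {"sourcetype": "access_combined", "action": "purchase", "status": "200",
     "_raw": "GET /checkout?action=purchase HTTP/1.1 200"},
    {"sourcetype": "access_combined", "action": "purchase", "status": "503",
     "_raw": "POST /checkout?action=purchase HTTP/1.1 503"},
    {"sourcetype": "access_common", "action": "view", "status": "500",
     "_raw": "GET /product/42?action=view HTTP/1.1 500"},
    {"sourcetype": "secure", "_raw": "Failed password for invalid user admin"},
]
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()]+')  # quoted phrases, parens, words

def wild(pattern, text):  # case-insensitive; '*' matches any run of characters
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

def term_matches(term, event):
    """One atom: "quoted phrase", field=value, field!=value or a bare term."""
    if term.startswith('"'):
        return term.strip('"').lower() in event["_raw"].lower()
    m = re.fullmatch(r"(\w+)(!?=)(.+)", term)
    if m:
        name, op, value = m.groups()
        if name not in event: return False  # as in Splunk, != skips events lacking the field
        return wild(value, event[name]) == (op == "=")
    return any(wild(term, w) for w in re.findall(r"\w+", event["_raw"]))  # raw text is word-broken

def matches(search, event):
    toks = TOKEN.findall(search)  # Splunk precedence: NOT first, then OR, then (implied) AND
    def p_and(i):  # adjacent terms are ANDed; the AND keyword is optional
        val, i = p_or(i)
        while i < len(toks) and toks[i] != ")":
            rhs, i = p_or(i + 1 if toks[i] == "AND" else i)
            val = val and rhs
        return val, i
    def p_or(i):
        val, i = p_not(i)
        while i < len(toks) and toks[i] == "OR":
            rhs, i = p_not(i + 1)
            val = val or rhs
        return val, i
    def p_not(i):
        if toks[i] == "NOT":
            val, i = p_not(i + 1)
            return not val, i
        if toks[i] == "(":
            val, i = p_and(i + 1)
            return val, i + 1  # step over the closing ")"
        return term_matches(toks[i], event), i + 1
    return p_and(0)[0]
```

Running `[e for e in EVENTS if matches("sourcetype=access_* action=purchase status!=200", e)]` yields only the 503 purchase, while `NOT status=200` would also return the secure event because it has no status field at all.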