Splunk .conf2011: Search Language: Intermediate
  • How can you leverage Splunk?


  • 1. Search Language - Intermediate Karen Hodges, Sr. Instructor
  • 2. Your presenter . . .
    • Karen Hodges – Senior Instructor – Splunk
    • Over 20 years of experience in software training and education in:
      • UNIX System Administration
      • Intergraph GIS Systems
      • Relational Database Management Systems
      • BMC Remedy
      • Mortgage Fraud Detection
      • Real Property Title Search
      • Splunk
  • 3.
    • Knowledge Objects
      • Tags
      • Event types
      • Saved searches and alerts
    • Advanced searching techniques
      • Comparison operators
      • The search pipeline
  • 4. Knowledge Objects
  • 5. Splunk as “Search Engine”
    • Type in keywords, hit return, get results . . .
  • 6. So Much More than a “Search Engine”
    • Splunk allows you to “store” knowledge alongside your IT data
    • Institutional knowledge
      • For example: server function or device location
    • Learned knowledge
      • For example: identify crash precursors or suspicious activity patterns
    • You store these in Splunk using Knowledge Objects
  • 7. Scenario – Confusing Server Names
    • Server names aren’t always very helpful!
    • Sometimes they pack too much information into the name
    • Sometimes the people who name them make them reflect their hobbies/obsessions
  • 8. Knowledge Objects – Tags to the Rescue
    • Tags are metadata you can add to field values
  • 9. Using Tags
    • Search all hosts tagged as “webfarm”
  • 10. Scenario – So Many Different Needles and Hays
    • IT data is full of strange and confusing messages
    • Some are alarming!
    • Some are low key, but should be alarming
  • 11. Knowledge Objects – Event Types
    • Event types are fields based on a search – similar to a saved search
  • 12. Event Type Example – Different Events
    • For example: 2 events in linux_secure
    • Save event types to differentiate these 2 events
      • pwd_fail_known and pwd_fail_unknown
  • 13. Event Type Example – Same Event
    • For example: 2 different types of firewalls
      • CheckPoint firewall “action=reject”
      • Netscreen firewall “action=deny”
  • 14. Using Event Types
    • Use the eventtype as you would any other field
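    The knowledge objects from slides 8 through 14 as they would look in Splunk’s configuration files. This is an added example, not from the presentation: the host names, the sourcetype names and the search strings behind each event type are assumptions, and the event type name fw_block is assumed as well (the slides do not name it).

```ini
# eventtypes.conf -- added example; searches and sourcetype names are assumptions

# Slide 12: two different events in linux_secure, split into two event types.
# A password failure for a user that exists on the box ...
[pwd_fail_known]
search = sourcetype=linux_secure "Failed password for" NOT "invalid user"

# ... versus a password failure for a user name the box has never heard of.
[pwd_fail_unknown]
search = sourcetype=linux_secure "Failed password for invalid user"

# Slide 13: the same event from two firewall products, so one search
# (eventtype=fw_block) finds blocked traffic no matter which vendor logged it.
[fw_block]
search = (sourcetype=checkpoint action=reject) OR (sourcetype=netscreen action=deny)

# tags.conf -- slides 8 and 9: tag the host field values of the web servers, so
# "tag=webfarm" finds all of them however creatively they were named.
# Host names below are constructed.
[host=lemmy]
webfarm = enabled

[host=ozzy]
webfarm = enabled

[host=web-prd-dc2-0042]
webfarm = enabled
```

    Once saved, the two kinds of knowledge combine in one search, for example tag=webfarm eventtype=pwd_fail_unknown to see password guessing against accounts that do not exist on any web server.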
  • 15. Scenario – 24/7 Monitoring
    • Servers and devices run 24/7
    • Hackers, bugs and crashes (oh my!) are lurking 24/7
    • Humans aren’t 24/7 – they need things like sleep, vacations, lunch, or just a few minutes away from staring at a screen in a freezing cold server room!
  • 16. Splunk Alerts Never Sleep!
    • Searches can be run on a schedule and be set up to “do something” based on the results
    • We call these Alerts
  • 17. Alerting Scenario – Public User Logins
    • Hackers need a user name AND a password to log in to your systems
    • Public web pages often contain the names of CEOs, sales folks, etc., and your company’s pages are no exception
  • 18. Leverage Tagging and Event Types
    • Since only certain users appear on the web page, we can give those users the tag publicID (searchable as tag=publicID)
    • We can use the “pwd_fail_known” Event Type we created earlier
  • 19. Craft Your Search and Create the Alert
    • Craft the search for login attempts by public users, then create the alert
    • Click Next to define alert conditions
  • 20. Alert Conditions
    • You can specify alert conditions which will trigger the alert
    • In our case we are looking for four or more login attempts, since after that legitimate users are locked out
  • 21. Alert Actions
    • Can send email, create an RSS feed, or trigger a shell script
    • We have opted to have the results included in our email so we can evaluate the severity of the attack easily
    • Tracking allows us to view fired alerts in the Alert manager
  • 22. Alert Manager
    • Use the Alerts menu item in the main Splunk navigation to display the Alert manager window
    • Click Results to view the events that triggered the alert
    • Click Edit to edit the alert settings
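    The alert built in slides 17 through 22, written out as a savedsearches.conf stanza. This is an added example, not part of the presentation: the stanza name, the tagged user names, the schedule and the recipient address are assumptions, and the search relies on the user field being extracted from linux_secure events.

```ini
# tags.conf -- slide 18: users whose names appear on the public web site get
# the publicID tag. User names are constructed.
[user=jsmith]
publicID = enabled

[user=ceo]
publicID = enabled

# savedsearches.conf -- slides 19 to 22: the scheduled search turned into an alert
[Failed Logins]
# Slide 18: known-user password failures, restricted to the user field values
# that carry the publicID tag (tag::user= limits the tag lookup to that field)
search = eventtype=pwd_fail_known tag::user=publicID
# Slide 16: run on a schedule, every 15 minutes over the previous 15 minutes
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Slide 20: fire on four or more failed attempts, the account-lockout threshold
counttype = number of events
relation = greater than
quantity = 3
# Slide 21: e-mail with the matching events inline so severity can be judged
# from the message, and track the firing so it shows up in the Alert manager
action.email = 1
action.email.to = soc@example.com
action.email.sendresults = 1
action.email.inline = 1
alert.track = 1
```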
  • 23. Advanced Searching Techniques
  • 24. So Much More than a “Search Engine” – Part II
    • Comparison operators make your searches more exacting
    • Splunk’s full-featured search language permits you to organize and analyze data in amazing ways!
  • 25. Towards More Sophisticated Searches
    • Comparison operators
      • != > < <= >=
  • 26. The Search Pipeline
    • Search is a data generating command
    • You can organize and analyze data using the search pipeline
    • For example: sourcetype=syslog ERROR | top user | fields - percent
      • sourcetype=syslog ERROR fetches the events from disk that match (intermediate results table)
      • top user summarizes them into a table of the top 10 users (intermediate results table)
      • fields - percent removes the column showing percentage (final results table)
  • 27. Organize and Analyze Your Data
    • After the search command, use the “|” symbol to pipe your search results to a subsequent command
    • For example, here we are changing the sort order to sort by user name descending – grouping all the logins together
  • 28. Data Processing Commands
    • We’ve already seen sort; there are many MANY more . . .
      • dedup removes duplicates
        • Weeding out duplicate entries makes results easier to use AND keeps statistical operations more pure
      • regex allows you to filter your results using a regular expression
        • REGEX gurus can filter using all the ?’s and *’s they want!
      • transaction allows you to group your events by a certain field and time range
        • See all the web pages your boss visited in the past hour from your proxy data
  • 29. Splunk Makes Using its Search Language Easy
    • When you type in a command after the | symbol, Splunk’s Search Assistant provides an instant mini “man page”
  • 30. View Events in a Table
    • The table command is useful for visually organizing events
    • Columns are displayed in the order the fields are entered in the command
      • Column headers are field names
      • Rows are field values
      • Each row represents an event
  • 31. Top Scenario – Getting Top Site Visitors
    • The top command finds the most common values of a given field
      • Returns top 10 results by default
    • Automatically returns a count and percentage
    • Adding limit=# after the top command returns the specified number of results
  • 32. Stats Scenario – Counting Product Sales
    • count returns the number of occurrences of a given field
    • The by clause returns a count for each value of a named field
  • 33. Transaction Scenario – Monitor Trading Activity
    • Online trading activity is captured in a log file which includes each trader’s unique identification
    • Company policy requires that we monitor each trader’s activity in hourly chunks, but the trades are all jumbled up together, making it hard to spot patterns in each trader’s trades
  • 34. Use Transaction to Group Your Trades
    • Use transaction to group each trade by TradeID
    • Set your time span to an hour and your max pause to one hour, in case some traders only have one or two trades per hour
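    The top, stats and transaction searches from slides 31 through 34, saved as scheduled reports in savedsearches.conf. This is an added example, not taken from the slides: the sourcetype and field names (access_combined, clientip, sales, product, trades, TraderID as the trader’s unique identification field) and the schedules are assumptions.

```ini
# savedsearches.conf -- added example; sourcetypes and field names are assumptions

# Slide 31: most frequent visitors. top returns 10 values with count and percent
# by default; limit=20 widens that, and fields - percent drops the percentage
# column as in the slide 26 pipeline.
[Top Site Visitors]
search = sourcetype=access_combined | top limit=20 clientip | fields - percent

# Slide 32: one row per product with the number of sales events, busiest first
[Product Sales]
search = sourcetype=sales | stats count by product | sort - count

# Slides 33 and 34: stitch each trader's jumbled trades into one transaction per
# hour. maxspan caps a transaction at one hour of wall-clock time; maxpause closes
# it after an hour with no further trades, so a trader with only one or two trades
# in an hour still gets a transaction instead of being merged into the next hour.
[Hourly Trading Activity]
search = sourcetype=trades | transaction TraderID maxspan=1h maxpause=1h | table _time TraderID eventcount duration
# Run at the top of every hour over the previous whole hour
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
```

    The eventcount and duration fields are produced by transaction itself, so the table shows, per trader and hour, how many trades were made and how long the burst lasted.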
  • 35.
    • Event types and tags are excellent ways to capture existent knowledge as well as knowledge learned from using Splunk
    • Splunk’s search language includes many powerful commands which allow you to organize and analyze your data easily
  • 36.
    • You’ve just seen some of the many ways Splunk can be used to leverage the intelligence in your IT data
    • Further your Splunk education with official Splunk training
      • Using Splunk – Gets deeper into basic search, alerts, knowledge objects, quick reports and more…
      • Searching and Reporting with Splunk – Takes you to the next level, leveraging statistical operations and reporting in Splunk
  • 37. August 15, 2011 Questions? Karen Hodges, Sr. Instructor