Getting started with Splunk Breakout Session

Published in: Technology

1. Copyright © 2014 Splunk Inc. Getting Started. Philipp Drieger, Sales Engineer
2. Legal Notices. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2013 Splunk Inc. All rights reserved.
3. Agenda
   • What is Splunk?
   • Getting Started with Splunk
   • Search
   • Alert
   • Dashboard
   • Deployment and Integration
   • Community
   • Help & Questions
4. Spelunking: to explore underground caves. Splunking: to explore machine data.
5. What is Machine Data? Log files, custom applications, web servers, user clickstreams, social platforms, servers/hypervisors/virtual machines, configurations, telecom devices, storage devices, network devices, security devices (firewalls, IDS), databases, web services, system metrics, GPS, DNS, DHCP, AAA logs, proxy servers, errors, scripts, sensors.
6. Machine Data Contains Critical Insights
7. What Does Splunk Really Do? It turns this:
   [Thu Sep 24 14:57:33 2009] [error] [client 10.2.1.44] ap_proxy: trying GET /petstore/enter_order_information.screen at backend host '127.0.0.1/7001; got exception 'CONNECTION_REFUSED [os error=0, line 1739 of ../nsapi/URL.cpp]: Error connecting to host 127.0.0.1:7001', referer: http://10.2.1.223/petstore/cart.do?action=purchase&itemId=EST-14
   into this: (visualization shown on the slide)
8. Industry Leading Platform For Machine Data. Machine Data: Any Location, Type, Volume
   • Sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID, SCADA, Automation and Control Systems
   • Deployment: On-Premises, Private Cloud, Public Cloud
   • Platform: Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing
   • Answer Any Question: Developer Platform, Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search
9. Splunk Delivers Value Across IT and the Business: IT Operations; Security and Compliance; Mobile Intelligence; App Dev and App Mgmt.; Developer Platform (REST API, SDKs); Business Analytics; Industrial Data and Internet of Things. Small Data. Big Data. Huge Data.
10. Getting Started. In this room:
   • 13:15 – 14:15 Getting Started with Splunk
   • 14:15 – 15:15 Splunk for Security
11. Install Splunk
   • www.splunk.com/download: 32 or 64 Bit? Indexer or Universal Forwarder?
   • Splunk Home – WIN: Program Files\Splunk; Other: /opt/splunk (Applications/splunk)
   • Start Splunk – WIN: Program Files\Splunk\bin\splunk.exe start (services start); *NIX: /opt/splunk/bin/splunk start
12. Install Splunk continued… Splunk Online Sandbox
13. Splunk Licenses
   • Free Download Limits Indexing to 500MB/day
   • Enterprise Trial License expires after 60 days, then reverts to the Free License
   • Features Disabled in Free License: Multiple user accounts and role-based access controls; Distributed search; Forwarding to non-Splunk Instances; Deployment management; Scheduled saved searches and alerting; Summary indexing
   • Other License Types: Enterprise, Forwarder, Trial
14. Splunk Web Basics. Default installation on: http://localhost:8000
   • Browser Support: Firefox 10.x and latest; Internet Explorer 7, 8, 9 and 10; Safari (latest); Chrome (latest)
   • Index data: Add data; Getting Started App; Install an App (Splunk for Windows, *NIX)
15. Add some data. Download the sample file, follow this link and save the file to your desktop, then unzip: http://www.splunkbook.com (Using Splunk Book). To add the file to Splunk:
   – From the Welcome screen, click Add Data.
   – Click From files and directories on the bottom half of the screen.
   – Select Skip preview.
   – Click the radio button next to Upload and index a file.
   – Click Save.
16. Best Practice Suggestion: Create an individual Index based on sourcetype.
   • Easier to re-index data if you make a mistake.
   • Easier to remove data.
   • Easier to define permissions and data retention.
17. Demo: Add Data
18. Search Basics
19. Search app – Summary view. Screen elements: current view, global stats, app navigation, time range picker, search box, start search. Selecting Data Summary: Host; Source; Sourcetype
20. Searching. Search > *
   • Select Time Range: Historical, custom, or real-time
   • Select Mode: Smart, Fast, Verbose
   • Using the timeline: click events and zoom in and out; click and drag over events for a specific range
21. Everything is searchable
   • * wildcards supported
   • Search terms are case insensitive
   • Booleans AND, OR, NOT – Booleans must be uppercase; implied AND between terms; use () for complex searches
   • Quote phrases
   Example searches: fail* ; nfs error ; error OR 404 ; error OR failed OR (sourcetype=access_* (500 OR 503)) ; "login failure"
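The search rules of slide 21 (wildcards, case-insensitive terms, uppercase-only booleans, implied AND, parentheses, quoted phrases) as a small evaluator run over constructed sample events. This is an added example, not code from the deck or from Splunk; the events, the `compile_search`/`search` names and the whole-token keyword matching are assumptions of the example, and it goes a step beyond the slide by also handling `field=value` terms with wildcards under NOT, the shape the role filter `NOT tag=PCI` on slide 54 takes.

```python
import fnmatch
import re

EVENTS = [  # constructed sample events, not from the slides: raw text plus a sourcetype
    {"_raw": "GET /petstore/cart.do 500 login failure", "sourcetype": "access_combined"},
    {"_raw": "nfs: server not responding, error 5", "sourcetype": "syslog"},
    {"_raw": "GET /petstore/cart.do 200 OK", "sourcetype": "access_combined"},
    {"_raw": "Failed password for alice from 10.2.1.44", "sourcetype": "secure"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()]+')   # quoted phrase | paren | bare term

def term_matches(tok, event):
    if tok.startswith('"'):                            # phrase: substring of _raw
        return tok.strip('"').lower() in event["_raw"].lower()
    if "=" in tok:                                     # field=value, wildcards allowed
        field, value = tok.split("=", 1)
        return fnmatch.fnmatchcase(str(event.get(field, "")).lower(), value.strip('"').lower())
    words = re.findall(r"\w+", event["_raw"].lower())  # keyword: whole-token match
    return any(fnmatch.fnmatchcase(w, tok.lower()) for w in words)

def compile_search(query):
    """Compile a search string into a predicate on events. OR binds loosest, adjacent
    terms get an implied AND, and only uppercase AND/OR/NOT act as operators."""
    tokens = TOKEN_RE.findall(query)
    def parse_or():
        pred = parse_and()
        while tokens and tokens[0] == "OR":
            tokens.pop(0)
            pred = lambda ev, a=pred, b=parse_and(): a(ev) or b(ev)
        return pred
    def parse_and():
        pred = parse_not()
        while tokens and tokens[0] not in ("OR", ")"):  # implied AND between terms
            if tokens[0] == "AND":
                tokens.pop(0)
            pred = lambda ev, a=pred, b=parse_not(): a(ev) and b(ev)
        return pred
    def parse_not():
        if not tokens:
            raise ValueError("dangling operator or empty search")
        tok = tokens.pop(0)
        if tok == "NOT":
            inner = parse_not()
            return lambda ev: not inner(ev)
        if tok == "(":
            inner = parse_or()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        return lambda ev: term_matches(tok, ev)
    pred = parse_or()
    if tokens:
        raise ValueError("unexpected token %r" % tokens[0])
    return pred

def search(query, events=EVENTS):
    pred = compile_search(query)          # raw text of every selected event, in order
    return [e["_raw"] for e in events if pred(e)]
```

Note that a lowercase `not error` is two ordinary terms joined by the implied AND, exactly as the slide warns.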
22. Search Assistant
   • Contextual Help – advanced type-ahead; suggests search terms; updates as you type
   • History – search; commands
   • Search Reference – short/long description; examples; shows examples and help
   • Toggle off / on
23. Searches can be managed as asynchronous processes. Jobs can be:
   • Scheduled
   • Moved to background tasks
   • Paused, stopped, resumed, finalized
   • Managed
   • Archived
   • Cancelled
   Job Management: Modify Job Settings; pause; finalize; delete
24. Search Commands. Search > error | head 1
   Search results are “piped” to the command. Commands for:
   • Manipulating fields
   • Formatting
   • Handling results
   • Reporting
25. Over 130 Commands! splunk.com > Documentation > Search Reference: abstract accum addcoltotals addinfo addtotals af analyzefields anomalies anomalousvalue append appendcols ar associate audit autoregress bin bucket chart cluster collect common contingency convert correlate counttable crawl ctable dbinspect dedup delete delta diff discretize erex eval eventcount eventstats excerpt extract file fillnull folderize format gentimes head highlight iconify input inputcsv inputlookup iplocation join kmeans kv kvform loadjob localize localop lookup macro makecontinuous makemv maketable map metadata multikv mvcombine mvexpand nomv outlier outlierfilter outputcsv outputlookup outputtext overlap rangemap rare regex relevancy rename replace reverse run savedsearch savedsplunk script scrub selfjoin sendemail set sichart sirare sistats sitimechart sitop slc stash strcat streamstats sumindex summaryindex tail test timechart top transaction transam trendline typeahead typelearner typer uniq untable xmlkv xmlunescape xpath xyseries
   http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet
26. Demo: Search Data
27. Field Extraction Fun
28. Fields
   • Default fields: host, source, sourcetype, linecount, etc. View on left panel in search results or all in field picker
   • Where do fields come from? Pre-defined by sourcetypes; automatically extracted key-value pairs; user defined
29. Sources, Sourcetypes, Hosts
   • Host – hostname, IP address, or name of the network host from which the events originated
   • Source – the name of the file, stream, or other input
   • Sourcetype – a specific data type or data format
30. Tagging and Event Typing
   • Eventtypes for more human-readable reports: to categorize and make sense of mountains of data; punctuation helps find events with similar patterns
     Search > eventtype=failed_login
     instead of Search > “failed login” OR “FAILED LOGIN” OR “Authentication failure” OR “Failed to authenticate user”
   • Tags are labels: apply ad-hoc knowledge; create logical divisions or groups; tag hosts, sources, fields, even eventtypes
     Search > tag=web_servers
     instead of Search > host=“apache1.splunk.com” OR host=“apache2.splunk.com” OR host=“apache3.splunk.com”
31. Extract Fields. Interactive Field Extractor:
   • generate PCRE
   • editable regex
   • preview/save
32. Demo: Extract Fields
33. Saved Search & Alert Basics
34. Saved Searches. Leverage Searches for future Insights!
   • Reports
   • Dashboards
   • Alerts
   • Eventtypes
   Add a Time Range Picker: Preset; Relative; Real-time; Date-Range; Date & Time Range; Advanced
35. Create Alerts. Scheduled or Real-Time:
   • Define Time Ranges
   • Conditions
   • Thresholds
36. Alerting continued…
   • Searches run on a schedule and fire an alert. Example: Run a search for “Failed password” every 15 min over the last 15 min and alert if the number of events is greater than 10
   • Searches are running in real-time and fire an alert. Example: Run a search for “Failed password user=john.doe” in a 1 minute window and alert if an event is found
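The regex field extraction of slide 31 and both alert forms of slide 36, worked through in Python over constructed OpenSSH "Failed password" lines. This is an added example, not code from the deck or from Splunk; the regex, the field names, the `year` default and the function names are assumptions, and unlike a Splunk saved search it evaluates the condition once for a given `now` rather than on a schedule.

```python
import re
from datetime import datetime, timedelta

# PCRE-style named groups of the kind the Interactive Field Extractor generates; this
# regex was written for the example against OpenSSH "Failed password" lines.
FAILED_PASSWORD_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+) "
    r"port (?P<src_port>\d+)"
)

# Constructed sample log (not from the slides): twelve failures for root from one source,
# one minute apart, an unrelated successful login, then a single failure for john.doe.
SAMPLE_LOG = [
    "Sep 24 14:%02d:07 web01 sshd[%d]: Failed password for root from 10.2.1.44 port %d ssh2"
    % (40 + i, 4000 + i, 50000 + i)
    for i in range(12)
] + [
    "Sep 24 14:51:30 web01 sshd[4099]: Accepted password for alice from 10.2.1.10 port 50099 ssh2",
    "Sep 24 14:52:10 web01 sshd[4100]: Failed password for invalid user john.doe "
    "from 10.2.1.223 port 50100 ssh2",
]

def extract_fields(raw, year=2014):
    """Fields for one line, or None when the regex does not match: a non-match is the
    failure mode an extraction must surface rather than hide."""
    m = FAILED_PASSWORD_RE.match(raw)
    if m is None:
        return None
    fields = m.groupdict()
    # syslog timestamps carry no year; the caller supplies it, as a sourcetype setting would
    fields["_time"] = datetime.strptime("%d %s" % (year, fields["timestamp"]), "%Y %b %d %H:%M:%S")
    return fields

def parse_log(lines, year=2014):
    """Events that matched the extraction, in log order; other lines are dropped."""
    return [f for f in (extract_fields(line, year) for line in lines) if f is not None]

def scheduled_alert(events, now, window=timedelta(minutes=15), threshold=10):
    """Slide 36, scheduled form: count events in the trailing window, fire if > threshold."""
    count = sum(1 for e in events if now - window <= e["_time"] <= now)
    return count > threshold, count

def realtime_alert(events, now, user, window=timedelta(minutes=1)):
    """Slide 36, real-time form: fire as soon as one event for the user is in the window."""
    hits = [e for e in events if e["user"] == user and now - window <= e["_time"] <= now]
    return bool(hits), hits

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    now = datetime(2014, 9, 24, 14, 53, 0)
    print(scheduled_alert(events, now))                  # (True, 13)
    print(realtime_alert(events, now, "john.doe")[0])    # True
```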
37. Alerting Actions
   • Send email
   • RSS
   • Execute a script
   • Track Alert Details
38. Demo: Setup Alert
39. Report & Dashboard Wackiness
40. Reporting. Build reports from the results of any search: define your search and set your time range, accelerate your search and more. Choose the type of chart (line, area, column, etc) and other formatting options.
41. Reporting Examples
   • Use wizard or reporting commands (timechart, top, etc)
   • Build real-time reports with real-time searches
   • Save reports for use on dashboards
42. Dashboards. Create dashboards from search results
43. Dashboard Examples
44. Demo: Create Dashboard
45. Deployment and Integration
46. Splunk Has Four Primary Functions
   • Searching and Reporting (Search Head)
   • Indexing and Search Services (Indexer)
   • Local and Distributed Management (Deployment Server)
   • Data Collection and Forwarding (Forwarder)
   A Splunk install can be one or all roles…
47. Ingests Data From Heterogeneous Data Sources. Agent-less and Agent Approach for Flexibility and Optimization. Diagram labels: perf, shell, API, Mounted File Systems (hostname, mount), syslog TCP/UDP, Event Logs, Performance, Active Directory, syslog hosts and network devices, Unix, Linux and Windows hosts, Local File Monitoring, Splunk Forwarder, virtual host, Windows, Scripted or Modular Inputs (shell scripts, API subscriptions), Mainframes, *nix, Wire Data (Splunk App for Stream)
48. Understanding the Universal Forwarder. Forward data without negatively impacting production performance. Monitor files, changes and the system registry; capture metrics and status. Diagram labels: Scripts, Universal Forwarder, Deployment, Logs, Configurations, Messages, Metrics, Central Deployment Management.
   Comparison on the slide, Universal Forwarder vs Regular (Heavy) Forwarder: Monitor All Supported Inputs ✔ ✔; Routing, Filtering, Cloning ✔ ✔; Splunk Web ✔; Python Libraries ✔; Event Based Routing ✔; Scripted Inputs ✔
49. Horizontal Scaling. Load balanced search and indexing for massive, linear scale out. Forwarder Auto Load Balancing; Distributed Search
50. Multiple Datacenters. Headquarters; London, Hong Kong, Tokyo, New York. Distributed Search: index and store locally, distribute searches to datacenters, networks & geographies.
51. High Availability, On Commodity Servers and Storage
   • As Splunk collects data, it keeps multiple identical copies
   • If an indexer fails, incoming data continues to get indexed
   • Indexed data continues to be searchable
   • Easy setup and administration
   • Data integrity and resilience without a SAN
   Diagram labels: Index Replication; Splunk Universal Forwarder Pool; Constant Uptime
52. Send Data to Other Systems. Route raw data in real time or send alerts based on searches. Targets shown: Service Desk, SIEM, Event Console
53. Integrate External Data. Extend search with lookups to external data sources (LDAP, AD; Watch Lists; CRM/ERP; CMDB). Correlate IP addresses with locations, accounts with regions.
54. Integrate Users and Roles
   • Integrate authentication with LDAP and Active Directory (LDAP, AD Users and Groups).
   • Map LDAP & AD groups to flexible Splunk roles (Manage Users, Manage Indexes).
   • Define any search as a filter: Capabilities & Filters, e.g. NOT tag=PCI, App=ERP …
   Diagram labels: Problem Investigation; Save Searches; Share Searches
55. Powerful Developer Platform
   • REST API
   • Build Splunk Apps: Simple XML; JavaScript; HTML5; Web Framework
   • Extend and Integrate Splunk: SDKs for Java, JavaScript, Python, Ruby, C#, PHP; Data Models; Search Extensibility; Modular Inputs
56. Support and Community
57. Support Through the Splunk Community
   • Browse and share Apps from Splunk, Partners and the Community: apps.splunk.com
   • Community-driven knowledge exchange and Q&A: answers.splunk.com
   • .conf2015: 2015 -> more than 140 sessions: conf.splunk.com
58. Where to Go for Help
   • Documentation – http://www.splunk.com/base/Documentation
   • Technical Support – http://www.splunk.com/support
   • Videos – http://www.splunk.com/videos
   • Education – http://www.splunk.com/goto/education
   • Community – http://answers.splunk.com, http://apps.splunk.com
   • SplunkBook – http://splunkbook.com
59. Thank You – Q&A
