Splunk Ninjas: New Features, Pivot and Search Dojo

Besides seeing the newest features in Splunk Enterprise and learning the best practices for data models and pivot, we will show you how to use a handful of search commands that will solve most search needs. Learn these well and become a ninja.


  1. Global Field Enablement - Copyright © 2014 Splunk, Inc.
  2. Splunk Ninjas: New Features, Pivot & Search Dojo. May 2015. Jag Dhillon, Senior Sales Engineer, Splunk ANZ
  3. Agenda
     • Search Head Clustering
     • Getting Data In / Advanced Field Extractor
     • Instant Pivot / Event Pattern Detection
     • Distributed Management Console
     • Prebuilt Panels
     • Dashboard Enhancements
  4. Introducing Splunk Enterprise 6.2
     • Faster data onboarding: Getting Data In, Advanced Field Extractor
     • Powerful analytics for a broader number of users: Instant Pivot, Event Pattern Detection, Prebuilt Panels
     • Breakthrough scalability and centralized management: Search Head Clustering, Distributed Management Console
  5. Search Head Clustering
  6. Search Head Clustering: the ability to group search heads into a cluster in order to provide highly available and scalable search services (mission critical, enterprise).
  7. SHP vs SHC
     • Search Head Pooling (SHP): available since v4.2; shares configurations through NFS; single point of failure; performance issues
     • Search Head Clustering (SHC): no NFS; replication using local storage; commodity hardware
  8. Design goals and implementation
     • Design goals: 1. No single point of failure 2. "One configuration" across search heads 3. Horizontal scaling
     • Implementation: 1. Dynamic captain 2. Automatic config replication across search heads 3. Ability to add / remove nodes on a running cluster
  9. Search Head Clustering (6.2, NEW!): breakthrough scalability improvements and storage cost savings
     • Increases the number of concurrent users and searches
     • Uniform user experience among pooled search heads
     • (Almost) no single point of failure
     • Search job failure aware
     • Does not require external storage such as NFS
  10. SHC - How does it work?
     1. Group search heads into a cluster
     2. A captain gets elected dynamically
     3. User-created reports/dashboards are automatically replicated to the other search heads
  11. Search Head Clustering
     • Full replication of knowledge objects: saved searches, data models, field extractions, etc.
     • Replication of scheduled search results (artifacts)
       – Replication overhead is controllable via a configurable replication factor
       – Ad hoc and real-time search results, and scheduled search results not replicated to a member, are proxied from the member that holds them
     • Search queries are dispatched with respect to load
     • Preferably deployed behind a load balancer
     (Diagram components: Search Head, Indexer, Universal Forwarder, Cluster Master, Search Head Deployer)
  12. Business benefits of SHC: horizontal scaling; always-on search services; consistent user experience; easy to add / manage premium content (apps)
  13. Job Scheduling
  14. Job Scheduling Orchestration
     • The captain is the job scheduler
     • Eliminates the need for a dedicated job server
     • Load-based heuristic
     (Diagram: the captain's scheduler dispatches search 1, search 2 and search 3 to members according to load and tracks success/failure; users reach the members through a load balancer)
  15. Details
     • The captain updates report acceleration and data model (RA/DM) summaries on the indexers
     • Scheduler limits are honored across the cluster
     • Real-time scheduled searches run as one instance across the cluster
     • Auto-failover: the new captain becomes the scheduler
     • captain_is_adhoc_searchhead knob to reduce captain load
  16. Alerts & Suppression
     • Alerts fire when the results of a search meet the alerting criteria
       – Historical searches: within 10 seconds after the job completes
       – Real-time searches: on an ongoing basis
     • The captain merges and maintains a global view of alerts
     • Suppression information is centralized by the captain
     • Merged alert/suppression state is sent back to the members
  17. Getting Data In / Advanced Field Extractor
  18. Getting Data In - Overview
     • Consolidated workflow
     • Intuitive wizard-style interface
     • Configurable inputs on forwarders
     • Improved data preview
       – No sourcetype auto-naming
     • New sourcetype picker
       – Categories & descriptions
     • Contextual FAQs & docs links
     • Other
       – Sandbox recommendation, no followtail
  19. Getting Data In - Forwarder Inputs
     • Only supported for single instances in 6.2
       – Distributed support is a priority for the next release
     • Utilizes deployment server/client
       – Inputs defined in deployment apps
       – Naming convention: _server_app_<serverclass>
     • Input types: files/directories, TCP/UDP, scripts
       – Windows forwarders get WinEventLog & Perfmon
     • WinEventLogs are hard coded
       – System, Application, Security, Update
     • Perfmon inputs require 6.2 forwarders
       – All-or-nothing channels: can't customize objects
  20. Demo
  21. Advanced Field Extractor - Overview
     • Highlight-to-extract
     • Easier to work with multiple fields
     • Specify required text in extractions
     • Apply keyword search filters
     • View diverse and rare events
     • Validate extractions with stats tabs
       – Click a value to apply a filter
     • View existing extractions
       – props.conf based extractions only
     • Manual mode for regex writing
       – Leverage stats tabs, no highlighting
  22. Advanced Field Extractor - Details
     • New launch points:
       – Search UI: field pickers (list & modal)
       – Settings -> Fields -> Field extractions
     • Add additional sample events to improve field matching
       – Click events in the list to add them as samples
       – Max 5 sample events
     • Required text cannot be extracted
       – For now...
     • Heads up: launching from the search UI
       – Search filters are implicitly inherited
       – Events in AFX mirror the search results
       – The event action starts you with a specific event
  23. Demo
  24. Instant Pivot / Event Pattern Detection
  25. Instant Pivot: pivot directly on any search to discover relationships and build reports
     • From any search, simply select the Statistics tab and click on the pivot icon
     • Explore and analyze data from the Pivot interface
     • Quickly discover relationships in the data and build powerful reports
  26. Instant Pivot - Technical Details
     • Generates models from non-transforming searches
     • When you save a dashboard or report, it saves a data model underneath
     • A quick way of creating a data model for a user
  27. Additional Data Model Changes
     • All event objects in a model are now accelerated
     • _time is now extracted from search-based objects and used in Pivot
     • Bubble charts are now available in Pivot and Search
  28. Demo
  29. Event Pattern Detection: auto-discover meaningful patterns in your data with a single click
     • Search data without having to know specific terms to search on
     • No need to sift through similar events, just select the "Patterns" tab
     • Intuitive interface
  30. Event Pattern Detection - Technical Details
     • Two commands run under the hood: cluster and findkeywords
     • Runs on a subset of the events in the original data set, configurable in limits.conf with max_events (defaults to 50,000)
     • Doesn't rerun the original search; uses loadjob on the job results
     • Restrict usage of the Patterns tab by removing the pattern_detect capability
     • Equivalent search: index=* | cluster labelonly=t labelfield=_patterns | findkeywords labelfield=_patterns dedup=t
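As an added example (not Splunk's code and not from the slides), the following Python models the two-stage pipeline slide 30 describes: a greedy term-set clustering stands in for `cluster labelonly=t`, a keyword-selection pass stands in for `findkeywords dedup=t`, and a `max_events` parameter plays the role of the limits.conf knob. The tokenizer, the similarity threshold `t` and the sample syslog lines are constructed assumptions, not Splunk's algorithm or data.

```python
"""Simplified model of what the Patterns tab does: cluster, then findkeywords.

Added example, not Splunk's implementation: the tokenizer, the greedy
clustering and the similarity threshold are assumptions that stand in for
the cluster command; the keyword selection stands in for findkeywords.
"""
import re

# Constructed sample events (invented for this example).
SAMPLE_EVENTS = [
    "2015-05-01 10:00:01 sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 52211 ssh2",
    "2015-05-01 10:00:03 sshd[1202]: Failed password for invalid user test from 10.0.0.5 port 52213 ssh2",
    "2015-05-01 10:00:04 sshd[1203]: Failed password for root from 10.0.0.9 port 52217 ssh2",
    "2015-05-01 10:00:07 sshd[1210]: Accepted publickey for deploy from 10.0.0.21 port 40022 ssh2",
    "2015-05-01 10:00:09 sshd[1211]: Accepted publickey for deploy from 10.0.0.22 port 40030 ssh2",
    "2015-05-01 10:00:12 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart app",
    "2015-05-01 10:00:15 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart web",
]

# Word-like tokens only: timestamps, PIDs, IPs and ports are dropped so the
# variable parts of a line do not defeat the similarity measure.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_./-]*")


def terms(event):
    """Lower-cased set of terms for one event."""
    return {t.lower() for t in TOKEN_RE.findall(event)}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster(events, t=0.6):
    """Greedy single-pass clustering (stand-in for `cluster labelonly=t`).

    Each event joins the first cluster whose representative (its first event)
    is at least `t` similar, otherwise it starts a new cluster. Returns lists
    of event indexes in order of first appearance; the list position is the
    pattern label.
    """
    clusters = []  # [(representative term set, [member indexes]), ...]
    for i, event in enumerate(events):
        ts = terms(event)
        for rep_terms, members in clusters:
            if jaccard(ts, rep_terms) >= t:
                members.append(i)
                break
        else:
            clusters.append((ts, [i]))
    return [members for _, members in clusters]


def find_keywords(events, clusters):
    """Stand-in for `findkeywords`: for each cluster, the terms present in
    every member and in no non-member, i.e. the smallest keyword search
    that selects exactly that pattern."""
    term_sets = [terms(e) for e in events]
    result = []
    for members in clusters:
        common = set.intersection(*(term_sets[i] for i in members))
        outside = set().union(*(ts for i, ts in enumerate(term_sets) if i not in members))
        result.append(sorted(common - outside))
    return result


def detect_patterns(events, t=0.6, max_events=50000, dedup=True):
    """Run the two-stage pipeline on at most `max_events` events (the slide's
    limits.conf knob) and return one record per pattern; with dedup only the
    representative event is kept, as `findkeywords dedup=t` does."""
    events = list(events)[:max_events]
    clusters = cluster(events, t)
    keywords = find_keywords(events, clusters)
    patterns = []
    for label, (members, kws) in enumerate(zip(clusters, keywords), start=1):
        shown = [events[members[0]]] if dedup else [events[i] for i in members]
        patterns.append({
            "label": label,
            "count": len(members),
            "keywords": kws,
            "search": " ".join(kws),
            "events": shown,
        })
    return patterns


if __name__ == "__main__":
    for p in detect_patterns(SAMPLE_EVENTS):
        print(f"pattern {p['label']}: {p['count']} events, search: {p['search']}")
        print("   ", p["events"][0])
```

On the sample lines this yields three patterns (failed SSH logins, key-based logins, sudo commands) whose discriminating keyword searches are `failed password`, `accepted publickey` and the sudo-specific terms; the pattern label is the cluster's position in the list, which is what `labelfield=_patterns` carries in the real pipeline. The real commands weight terms differently, so the Patterns tab may split or merge the same data differently.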
  31. Demo
  32. Distributed Management Console
  33. Distributed Management Console: easily monitor health and performance of distributed deployments
     • New dashboards
       – Listing of Splunk instances and roles
       – Distributed indexing and search views
       – Resource usage views
       – Create logical groups
     • Ships with Splunk, nothing to install
     • Platform alerts: Splunk admins can receive emails on critical conditions
  34. Underpinning Technologies
     • Resource collection framework
       – introspection_generator_addon
       – $SPLUNK_HOME/var/log/introspection
       – index=_introspection
     • REST endpoints
       – /services/server/status/resource-usage: snapshots of CPU, memory, disk
       – /services/server/info: platform, core count, server role
     • Server roles
       – Derived or user defined
  35. Distributed Management Console Architecture (diagram: Monitoring Console Host; Search Heads; Indexers; Universal Forwarder; Distributed Search; Management Data)
  36. Setup Tasks
     • Prerequisites
       – Where does the DMC live?
       – Topology definition
       – Forward all logs from all components back to the indexing tier
       – All components must be search peers of the DMC host
     • Standalone vs distributed mode
       – Server roles
       – Custom groups
  37. Instance View (topology list) (screenshot)
  38. Design Patterns
     • Instances and machines
       – One machine can have several instances
     • Deployment-wide
       – Aggregate statistics
       – Uses a count of instances banded by a particular measurement
     • Snapshot views
       – Endpoint derived
     • Historical views
       – Indexer derived
  39. Median Search Concurrency by Type (screenshot)
  40. Maximum Search Concurrency by Mode (screenshot)
  41. Maximum CPU Usage by App (screenshot)
  42. Top 10 Memory-consuming Searches (screenshot)
  43. Memory-consuming Searches - Details (screenshot)
  44. Search Activity: Deployment (screenshot)
  45. Instances by Median Search Concurrency (screenshot)
  46. Instances by Maximum Memory Usage (screenshot)
  47. Instances by Indexing Rate (screenshot)
  48. Instances by Indexing Rate - Drilldown (screenshot)
  49. Instances by Indexing Rate - Drilldown, continued (screenshot)
  50. Indexing Performance: Instance (screenshot)
  51. Indexing Rate (screenshot)
  52. Median Fill Ratio of Queues (screenshot)
  53. Resource Usage: Machine (screenshot)
  54. Resource Usage: Machine, continued (screenshot)
  55. Resource Usage: Machine, continued (screenshot)
  56. Deployment-wide CPU Usage (screenshot)
  57. Platform Alerts (screenshot)
  58. Platform Alerts Email Examples (screenshot)
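The DMC views on slides 34 and 52 and the platform alerts on slides 57 and 58 are built from two data sources the deck names: the Hostwide records that introspection_generator_addon writes under $SPLUNK_HOME/var/log/introspection (indexed into _introspection) and the group=queue lines in metrics.log. The Python below is an added example, not the DMC's own searches or code: it parses constructed records in those two layouts, computes the median queue fill ratio per host and queue, and evaluates two alert conditions. The hosts, values and thresholds (90% memory, 0.9 fill ratio) are assumptions chosen for the example; the slides do not state the DMC's actual thresholds.

```python
"""Platform-alert style checks over introspection and metrics data.

Added example, not the DMC's own code: record layouts follow the Hostwide
records in $SPLUNK_HOME/var/log/introspection/resource_usage.log and the
group=queue lines in metrics.log; the values, hosts and thresholds are
constructed for this example.
"""
import json
import re
import statistics

# Constructed (host, raw log line) pairs; host is the metadata Splunk would
# attach when the component's logs are forwarded to the indexing tier.
INTROSPECTION_EVENTS = [
    ("idx01", '{"datetime":"05-01-2015 10:00:00.000 +1000","log_level":"INFO",'
              '"component":"Hostwide","data":{"mem":16384,"mem_used":15200,"cpu_idle_pct":12.5}}'),
    ("idx02", '{"datetime":"05-01-2015 10:00:00.000 +1000","log_level":"INFO",'
              '"component":"Hostwide","data":{"mem":16384,"mem_used":6100,"cpu_idle_pct":71.0}}'),
    ("sh01", '{"datetime":"05-01-2015 10:00:00.000 +1000","log_level":"INFO",'
             '"component":"PerProcess","data":{"pid":4242,"mem_used":900}}'),
]
METRICS_LINES = [
    ("idx01", "05-01-2015 10:00:31.123 +1000 INFO  Metrics - group=queue, name=indexqueue, blocked=true, "
              "max_size_kb=500, current_size_kb=498, current_size=1200, largest_size=1200, smallest_size=1100"),
    ("idx01", "05-01-2015 10:01:01.456 +1000 INFO  Metrics - group=queue, name=indexqueue, "
              "max_size_kb=500, current_size_kb=490, current_size=1180, largest_size=1200, smallest_size=1000"),
    ("idx01", "05-01-2015 10:01:01.456 +1000 INFO  Metrics - group=queue, name=parsingqueue, "
              "max_size_kb=6144, current_size_kb=120, current_size=40, largest_size=60, smallest_size=0"),
    ("idx02", "05-01-2015 10:01:02.789 +1000 INFO  Metrics - group=queue, name=indexqueue, "
              "max_size_kb=500, current_size_kb=10, current_size=30, largest_size=50, smallest_size=0"),
    ("idx02", "05-01-2015 10:01:02.789 +1000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=12.3"),
]

KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_metrics_line(line):
    """key=value pairs after 'Metrics - ' as a dict (values kept as strings)."""
    _, _, body = line.partition("Metrics - ")
    return dict(KV_RE.findall(body))


def median_fill_ratio(metrics_lines):
    """Median current_size_kb / max_size_kb per (host, queue), from the
    group=queue lines only; this is the 'Median Fill Ratio of Queues' view."""
    ratios = {}
    for host, line in metrics_lines:
        kv = parse_metrics_line(line)
        if kv.get("group") != "queue":
            continue
        ratio = float(kv["current_size_kb"]) / float(kv["max_size_kb"])
        ratios.setdefault((host, kv["name"]), []).append(ratio)
    return {k: statistics.median(v) for k, v in ratios.items()}


def memory_used_pct(introspection_events):
    """Physical memory in use per host, from the Hostwide records only
    (PerProcess records carry per-PID figures and are skipped)."""
    usage = {}
    for host, raw in introspection_events:
        rec = json.loads(raw)
        if rec.get("component") != "Hostwide":
            continue
        data = rec["data"]
        usage[host] = 100.0 * data["mem_used"] / data["mem"]
    return usage


def platform_alerts(introspection_events, metrics_lines,
                    mem_pct_threshold=90.0, queue_fill_threshold=0.9):
    """Evaluate two alert conditions and return one record per firing."""
    alerts = []
    for host, pct in sorted(memory_used_pct(introspection_events).items()):
        if pct > mem_pct_threshold:
            alerts.append({"alert": "Critical System Physical Memory Usage",
                           "host": host, "value": round(pct, 1)})
    for (host, queue), med in sorted(median_fill_ratio(metrics_lines).items()):
        if med >= queue_fill_threshold:
            alerts.append({"alert": "Saturated Event-Processing Queues",
                           "host": host, "queue": queue, "value": round(med, 3)})
    return alerts


if __name__ == "__main__":
    for a in platform_alerts(INTROSPECTION_EVENTS, METRICS_LINES):
        print(a)
```

In the sample data idx01 fires both conditions (92.8% memory in use, indexqueue median fill 0.988) while idx02 and the PerProcess record on sh01 are ignored. Feeding the real endpoints or indexes into the same functions is a matter of replacing the constructed lists with the output of `/services/server/status/resource-usage` or a search over `index=_introspection` and `index=_internal source=*metrics.log*`.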
  59. Prebuilt Panels / Dashboard Enhancements
  60. Prebuilt Panels: build custom dashboards faster using prebuilt panels packaged within apps
     • New add workflow
       – Browse, discover, search, and preview
       – Browse reports, other dashboards, and prebuilt panels
     • Packaged within apps and add-ons
     • Purpose-built for dashboard re-use
       – No further configuration required by users
     • Panel objects may include
       – Multiple searches
       – Multiple visualizations
       – Full drilldown (including in-page, contextual)
       – Form inputs
  61. Prebuilt Panels - Technical Details
     • Panels are new knowledge objects in Splunk
       – Included in dashboards "by reference"
     • Management / permissions
       – UI: "Settings > User interface > Prebuilt panels"
       – FS: $SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/panels
       – Syntax for default.meta is "[panels]"
     • Building panels
       – Via Dashboard Editor (recommended): build panel > "Convert to Prebuilt Panel"
       – Via Manager page: required for editing
     • Convert to inline
       – For any customization
     • Note: panels do not support custom JS/CSS extensions
  62. Dashboard Enhancements
     • Performance & efficiency
       – Multi-search management
     • Forms & interactivity logic
       – Input multi-token setter
       – Dropdown/multiselect custom values support
     • Enable user-driven dashboard customization
       – Discover, search, preview content to add to dashboards
       – Prebuilt panels
     Featured in the "Splunk 6.2 Overview" app
  63. Questions?
  64. Thank you
  65. Supplemental slides
  66. Multi-Search Management: improve search efficiency in your dashboards with multiple background searches
     • Run multiple background searches
       – Located within the global space, or within panels
     • Post-process search binding
     • Re-use search results to drive visualizations, form inputs, and more
     • Normalized search syntax
       – Replaces the current, confusing search syntax
       – <searchTemplate>, <searchString>, <searchPostProcess>, <populatingSearch>, <populatingSavedSearch>
     • Splunk 6.2 is fully backward compatible
  67. Multi-Search Management - Basics
     http://docs.splunk.com/Documentation/Splunk/6.2/Viz/PanelreferenceforSimplifiedXML#search

     Basic search, with the option to use it globally:
       <search id="MyTopSourcetypes">
         <query>index=_internal | top sourcetype</query>
         <earliest>-60m@m</earliest>
         <latest>now</latest>
       </search>

     Search post-process:
       <search base="MyTopSourcetypes">
         <query>sort +count</query>
       </search>

     Reference a report, with a time range override:
       <search ref="MyReportTopSourcetypes">
         <earliest>-60m@m</earliest>
         <latest>now</latest>
       </search>

     Name     | Type             | Description
     base     | search attribute | A reference to a base search by a post-process search.
     id       | search attribute | Identifier for a search. A post-process search references a base search by this identifier.
     ref      | search attribute | Reference to a report containing a search.
     app      | search attribute | App context. Only needed if there is a report name conflict.
     query    | element          | Search query string.
     earliest | element          | Earliest time.
     latest   | element          | Latest time.
  68. Multi-Search Management
     • Existing 6.1 scenarios (using the new search syntax):
       – Inline search that drives a single visualization
       – Report-based search that drives a single visualization (using the report time range)
       – Report-based search that drives a single visualization (using an inline time range)
       – Inline search that populates the available choices in a form input
       – Report-based search that populates the available choices in a form input
       – Single global search to drive multiple visualizations with and without post-process
     • Newly enabled 6.2 scenarios:
       – Multiple background searches that can be referenced directly for visualizations or post-processes
       – Binding a form input to a global search both directly and using post-process filtering
       – Performance optimizations for token-substitution-based searches
  69. Scenario: inline search that drives a single visualization
     <dashboard>
       <label>Search Management</label>
       <row>
         <panel>
           <chart>
             <title>Top Sourcetypes</title>
             <search>
               <query>index=_internal | top sourcetype</query>
               <earliest>-60m@m</earliest>
               <latest>now</latest>
             </search>
             <option name="charting.chart">bar</option>
           </chart>
         </panel>
       </row>
     </dashboard>
  70. Scenario: report-based search that drives a single visualization (using the report time range)
     <dashboard>
       <label>Search Management</label>
       <row>
         <panel>
           <chart>
             <title>Top Sourcetypes</title>
             <search ref="Top Sourcetypes Report"></search>
             <option name="charting.chart">bar</option>
           </chart>
         </panel>
       </row>
     </dashboard>
  71. Scenario: report-based search that drives a single visualization (using an inline time range)
     <dashboard>
       <label>Search Management</label>
       <row>
         <panel>
           <chart>
             <title>Top Sourcetypes</title>
             <search ref="Top Sourcetypes Report">
               <earliest>-60m@m</earliest>
               <latest>now</latest>
             </search>
             <option name="charting.chart">bar</option>
           </chart>
         </panel>
       </row>
     </dashboard>
  72. Scenario: inline search that populates the available choices in a form input
     <form>
       <label>Search Management</label>
       <fieldset submitButton="false">
         <input type="dropdown" token="s_sourcetype">
           <label>Sourcetype</label>
           <search>
             <query>index=_internal | top sourcetype</query>
             <earliest>-60m@m</earliest>
             <latest>now</latest>
           </search>
           <fieldForLabel>sourcetype</fieldForLabel>
           <fieldForValue>sourcetype</fieldForValue>
         </input>
       </fieldset>
       ...
     </form>
  73. Scenario: report-based search that populates the available choices in a form input
     <form>
       <label>Search Management</label>
       <fieldset submitButton="false">
         <input type="dropdown" token="s_sourcetype">
           <label>Sourcetype</label>
           <search ref="Top Sourcetypes Report"></search>
           <fieldForLabel>sourcetype</fieldForLabel>
           <fieldForValue>sourcetype</fieldForValue>
         </input>
       </fieldset>
       ...
     </form>
  74. Scenario: single global search to drive multiple visualizations, with and without post-process
     <form>
       <label>Search Management</label>
       <search id="globalSearch">
         <query>index=_internal | top sourcetype</query>
         <earliest>-60m@m</earliest>
         <latest></latest>
       </search>
       <row>
         <panel>
           <chart>
             <title>My Top Sourcetypes</title>
             <search base="globalSearch"></search>
           </chart>
           <table>
             <title>My Top Sourcetypes</title>
             <search base="globalSearch">
               <query>sourcetype="splunkd"</query>
             </search>
           ...
  75. Newly enabled 6.2 scenario: multiple background searches that can be referenced directly for visualizations or post-processes
     <form>
       <label>Search Management</label>
       <search id="globalSearch1">
         <query>index=_internal | top sourcetype</query>
         <earliest>-60m@m</earliest>
         <latest></latest>
       </search>
       <row>
         <panel>
           <search id="globalSearch2">
             <query>index=_internal | top sourcetype</query>
             <earliest>-60m@m</earliest>
             <latest></latest>
           </search>
           <chart>
             <title>My Top Sourcetypes</title>
             <search base="globalSearch1"></search>
           </chart>
           <table>
             <title>My Top Sourcetypes</title>
             <search base="globalSearch2">
               <query>sourcetype="splunkd"</query>
             </search>
           </table>
         </panel>
       </row>
     </form>
  76. Newly enabled 6.2 scenario: binding a form input to a global search, both directly and using post-process filtering
     <form>
       <label>Search Management</label>
       <search id="globalSearch">
         <query>index=_internal | top sourcetype</query>
         <earliest>-60m@m</earliest>
         <latest>now</latest>
       </search>
       <fieldset submitButton="false">
         <input type="dropdown" token="s_sourcetype">
           <label>Sourcetype</label>
           <search base="globalSearch">
             <query>sort +sourcetype</query>
           </search>
           <fieldForLabel>sourcetype</fieldForLabel>
           <fieldForValue>sourcetype</fieldForValue>
         </input>
       </fieldset>
       ...
     </form>
  77. Newly enabled 6.2 scenario: performance optimizations for token-substitution-based searches
     <form>
       <label>Search Management</label>
       <row>
         <panel>
           <search id="globalSearch">
             <query>index=_internal | stats count by sourcetype</query>
             <earliest>-60m@m</earliest>
             <latest></latest>
           </search>
           <input type="dropdown" token="s_sourcetype">
             <search base="globalSearch"></search>
             <fieldForLabel>sourcetype</fieldForLabel>
             <fieldForValue>sourcetype</fieldForValue>
           </input>
           <single>
             <title>My Top Sourcetypes</title>
             <search base="globalSearch">
               <query>sourcetype="$s_sourcetype$"</query>
             </search>
           </single>
         </panel>
       </row>
     </form>
  78. Multi-Search Management - Last Words
     • The Splunk 6.2 search syntax is fully backward compatible
       – You can continue to use prior dashboards with the old syntax
       – Note: the old search syntax is officially "deprecated"
     • Dashboard searches run in "Fast" mode by default
       – If you want to pass fields down to post-process searches, use "| fields"
       – Use "| fields *" if you don't know which fields the post-process searches need
  79. Form Input Multi-token Setter: integrate more logic into form inputs
     • Key use cases:
       – Setting tokens for labels
       – Simple time range pickers
       – Complex token setting with search
       – HiddenSearchSwapper
     • On the <change> event
       – Optionally use <condition> logic
       – For value or label
       – Then use the standard <set token=""></set>
  80. Form Input Multi-token Setter - Example: setting a token to represent the user-selected label
     • Time picker selection: show the selected label within panel titles, element titles, etc.
     <form>
       <label>Token Management</label>
       <fieldset submitButton="false">
         <input type="time" token="time">
           <label></label>
           <default>
             <earliest>-60m@m</earliest>
             <latest>now</latest>
           </default>
           <change>
             <set token="time.label">$label$</set>
           </change>
         </input>
       </fieldset>
       ...
     </form>
  81. Form Input Multi-token Setter - Example: simple time range picker
     • Limited preset values
     • Fiscal quarters/years
     <input type="dropdown" token="simple">
       <label>Simple Time Picker</label>
       <choice value="last_24h">Last 24 Hours</choice>
       <choice value="last_7d">Last 7 days</choice>
       <choice value="last_30d">Last 30 days</choice>
       <default>last_24h</default>
       <change>
         <condition value="last_24h">
           <set token="simple.label">$label$</set>
           <set token="simple.earliest">-24h</set>
           <set token="simple.latest">now</set>
         </condition>
         <condition value="last_7d">
           <set token="simple.label">$label$</set>
           <set token="simple.earliest">-7d</set>
           <set token="simple.latest">now</set>
         </condition>
         <condition value="last_30d">
           <set token="simple.label">$label$</set>
           <set token="simple.earliest">-30d</set>
           <set token="simple.latest">now</set>
         </condition>
       </change>
     </input>
  82. Form Input Multi-token Setter - Example: hidden search swapper
     • Based on the time selected, use a different search string
     <form>
       <label>test search swapper</label>
       <fieldset submitButton="false">
         <input type="time" token="field1">
           <label></label>
           <default>
             <earliest>-60m@m</earliest>
             <latest>now</latest>
           </default>
           <change>
             <condition label="All time">
               <set token="new_search">`set_sos_index` sourcetype="ps" $host$ | multikv | `get_splunk_process_type` | eval RSZ_MB=RSZ_KB/1024 | eval VSZ_MB=VSZ_KB/1024 | bin _time span=5s | stats first(pctCPU) AS pctCPU, first(RSZ_MB) AS RSZ_MB, first(VSZ_MB) AS VSZ_MB first(type) AS type by PID _time | stats sum(pctCPU) AS pctCPU, sum(RSZ_MB) AS RSZ_MB, sum(VSZ_MB) AS VSZ_MB by type, _time | bin _time span=10s | sistats avg(pctCPU), median(pctCPU), median(RSZ_MB), median(VSZ_MB) by type, _time</set>
             </condition>
             <condition label="Last 24 hours">
               <set token="new_search">index=_internal sourcetype=splunkd | table _time sourcetype message</set>
             </condition>
             <condition value="*">
               <set token="new_search">index=_internal sourcetype=splunkd | table _time source sourcetype message</set>
             </condition>
           </change>
         </input>
       </fieldset>
     </form>
  83. Free-form Text Support for Dropdown/Multi-select: integrate more logic into form inputs
     • Operates similar to a text input with auto-complete assistance
     • Key use cases:
       – Best for hostname-type inputs
       – Inputs where you may want to use * wildcards
     • Enable via XML
       – <allowCustomValues>true</allowCustomValues>
       – Default is false
  84. Dashboard Display Controls: enable/disable dashboard chrome and controls
     • Enhanced OEM and/or embed capabilities
     • 2 integration points
       – As an HTTP GET parameter
       – As a form/dashboard attribute
     • New attributes/parameters available
       – hideSplunkBar: hides just the Splunk bar
       – hideAppBar: hides just the app bar
       – hideFooter: hides just the footer
       – hideChrome: shortcut to hide Splunk bar, app bar, and footer
       – hideTitle: hides title and description
       – hideEdit: hides all the dashboard controls
  85. Dashboard Deprecation List
     • Old search syntax
       – searchString, searchTemplate, searchName, searchPostProcess
       – earliestTime, latestTime
       – populatingSearch, populatingSavedSearch
     • Row grouping
     • Viz element "list"
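Slides 66 to 78 introduce the `<search id>` / `<search base>` syntax and the fast-mode caveat, and slide 85 lists the elements it deprecates. The Python below is an added example, not a Splunk tool or the presenter's code: a small linter that walks a Simple XML dashboard and reports deprecated elements from that list, `base` references that do not resolve to a `<search id>`, and (as a labelled heuristic) base searches that are neither transforming nor end in `| fields`, since post-process searches on those will see no fields in fast mode. The sample dashboard is constructed for the example and deliberately mixes old and new syntax.

```python
"""Lint a Simple XML dashboard against the 6.2 search syntax.

Added example, not a Splunk tool: it checks the deprecated elements listed
on the slides, that every <search base="..."> resolves to a <search id="...">,
and (heuristically) whether a non-transforming base search passes fields
down with `| fields`. The sample dashboard is constructed for this example.
"""
import xml.etree.ElementTree as ET

SAMPLE_DASHBOARD = """\
<form>
  <label>Lint sample</label>
  <search id="globalSearch">
    <query>index=_internal | top sourcetype</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
  </search>
  <search id="rawEvents">
    <query>index=_internal sourcetype=splunkd</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="s_sourcetype">
      <label>Sourcetype</label>
      <populatingSearch fieldForLabel="sourcetype" fieldForValue="sourcetype">index=_internal | top sourcetype</populatingSearch>
    </input>
  </fieldset>
  <row grouping="2">
    <panel>
      <chart>
        <title>Top Sourcetypes</title>
        <search base="globalSearch"><query>sort +count</query></search>
      </chart>
      <table>
        <title>Old syntax</title>
        <searchString>index=_internal | stats count by sourcetype</searchString>
        <earliestTime>-60m@m</earliestTime>
        <latestTime>now</latestTime>
      </table>
      <single>
        <title>Errors</title>
        <search base="rawEvents"><query>stats count by component</query></search>
      </single>
      <single>
        <title>Broken reference</title>
        <search base="missingSearch"><query>search sourcetype=splunkd</query></search>
      </single>
    </panel>
  </row>
</form>
"""

# From the deprecation list: old search syntax plus the "list" viz element.
DEPRECATED_TAGS = {
    "searchString", "searchTemplate", "searchName", "searchPostProcess",
    "earliestTime", "latestTime", "populatingSearch", "populatingSavedSearch",
    "list",
}
# Commands whose output already has a fixed field set, so a base search
# using one of them needs no `| fields` for its post-processes.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare", "tstats"}


def passes_fields_down(query):
    """Heuristic: True if the query has a transforming stage or a `| fields`
    stage (pipes inside quoted strings are not handled)."""
    stages = [s.strip().split(None, 1)[0].lower()
              for s in query.split("|")[1:] if s.strip()]
    return any(s in TRANSFORMING or s == "fields" for s in stages)


def lint_dashboard(xml_text):
    """Return a list of findings: {"kind", "element", "detail"}."""
    root = ET.fromstring(xml_text)
    findings = []
    base_searches = {}
    for el in root.iter():
        if el.tag in DEPRECATED_TAGS:
            findings.append({"kind": "deprecated", "element": el.tag,
                             "detail": "use <search> syntax"})
        if el.tag == "row" and "grouping" in el.attrib:
            findings.append({"kind": "deprecated", "element": "row",
                             "detail": "row grouping"})
        if el.tag == "search" and "id" in el.attrib:
            base_searches[el.attrib["id"]] = el
    post_processed = set()
    for el in root.iter("search"):
        base = el.attrib.get("base")
        if base is None:
            continue
        if base not in base_searches:
            findings.append({"kind": "unresolved-base", "element": "search", "detail": base})
        else:
            post_processed.add(base)
    for base_id in sorted(post_processed):
        query_el = base_searches[base_id].find("query")
        query = query_el.text if query_el is not None and query_el.text else ""
        if not passes_fields_down(query):
            findings.append({"kind": "fast-mode-fields", "element": "search",
                             "detail": f'{base_id}: add "| fields" (or "| fields *") '
                                       f"so post-process searches see the fields"})
    return findings


if __name__ == "__main__":
    for f in lint_dashboard(SAMPLE_DASHBOARD):
        print(f"{f['kind']:18} <{f['element']}> {f['detail']}")
```

On the sample dashboard the linter reports five deprecations (populatingSearch, searchString, earliestTime, latestTime and the row grouping attribute), one unresolved base (`missingSearch`) and one fast-mode note for `rawEvents`, whose non-transforming query will hand no fields to the `stats count by component` post-process unless it ends in `| fields`. The `globalSearch` base is not flagged because `top` already fixes its output fields.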
