Splunk Ninjas: New Features, Pivot and Search Dojo
•
0 likes•490 views
Besides seeing the newest features in Splunk Enterprise and learning the best practices for data models and pivot, we will show you how to use a handful of search commands that will solve most search needs. Learn these well and become a ninja.
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Viewers also liked
Viewers also liked (9)
Similar to Splunk Ninjas: New Features, Pivot and Search Dojo
Similar to Splunk Ninjas: New Features, Pivot and Search Dojo (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Splunk Ninjas: New Features, Pivot and Search Dojo
- 1. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc.
- 2. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk, Inc. Splunk Ninjas New Features, Pivot & Search Dojo May 2015 Jag Dhillon Senior Sales Engineer, Splunk ANZ
- 3. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Agenda ! Search Head Clustering ! GePng Data In / Advanced Field Extractor ! Instant Pivot / Event PaSern DetecTon ! Distributed Management Console ! Prebuilt Panels ! Dashboard Enhancements 3
- 4. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Introducing Splunk Enterprise 6.2 4 GePng Data In Advanced Field Extractor Instant Pivot Event PaSern DetecTon Prebuilt Panels Search Head Clustering Distributed Management Console Powerful Analy.cs for Broader Number of Users Faster Data Onboarding Breakthrough Scalability and Centralized Mgmt.
- 5. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk, Inc. Search Head Clustering
- 6. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Search Head Clustering Ability to group search heads into a cluster in order to provide Highly Available and Scalable search services 6 MISSION CRITICAL ENTERPRISE
- 7. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. SHP vs SHC SHC SHP • Available since v4.2 • Sharing configuraTons through NFS • Single point of failure • Performance issues • No NFS • ReplicaTon using local storage • Commodity hardware 7 NFS
- 8. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. 1. No Single Point of Failures 2. “One ConfiguraTon” across SH 3. Horizontal Scaling 8 1. Dynamic Captain 2. AutomaTc Config replicaTon across SH 3. Ability to add / remove nodes on running cluster Design Goals ImplementaTon
- 9. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Search Head Clustering 6.2 NEW! Breakthrough scalability improvements and storage cost savings • Increases the number of concurrent users and searches • Uniform user experience among pooled search heads • (Almost) no single point of failure • Search job failure aware • Does not require external storage such as NFS
- 10. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. SHC – How does it work? 10 1 1. Group search heads into a cluster 2. A captain gets elected dynamically 3. User created reports/dashboards automaTcally replicated to other search heads 2 3
- 11. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Search Head Clustering ! Full ReplicaTon of Knowledge objects: Saved searches, Data model, Field ExtracTon, etc ! ReplicaTon of Scheduled search result, a.k.a ArTfact – ReplicaTon overhead is controllable by customable factor – Proxy Adhoc/real Tme search result/Scheduled search result not exist ! Dispatch of search query with respect to loading ! Preferably deployed with LB Search head Indexer Universal Forwarder Cluster Master Search Head Deployer
- 12. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Business Benefits of SHC Horizontal Scaling 12 Always-‐on Search Services Consistent User Experience Easy to add / manage premium contents (apps)
- 13. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Job Scheduling
- 14. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. • Captain is job scheduler • Eliminates job-‐server need • Load-‐based heurisTc Job Scheduling OrchestraTon 14 captain scheduler ... search 1 search 2 LOAD SUCC FAIL load balancer search -‐3
- 15. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Details ! Captain updates RA/DM summaries on indexers. ! Scheduler limits honored across the cluster ! Real Tme scheduled searches run one instance across cluster ! Auto-‐failover – New captain becomes scheduler ! captain_is_adhoc_searchhead knob to reduce captain load 15
- 16. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Alerts & Suppression ! Alerts fired when results of search meet alerTng criteria – Historical Searches – within 10 seconds amer job completes – RealTime searches – ongoing basis ! Captain merges and maintains global view of alerts ! Suppression informaTon centralized by the captain ! Merged Alerts/Suppression sent back to members 16
- 17. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. GePng Data In / Advanced Field Extractor
- 18. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. GePng Data In -‐ Overview Consolidated workflow IntuiTve wizard-‐style interface Configurable inputs on forwarders Improved data preview – No sourcetype auto-‐naming New Sourcetype Picker – Categories & DescripTons Contextual FAQs & Docs links Other – Sandbox recommendaTon, no followtail 18
- 19. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. GePng Data In – Forwarder Inputs Only supported for single instances in 6.2 – Distributed support is a priority for next release UTlizes deployment server/client – Inputs defined in deployment apps – Naming convenTon: _server_app_<serverclass> Input Types: Files/Directories, TCP/UDP, Scripts – Windows Forwarders get WinEventLog & Perfmon WinEventLogs are hard coded – System, ApplicaTon, Security, Update Perfmon inputs require 6.2 forwarders – All-‐or-‐nothing channels: can’t customize objects 19
- 20. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Demo
- 21. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Advanced Field Extractor -‐ Overview Highlight-‐to-‐extract Easier to work with mulTple fields Specify required text in extracTons Apply keyword search filters View diverse and rare events Validate extracTons with stats tabs – Click a value to apply a filter View exisTng extracTons – props.conf based extracTons only Manual mode for RegEx wriTng – Leverage stats tabs, no highlighTng 21
- 22. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Advanced Field Extractor -‐ Details New launch points: – Search UI: Field pickers (list & modal) – SePngs -‐> Fields -‐> Field extracTons Add addiTonal sample events to improve field matching – Click events in the list to add as samples – Max 5 sample events Required text cannot be extracted – For now… Heads up: Launch from search UI – Search filters are implicitly inherited – Events in AFX will mirror search results – Event acTon starts you with specific event 22
- 23. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Demo
- 24. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Instant Pivot / Event PaSern DetecTon
- 25. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instant Pivot Pivot directly on any search to discover relaTonships, build reports • From any search, simply select the StaTsTcs tab and click on the pivot icon • Explore and analyze data from the Pivot interface • Quickly discover relaTonships in the data and build powerful reports 25
- 26. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instant Pivot – Technical Details ! Generates models from non-‐transforming searches ! When you save a dashboard or report, it saves a data model underneath ! Quick way of creaTng a data model for a user 26
- 27. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. AddiTonal Data Model Changes ! All event objects in a model are now accelerated ! _Tme is now extracted from search based objects and used in Pivot ! Bubble charts now available in Pivot and Search 27
- 28. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Demo
- 29. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Event PaSern DetecTon Auto-‐discover meaningful paSerns in your data with a single click • Search data without having to know specific terms to search on • No need to sim through similar events, just select “PaSerns” tab • IntuiTve interface 29 Screenshot or Image suggesTon
- 30. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Event PaSern DetecTon – Technical Details ! Two commands are running under the hood: cluster and findkeywords ! Runs on a subset of the events in the original data set, configurable in limits.conf with max_events – defaults to 50,000 ! Doesn’t rerun original search, uses loadjob on job results ! Restrict usage of the paSerns tab by removing the paSern_detect capability ! index=* | cluster labelonly=t labelfield=_paSerns | findkeywords labelfield=_paSerns dedup=t 30
- 31. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Demo
- 32. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Distributed Management Console
- 33. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Distributed Management Console Easily monitor health and performance of distributed deployments • New Dashboards – LisTng of Splunk instances and roles – Distributed indexing and search views – Resource usage views – Create logical groups • Ships with Splunk, Nothing to install • Pla{orm Alerts -‐ Splunk admins can receive emails on criTcal condiTons
- 34. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Underpinning Technologies ! Resource CollecTon Framework – introspecTon_generator_addon – $SPLUNK_HOME/var/log/introspecTon – index=_introspecTon ! REST Endpoints – /services/server/status/resource-‐usage ê Snapshots of CPU, Memory, Disk – /services/server/info ê Pla{orm, Core count, Server Role ! Server Roles – Derived or User Defined 34
- 35. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Distributed Management Console Architecture 35 Search Heads Indexers Universal Forwarder Distributed Search Management Data Monitoring Console Host
- 36. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Setup Tasks ! Prerequisites – Where does the DMC live? – Topology DefiniTon – Forward all logs from all components back to the indexing Ter – All components must be Search Peers of the DMC Host ! Standalone vs Distributed Mode – Server Roles – Custom Groups 36
- 37. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instance View (Topology list) 37
- 38. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Design PaSerns ! Instances and Machines – One machine can have several instances ! Deployment Wide – Aggregate staTsTcs – Uses a Count of Instances Banded by a parTcular measurement ! Snapshot Views – Endpoint derived ! Historical Views – Indexer derived 38
- 39. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Median Search Concurrency by Type 39
- 40. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Maximum Search Concurrency by Mode 40
- 41. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Maximum CPU usage by App 41
- 42. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Top 10 Memory-‐consuming Searches 42
- 43. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Memory-‐consuming Searches -‐ Details 43
- 44. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Search AcTvity: Deployment 44
- 45. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instances by Median Search Concurrency 45
- 46. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instances by Maximum Memory Usage 46
- 47. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instances by Indexing Rate 47
- 48. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instances by Indexing Rate -‐ Drilldown 48
- 49. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Instances by Indexing Rate -‐ Drilldown 49
- 50. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Indexing Performance: Instance 50
- 51. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Indexing Rate 51
- 52. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Median Fill RaTo of Queues 52
- 53. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Resource Usage: Machine 53
- 54. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Resource Usage: Machine 54
- 55. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Resource Usage: Machine 55
- 56. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Deployment-‐wide CPU Usage 56
- 57. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Pla{orm Alerts 57
- 58. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Pla{orm Alerts Email Examples 58
- 59. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Prebuilt Panels / Dashboard Enhancements
- 60. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Prebuilt Panels Build custom dashboards faster using prebuilt panels packaged within apps ! New add workflow – Browse, discover, search, and preview – Browse reports, other dashboards, and prebuilt panels ! Packaged within apps and add-‐ons ! Purpose-‐built for dashboard re-‐use – No further configuraTon required by users ! Panel objects may include – MulTple searches – MulTple visualizaTons – Full drilldown (including in-‐page, contextual) – Form inputs 60
- 61. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Prebuilt Panels – Technical Details ! Panels are new knowledge objects in Splunk – Included in dashboard “by reference” ! Management / Permissions – UI: “SePngs > User interface > Prebuilt panels” – FS: $SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/panels – Syntax for default.meta is “[panels]” ! Building Panels – Via Dashboard Editor (recommended) ê Build panel > “Convert to Prebuilt Panel” – Via Manager Page ê Required for ediTng ! Convert to Inline – For any customizaTon ! Note: Panels do not support custom js/css extensions 61
- 62. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Dashboard Enhancements ! Performance & Efficiency ê MulT-‐Search Management ! Forms & InteracTvity Logic ê Input MulT-‐token SeSer ê Dropdown/MulTselect Custom Values Support ! Enable User-‐driven Dashboard CustomizaTon ê Discover, Search, Preview Content to add to dashboards ê Prebuilt Panels Featured in “Splunk 6.2 Overview” app 62
- 63. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. QuesTons? 63
- 64. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Thank you
- 65. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Supplimental slides 65
- 66. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management Improve search efficiency in your dashboards with mulCple background searches ! Run mulTple background searches ê Locate within global space, or within panels ! Post-‐process search binding ! Re-‐use search results to drive visualizaTons, form inputs, and more ! Normalized search syntax ê Replaces current, confusing search syntax ê <searchTemplate>, <searchString>, <searchPostProcess>, <populaTngSearch>, <populaTngSavedSearch> ! Splunk 6.2 is fully backward compaTble 66
- 67. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management -‐ Basics hSp://docs.splunk.com/DocumentaTon/Splunk/6.2/Viz/PanelreferenceforSimplifiedXML#search 67 Basic Search w/ Option to Use Globally <search id=“MyTopSourceptyes”> <query>index=_internal | top sourcetype</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> Search Post Process <search base=“MyTopSourceptyes”> <query>sort +count</query> </search> Reference Report w/ Time Range Override <search ref=“MyReportTopSourceptyes”> <earliest>-60m@m</earliest> <latest>now</latest> </search> Name Type Descrip.on base search aSribute A reference to a base search by a post-‐process search. id search aSribute IdenTfier for a search. A post-‐process search references a base search by this idenTfier. ref search aSribute Reference to a report containing a search. app search aSribute App context. Only needed if there is a report name conflict. query element Search query string. earliest element Earliest Tme latest element Latest Tme
- 68. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! ExisTng 6.1 Scenarios (Using New Search Syntax): ê Inline search that drives a single visualizaTon ê Report-‐based search that drives a single visualizaTon (using report Tme range) ê Report-‐based search that drives a single visualizaTon (using inline Tme range) ê Inline search that populates available choices in a form input ê Report-‐based search that populates available choices in a form input ê Single global search to drive mulTple visualizaTons w/ and w/o post process ! Newly Enabled 6.2 Scenarios: ê MulTple background searches that can be referenced directly for visualizaTons, or post processes ê Binding form input to a global search both directly, and using post process filtering ê Performance opTmizaTons for token subsTtuTon-‐based searches 68
- 69. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! ExisTng 6.1 Scenarios (Using New Search Syntax): ê Inline search that drives a single visualiza.on 69 <dashboard> <label>Search Management</label> <row> <panel> <chart> <title>Top Sourcetypes</title> <search> <query>index=_internal | top sourcetype</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <option name="charting.chart">bar</option> </chart> </panel> </row> </dashboard>
- 70. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! ExisTng 6.1 Scenarios (Using New Search Syntax): ê Inline search that drives a single visualizaTon ê Report-‐based search that drives a single visualiza.on (using report .me range) 70 <dashboard> <label>Search Management</label> <row> <panel> <chart> <title>Top Sourcetypes</title> <search ref=“Top Sourcetypes Report”></search> <option name="charting.chart">bar</option> </chart> </panel> </row> </dashboard>
- 71. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! ExisTng 6.1 Scenarios (Using New Search Syntax): ê Inline search that drives a single visualizaTon ê Report-‐based search that drives a single visualizaTon (using report Tme range) ê Report-‐based search that drives a single visualiza.on (using inline .me range) 71 <dashboard> <label>Search Management</label> <row> <panel> <chart> <title>Top Sourcetypes</title> <search ref=“Top Sourcetypes Report”> <earliest>-60m@m</earliest> <latest>now</latest> </search> <option name="charting.chart">bar</option> </chart> </panel> </row> </dashboard>
- 72. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! ExisTng 6.1 Scenarios (Using New Search Syntax): ê Inline search that drives a single visualizaTon ê Report-‐based search that drives a single visualizaTon (using report Tme range) ê Report-‐based search that drives a single visualizaTon (using inline Tme range) ê Inline search that populates available choices in a form input 72 <form> <label>Search Management</label> <fieldset submitButton="false"> <input type="dropdown" token="s_sourcetype"> <label>Sourcetype</label> <search> <query>index=_internal | top sourcetype</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> </input> </fieldset> ... </form>
- 73. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! ExisTng 6.1 Scenarios (Using New Search Syntax): ê Inline search that drives a single visualizaTon ê Report-‐based search that drives a single visualizaTon (using report Tme range) ê Report-‐based search that drives a single visualizaTon (using inline Tme range) ê Inline search that populates available choices in a form input ê Report-‐based search that populates available choices in a form input 73 <form> <label>Search Management</label> <fieldset submitButton="false"> <input type="dropdown" token="s_sourcetype"> <label>Sourcetype</label> <search ref=“Top Sourcetypes Report”></search> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> </input> </fieldset> ... </form>
- 74. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! ExisTng 6.1 Scenarios (Using New Search Syntax): ê Inline search that drives a single visualizaTon ê Report-‐based search that drives a single visualizaTon (using report Tme range) ê Report-‐based search that drives a single visualizaTon (using inline Tme range) ê Inline search that populates available choices in a form input ê Report-‐based search that populates available choices in a form input ê Single global search to drive mul.ple visualiza.ons w/ and w/o post process 74 <form> <label>Search Management</label> <search id="globalSearch"> <query>index=_internal | top sourcetype</query> <earliest>-60m@m</earliest> <latest></latest> </search> <row> <panel> <chart> <title>My Top Sourcetypes</title> <search base="globalSearch"></search> </chart> <table> <title>My Top Sourcetypes</title> <search base="globalSearch"> <query>sourcetype="splunkd"</query> </search> …
- 75. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! Newly Enabled 6.2 Scenarios: ê Mul.ple background searches that can be referenced directly for visualiza.ons, or post processes 75 <form> <label>Search Management</label> <search id="globalSearch1"> <query>index=_internal | top sourcetype</query> <earliest>-60m@m</earliest> <latest></latest> </search> <row> <panel> <search id="globalSearch2"> <query>index=_internal | top sourcetype</query> <earliest>-60m@m</earliest> <latest></latest> </search> <chart> <title>My Top Sourcetypes</title> <search base="globalSearch1"></search> </chart> <table> <title>My Top Sourcetypes</title> <search base="globalSearch2"> <query>sourcetype="splunkd"</query> </search> </table> </panel> </row> </form>
- 76. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! Newly Enabled 6.2 Scenarios: ê MulTple background searches that can be referenced directly for visualizaTons, or post processes ê Binding form input to a global search both directly, and using post process filtering 76 <form> <label>Search Management</label> <search id=“globalSearch”> <query>index=_internal | top sourcetype</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> <fieldset submitButton="false"> <input type="dropdown" token="s_sourcetype"> <label>Sourcetype</label> <search base=“globalSearch”> <query>sort +sourcetype</query> </search> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> </input> </fieldset> ... </form>
- 77. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management ! Newly Enabled 6.2 Scenarios: ê MulTple background searches that can be referenced directly for visualizaTons, or post processes ê Binding form input to a global search both directly, and using post process filtering ê Performance op.miza.ons for token subs.tu.on-‐based searches 77 <form> <label>Search Management</label> <row> <panel> <search id="globalSearch"> <query>index=_internal | stats count by sourcetype</query> <earliest>-60m@m</earliest> <latest></latest> </search> <input type=“dropdown” token=“s_sourcetype”> <search base=“globalSearch”></search> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> </input> <single> <title>My Top Sourcetypes</title> <search base="globalSearch"> <query>sourcetype=“$s_sourcetype$”</query> </search> </single> </panel> </row> </form>
- 78. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. MulT-‐Search Management – Last Words ! Splunk 6.2 Search Syntax is Fully Backward CompaTble ê You can conTnue to use prior dashboards with old syntax ê Note, we are officially “deprecaTng” old search syntax ! Dashboard Searches are run in “Fast” Mode by Default ê If you want to pass fields down to post process searches, use “| fields” – Use “| fields *” if you don’t know what fields are needed for post process searches 78
- 79. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Form Input MulT-‐token SeSer Integrate more logic into form inputs ! Key use cases: ê SePng tokens for labels ê Simple Tme range pickers ê Complex token sePng w/ search ê HiddenSearchSwapper ! On <change> event – OpTonally use <condiTon> logic – For value or label – Then use standard <set token=“”></set> 79
- 80. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Form Input MulT-‐token SeSer -‐ Example SeDng token to represent the user selected label ! Time Picker SelecTon – show the selected label within panel Ttles, element Ttles, etc 80 <form> <label>Token Management</label> <fieldset submitButton="false"> <input type="time" token="time"> <label></label> <default> <earliest>-60m@m</earliest> <latest>now</latest> </default> <change> <set token="time.label">$label$</set> </change> </input> </fieldset> ... </form>
- 81. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Form Input MulT-‐token SeSer -‐ Example Simple Time Range Picker ! Limited preset values ! Fiscal Quarters/Years 81 <input type="dropdown" token="simple"> <label>Simple Time Picker</label> <choice value="last_24h">Last 24 Hours</choice> <choice value="last_7d">Last 7 days</choice> <choice value="last_30d">Last 30 days</choice> <default>last_24h</default> <change> <condition value="last_24h"> <set token="simple.label">$label$</set> <set token="simple.earliest">-24h</set> <set token="simple.latest">now</set> </condition> <condition value="last_7d"> <set token="simple.label">$label$</set> <set token="simple.earliest">-7d</set> <set token="simple.latest">now</set> </condition> <condition value="last_30d"> <set token="simple.label">$label$</set> <set token="simple.earliest">-30d</set> <set token="simple.latest">now</set> </condition> </change> </input>
- 82. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Form Input MulT-‐token SeSer -‐ Example Hidden Search Swapper ! Based on Tme selected, use a different search string 82 <form> <label>test search swapper</label> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-60m@m</earliest> <latest>now</latest> </default> <change> <condition label="All time"> <set token="new_search">`set_sos_index` sourcetype="ps" $host$ | multikv | `get_splunk_process_type` | eval RSZ_MB=RSZ_KB/1024 | eval VSZ_MB=VSZ_KB/1024 | bin _time span=5s | stats first(pctCPU) AS pctCPU, first(RSZ_MB) AS RSZ_MB, first(VSZ_MB) AS VSZ_MB first(type) AS type by PID _time | stats sum(pctCPU) AS pctCPU, sum(RSZ_MB) AS RSZ_MB, sum(VSZ_MB) AS VSZ_MB by type, _time | bin _time span=10s | sistats avg(pctCPU), median(pctCPU), median(RSZ_MB), median(VSZ_MB) by type, _time</ set> </condition> <condition label="Last 24 hours"> <set token="new_search">index=_internal sourcetype=splunkd | table _time sourcetype message</ set> </condition> <condition value="*"> <set token="new_search">index=_internal sourcetype=splunkd | table _time source sourcetype message</set> </condition> </change> </input> </fieldset> </form>
- 83. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Free-‐form Text Support for Dropdown/MulT-‐select Integrate more logic into form inputs ! Operates similar to text input w/ auto-‐ complete assistance ! Key use cases: ê Best for hostname-‐type inputs ê Inputs where you may want to use * wildcards ! Enable via XML – <allowCustomValues>true</allowCustomValues> – Default is false 83
- 84. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Dashboard Display Controls Enable/disable dashboard chrome and controls ! Enhanced OEM and/or embed capabiliTes ! 2 integraTon points – As hSp get param – As form/dashboard aSribute ! New aSributes/parameters available ê hideSplunkBar -‐ hides just the splunkbar ê hideAppBar -‐ hides just the appbar ê hideFooter -‐ hides just the footer ê hideChrome -‐ shortcut to hide splunkbar, appbar, and footer ê hideTitle -‐ hides Ttle and descripTon ê hideEdit -‐ hides all the dashboard controls 84
- 85. Global Field Enablement -‐ Copyright © 2014 Splunk, Inc. Copyright © 2014 Splunk Inc. Dashboard DeprecaTon List – Old search syntax ê searchString, searchTemplate, searchName, searchPostProcess ê earliestTime, latestTime ê populaTngSearch, populaTngSavedSearch – Row grouping – Viz element “list” 85