SplunkLive! Washington DC May 2013 - Search Language Beginner
  1. Copyright © 2013 Splunk Inc. Search Language - Beginner. Dan Plaza, Senior Instructor
  2. Agenda: Getting Started; Basic Searching; Navigating through Results; Using Fields; Saving Searches; Next Steps
  3. About Your Presenter
     - Senior Instructor
     - Splunker since November 2010
     - Experience in database, security, web apps and compliance standards
     - Constantly amazed by the cool stuff Splunk can do
  4. Getting Started
  5. Launching the Search App
  6. Summary View (screenshot callouts: current view, global stats, menus and action links, time range picker, data sources, search, search box)
  7. Basic Searching
  8. Basic Search: everything is searchable
     - * wildcard supported
     - Search terms are case insensitive
     - Booleans AND, OR, NOT
       - Booleans must be uppercase
       - Implied AND between search terms
       - Use () for complex searches
     - Quote phrases
     Example searches shown on the slide: fail*, fail* nfs, error OR 404, error OR failed OR (sourcetype=access_* (500 OR 503)), "login failure"
  9. Search Results (screenshot callouts: timeline, field sidebar, timestamp, event data, highlighted search terms)
  10. Events
     - Searches return events
     - An event is a single piece of data in Splunk, like a record in a log file or other data input
     - Splunk breaks up data into individual events and gives each a timestamp, host, source and source type
  11. Selecting the Time Range
     - By default, Splunk searches over all time
     - Use the time range picker to narrow your search, or search in real time
  12. Real-time Searching
     - Real-time searching allows you to view events as they stream into Splunk
     - Useful in troubleshooting an active issue or creating critical alerts
  13. Navigating Through Results
  14. Navigating Search Results – Click: click a term in the events to add it to the search
  15. Navigating Results – Alt+Click: alt+click a term in the events to remove events with that term from the results
  16. Navigating Results – Timeline: click a bar in the timeline to drill down to events that occurred in that time period
  17. Navigating Results – Timeline (cont.): these are not functional unless part of the timeline is selected. You can also zoom out to broaden the time range
  18. Indicating a Custom Time Range: select custom time from the time range picker to indicate specific date or relative time ranges
  19. Using Fields
  20. What are Fields?
     - Gives more focus to your searches
     - There are 2 types of fields:
       - Default fields – host, source, sourcetype. These fields exist for every event in Splunk.
       - Data-defined fields – fields specific to a given type of data
  21. Discovering Fields
     - Splunk extracts fields from events, for example, the action field
     - In this set of events, the action field has five values
  22. Use the Field Sidebar (screenshot callouts: remove events from results that don't have the field; create reports; click on a value to add to the search; ALT + click on a value to remove from a search)
  23. Searching with Fields: this search example returns events where:
     - The sourcetype – or type of data – is apache weblogs
     - The action field has a value of purchase
     - The HTTP status returned was NOT 200
     sourcetype=access_* action=purchase status!=200
     72 events where an e-commerce purchase failed because of an HTTP error!
  24. Quick Reporting: click to generate a quick report
  25. Saving Searches
  26. Saving a Search
     1. Click the Save menu
     2. Select Save Search…
     3. Name the search
        - You can also edit the search string and time
        - Optionally, share the search with other users
     Screenshot example search: tag="webfarm"
  27. Running a Saved Search
     - Run saved searches from the Searches and Reports menu
     - Lists all searches you have created or have permission to run
  28. Next Steps
  29. Beyond the Basics
     - Splunk has many powerful features and search commands that allow you to
       - Create alerts
       - Capture and share knowledge
       - Calculate statistics
       - Format and organize values within search results
       - Create compelling data visualizations and reports
       - And more!
     - Learn about these features in Splunk Educational offerings (shameless plug)
  30. Learn More Cool Stuff
  31. Attend a Free Class
  32. Watch a Video
  33. Build Your Own Learning Lab: download the Splunk Enterprise Trial and build your own sandbox
  34. Thank You
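The search rules from the Basic Search slide (case-insensitive terms, * wildcard, uppercase booleans with implied AND, parentheses, quoted phrases) and the field search from the Searching with Fields slide (sourcetype=access_* action=purchase status!=200), worked through as a small Python matcher. This is an added example, not code from the deck or from Splunk: the event dictionaries are constructed, and splitting _raw on word characters is a simplification of Splunk's own tokenisation.

```python
import re
from fnmatch import fnmatchcase
# Constructed sample events (not from the deck), already split into fields the way Splunk shows them.
EVENTS = [
    {"sourcetype": "access_combined", "action": "purchase", "status": "200", "_raw": "GET /cart/purchase 200"},
    {"sourcetype": "access_combined", "action": "purchase", "status": "503", "_raw": "GET /cart/purchase 503"},
    {"sourcetype": "access_combined", "action": "view", "status": "404", "_raw": "GET /product/99 404"},
    {"sourcetype": "secure", "_raw": "sshd[411]: Login FAILURE for user bob"},
    {"sourcetype": "nfs", "_raw": "nfs: mount failed: server not responding"},
]
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')   # quoted phrase, parenthesis, or bare term

def term(tok):
    # One term: field=value, field!=value, "quoted phrase" or bare keyword (case-insensitive, * wildcard).
    m = re.fullmatch(r"(\w+)(!=|=)(.+)", tok)
    if m:
        field, op, pat = m.group(1), m.group(2), m.group(3).lower()
        # field!=value only matches events that have the field with some other value
        return lambda ev: field in ev and fnmatchcase(ev[field].lower(), pat) == (op == "=")
    if tok.startswith('"'):
        return lambda ev, phrase=tok.strip('"').lower(): phrase in ev["_raw"].lower()
    return lambda ev: any(fnmatchcase(w, tok.lower()) for w in re.findall(r"\w+", ev["_raw"].lower()))

def parse_or(toks):          # only uppercase OR/NOT are booleans; OR binds loosest
    left = parse_and(toks)
    while toks and toks[0] == "OR":
        toks.pop(0)
        left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, parse_and(toks))
    return left

def parse_and(toks):         # adjacent terms are an implied AND
    left = parse_not(toks)
    while toks and toks[0] not in ("OR", ")"):
        left = (lambda l, r: lambda ev: l(ev) and r(ev))(left, parse_not(toks))
    return left

def parse_not(toks):         # NOT x, a parenthesised group, or a single term
    tok = toks.pop(0)
    if tok == "NOT":
        inner = parse_not(toks)
        return lambda ev: not inner(ev)
    if tok == "(":
        inner = parse_or(toks)
        toks.pop(0)          # the matching ")"
        return inner
    return term(tok)

def search(query, events=EVENTS):
    toks = [t for t in TOKEN.findall(query) if t != "AND"]   # AND is implied between terms anyway
    pred = parse_or(toks)
    return [ev for ev in events if pred(ev)]
```

Note that status!=200 and NOT status=200 differ: the first requires the status field to be present, the second also returns events that have no status field at all.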