Copyright © 2014 Splunk Inc.

Andrew Duca
Sr. Professional Services Consultant, Splunk

Data On-Boarding
Disclaimer (slide 2)

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
  
About Me (slide 3)

• Senior Professional Services Consultant based in Boston, MA
• 14+ years of world-wide Professional Services Consulting, with the last two at Splunk
• Involved in 20+ deployments from 1GB to 5TB
  
Agenda (slide 4)

• Data
• Splunk Components
• Index Data
• Proper Parsing
• Challenging Data
• Advanced Inputs
  
Are You in The Right Room? (slide 5)

• You have used Splunk at least once, or at least read about it
• You are interested in Splunk best practices
• You like to use Splunk's default parsing rules
• You just took over a Splunk deployment and you're not sure what to do
• This is not an education class; it's best practice
Data (slide 6)

• Machine data is more than just logs - it's configuration data, data from APIs and message queues, change events, the output of diagnostic commands and more
• Log types: Application, Web Access and Proxy, Call Detail Records (CDR), Clickstream, Message Queues, Packet, Database audit and tables, File audit, Syslog, WMI, PerfMon
• Manual: Getting Data In
  http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor

Splunk is the engine for machine data
Splunk Apps (slide 7)

• Look to Splunk Apps first and utilize Technical Add-Ons (TA)
• Applies the Common Information Model (CIM)
• CIM details the standard fields, event type tags, and host tags that Splunk uses when it processes most IT data
• Example TAs: Windows, Unix, Exchange, Active Directory, VMware vCenter, WebSphere
Splunk Distributed Components (slide 8)

• Search Head
• Deployment Server
• Indexer
• Forwarder
Test Environment (slide 9)

• Every Splunk deployment should have a test environment
• It can be a laptop, virtual machine or spare server
• Should have the same version of Splunk running in production
• Accessible to other Splunk developers and administrators
One Shot (slide 10)

• Easiest way to get data into your test environment
• Components of the oneshot:

    ./splunk add oneshot user_conf.txt -index indexname -sourcetype sourcetypename

• Where to find more information:
  http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI
Data - Broken (slide 11)
Props (slides 12-18)

• Always set these six parameters (slides 12-18 repeat the same stanza, each calling out one parameter; the callouts are collected below the stanza)

    # USER CONFERENCE
    [user_conf_2014]
    TIME_PREFIX = ^
    TIME_FORMAT = %Y-%m-%d %H:%M:%S
    MAX_TIMESTAMP_LOOKAHEAD = 19
    SHOULD_LINEMERGE = False
    LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
    TRUNCATE = 10000

• TIME_PREFIX: defaults to empty
• TIME_FORMAT: strptime style format
• MAX_TIMESTAMP_LOOKAHEAD: by default 150 characters
• SHOULD_LINEMERGE: by default set to True
• LINE_BREAKER: by default set to ([\r\n]+); change to positive lookahead
• TRUNCATE: by default set to 10000 bytes; set to 0 to never truncate
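As an added illustration of what these six parameters do (example code written for this page, not from the deck or from Splunk), the following Python emulates the three stages the stanza controls on a small constructed log: breaking the stream at the first capture group of LINE_BREAKER, applying TRUNCATE, and parsing TIME_FORMAT out of the MAX_TIMESTAMP_LOOKAHEAD window that follows TIME_PREFIX. With the deck's stanza the continuation line stays with its event; with the default ([\r\n]+) breaker it becomes a separate, timestamp-less event. The sample lines and function names are this example's own, and Splunk's prefix matching of TIME_FORMAT is emulated with a shrinking strptime window.

```python
import re
from datetime import datetime

# Constructed sample input (not from the deck): three events in the
# "%Y-%m-%d %H:%M:%S" layout the stanza targets. The second event carries a
# continuation line, which is exactly the case a bare newline breaker splits.
RAW = (
    '2014-09-12 09:01:00 INFO  title="User Conference" msg="session started"\n'
    '2014-09-12 09:01:05 ERROR title="User Conference" msg="lookup failed"\n'
    "    at com.example.Lookup.run(Lookup.java:42)\n"
    '2014-09-12 09:01:07 DEBUG title="User Conference" msg="retrying"\n'
)

# The six parameters from the deck, as a dict so individual ones can be varied.
PROPS = {
    "TIME_PREFIX": r"^",
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",
    "MAX_TIMESTAMP_LOOKAHEAD": 19,
    "SHOULD_LINEMERGE": False,
    "LINE_BREAKER": r"([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}",
    "TRUNCATE": 10000,
}


def break_events(raw, line_breaker):
    """Split raw text the way LINE_BREAKER does: the text inside the first
    capture group is the delimiter and is discarded; whatever the rest of the
    regex matches (here the next timestamp) stays with the following event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def extract_time(event, props):
    """Locate TIME_PREFIX, then parse TIME_FORMAT from the next
    MAX_TIMESTAMP_LOOKAHEAD characters. Splunk matches the format against the
    start of that window; the shrinking loop emulates that with strptime,
    which otherwise insists on consuming the whole string."""
    prefix = re.search(props["TIME_PREFIX"], event)
    if prefix is None:
        return None
    window = event[prefix.end(): prefix.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], props["TIME_FORMAT"])
        except ValueError:
            continue
    return None  # no timestamp in the window (Splunk would fall back)


def parse_events(raw, props):
    """Emulate the pipeline for these props: break, truncate, timestamp.
    SHOULD_LINEMERGE = False means the LINE_BREAKER result is final, which is
    the only path this emulation implements."""
    out = []
    for event in break_events(raw, props["LINE_BREAKER"]):
        limit = props["TRUNCATE"]
        if limit and len(event) > limit:  # TRUNCATE = 0 means never truncate
            event = event[:limit]
        out.append({"_raw": event, "_time": extract_time(event, props)})
    return out


if __name__ == "__main__":
    for ev in parse_events(RAW, PROPS):
        print(ev["_time"], "|", ev["_raw"].replace("\n", "\\n"))
```

Swap LINE_BREAKER for the default value to see the stack-trace line come out as its own event with no parseable timestamp, and raise MAX_TIMESTAMP_LOOKAHEAD to 150 to watch the shrinking loop do fifty failed parses before it lands on the 19-character window the stanza sets directly.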
  
Data - Fixed (slide 19)
6.2 Splunk Web Data On-Boarding (slide 20)
Why to Use Splunk Web to On-board? (slide 21)

Quick and easy way to…

• Easily visualize the data into events rather than lines of text
• Quickly get the data properly broken into events
• Accurately get the time stamp extracted

All in a wicked cool GUI

Once everything is good you take your PROPS settings and deploy
Splunk Web Data On-Boarding (slides 22-26)

• Locate the source file on the Splunk Server's file system
• Validate event breaking and timestamp recognition
• Resolve event breaking
• Set timestamp format even if Splunk figures it out automatically
• Copy the props.conf settings and deploy in a custom app
Challenging Data (slide 27)
Limit Indexed Data (slides 28-30)

• Anonymize data:

    [source::.../accounts.log]
    SEDCMD-accounts = s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g s/cc=(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/g

• Rewrite raw data:

    [source::.../sql.log]
    SEDCMD-sqllog = s/(.*?)Command:EXECUTE[.\d\D\w\W]*/\1/g

• Discard events:

    props:
    [source::/var/log/user_conf.txt]
    TRANSFORMS-null = setnull

    transforms:
    [setnull]
    REGEX    = (?i)DEBUG
    DEST_KEY = queue
    FORMAT   = nullQueue
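Added example (not the deck's code): a small Python emulation of the two mechanisms above, so that masking and discard rules can be checked against sample events before they are pushed to an indexer. parse_sedcmd turns a SEDCMD value into re.sub rules (the s/// syntax with the g and i flags), and index_pipeline applies the masking first and then the [setnull] nullQueue filter, returning only what would reach the index. The deck's SEDCMD values are used as written above; the SSN and card numbers in SAMPLE are constructed, and the function names are this example's own.

```python
import re

# The deck's two SEDCMD values and the nullQueue regex.
SEDCMD_ACCOUNTS = (r"s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g "
                   r"s/cc=(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/g")
SEDCMD_SQLLOG = r"s/(.*?)Command:EXECUTE[.\d\D\w\W]*/\1/g"
NULLQUEUE_REGEX = r"(?i)DEBUG"

# One sed "s" expression: s/<regex>/<replacement>/<flags>. A literal slash
# inside either part has to be escaped as "\/".
_SED_EXPR = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([gi]*)")


def parse_sedcmd(value):
    """Turn a SEDCMD value (one or more space-separated s/// expressions)
    into (compiled regex, replacement, count) tuples usable with re.sub."""
    rules = []
    for pat, rep, flags in _SED_EXPR.findall(value):
        flag_bits = re.IGNORECASE if "i" in flags else 0
        count = 0 if "g" in flags else 1  # g = replace every match
        rules.append((re.compile(pat.replace(r"\/", "/"), flag_bits),
                      rep.replace(r"\/", "/"), count))
    return rules


def apply_sedcmd(value, event):
    """Apply every expression of a SEDCMD value to the event, in order."""
    for regex, rep, count in parse_sedcmd(value):
        event = regex.sub(rep, event, count=count)
    return event


def should_discard(event, regex=NULLQUEUE_REGEX):
    """transforms.conf [setnull]: REGEX matched => DEST_KEY queue = nullQueue."""
    return re.search(regex, event) is not None


def index_pipeline(events, sedcmd, null_regex=NULLQUEUE_REGEX):
    """Mask with SEDCMD, then drop null-queued events; return what is indexed.
    Masking runs first, so a discarded DEBUG line never leaves the pipeline
    unmasked either."""
    kept = []
    for ev in events:
        masked = apply_sedcmd(sedcmd, ev)
        if not should_discard(masked, null_regex):
            kept.append(masked)
    return kept


# Constructed sample events; the identifiers are made up for the example.
SAMPLE = [
    "2014-09-12 09:01:00 INFO  user=alice ssn=123456789 cc=4111-1111-1111-1111",
    "2014-09-12 09:01:01 DEBUG user=bob   ssn=987654321 cc=5500-0000-0000-0004",
    "2014-09-12 09:01:02 ERROR user=carol ssn=555443333 cc=3400-0000-0000-0009",
]

if __name__ == "__main__":
    for line in index_pipeline(SAMPLE, SEDCMD_ACCOUNTS):
        print(line)
```

A useful habit when writing these rules is to run the masked output back through a search for the raw pattern (for example \d{9} for an unmasked SSN); a regex that is too tight, such as one that expects exactly four trailing digits in a card number, lets the original value through silently, and this harness makes that visible before the data is indexed.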
  
Limit Indexed Data (slide 31)

6.X or later Windows forwarders

• Whitelist events or blacklist specific events
• Inputs.conf configuration
Index Extractions (slide 32)

• Provides reliable and consistent indexing of data with headers.
• Address issue on forwarder:

    INDEX_EXTRACTIONS = {CSV | W3C | TSV | PSV | JSON}

• Supports custom header parsing and easy mode for common formats.
• Extract IIS fields using props.conf on Windows forwarder:

    [iis]
    INDEX_EXTRACTIONS = w3c
Multiple Timestamps (slide 33)

datetime.xml

    <datetime>
      <define name="two_tz" extract="day, litmonth, year, hour, minute, second, zone">
        <text><![CDATA[^(\d+)-(\w+)-(\d+),(\d+):(\d+):(\d+),(?:[^,]*,){2}([\w-]*)]]></text>
      </define>
      <timePatterns>
        <use name="two_tz"/>
      </timePatterns>
      <datePatterns>
        <use name="two_tz"/>
      </datePatterns>
    </datetime>

props.conf

    # USER CONF
    [user_conf]
    DATETIME_CONFIG = /etc/apps/splk_ps_user_conf_props/local/datetime.xml

* Do not set TIME_FORMAT

Sample events:

    12-Sep-2014,09:01:00,12-Sep-2014,09:02:00,-4 INFO  title="User Conference" msg="Splunk hosted user conference in Las Vegas."
    12-Sep-2014,19:01:00,12-Sep-2014,19:02:00,-5 DEBUG title="User Conference" msg="Getting Data In, Correctly is a solid session."
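Added example, not part of the deck: the two_tz regex from the datetime.xml above applied in Python to the two sample events, to show which capture group lands in which extract= name and why the pattern skips two comma-separated fields (the second timestamp) before taking the zone. Treating the trailing field as a whole-hour UTC offset is an assumption made here for the sample data, not a description of how Splunk's zone extraction interprets it; the function and variable names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# The <text> regex of the deck's two_tz definition; group order follows
# the extract="..." attribute.
TWO_TZ = re.compile(r"^(\d+)-(\w+)-(\d+),(\d+):(\d+):(\d+),(?:[^,]*,){2}([\w-]*)")
EXTRACT = ("day", "litmonth", "year", "hour", "minute", "second", "zone")
MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}

# The two sample events from the deck (message text shortened).
SAMPLE = [
    '12-Sep-2014,09:01:00,12-Sep-2014,09:02:00,-4 INFO  title="User Conference"',
    '12-Sep-2014,19:01:00,12-Sep-2014,19:02:00,-5 DEBUG title="User Conference"',
]


def extract_fields(event):
    """Return the captured groups keyed by their extract= names, or None when
    the pattern does not match (Splunk would then fall back to other rules)."""
    m = TWO_TZ.match(event)
    return dict(zip(EXTRACT, m.groups())) if m else None


def event_time(event):
    """Build an aware datetime from the extracted fields. Assumption for this
    example only: the trailing field is a whole-hour UTC offset ("-4" => UTC-4).
    An empty zone yields a naive datetime rather than a guessed offset."""
    f = extract_fields(event)
    if f is None:
        return None
    month = MONTHS.get(f["litmonth"].capitalize())
    if month is None:
        return None
    tz = timezone(timedelta(hours=int(f["zone"]))) if f["zone"] else None
    return datetime(int(f["year"]), month, int(f["day"]),
                    int(f["hour"]), int(f["minute"]), int(f["second"]), tzinfo=tz)


def event_time_utc(event):
    """The same instant normalised to UTC, which is what _time stores."""
    t = event_time(event)
    return t.astimezone(timezone.utc) if t is not None and t.tzinfo else t


if __name__ == "__main__":
    for ev in SAMPLE:
        print(extract_fields(ev)["zone"], event_time(ev), event_time_utc(ev))
```

The second sample event is the one worth looking at: 19:01 at UTC-5 is already 00:01 on the 13th in UTC, so an extraction that picked up the first timestamp but not the zone would file the event on the wrong day.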
  
Database Connect (slides 34-35)

• Allows for indexing data from database sources directly
• Allows for adding meta data to events from database sources using lookups

Caveats

• Java required on Splunk server
• Search head pooling requires custom configuration to share the DB connection passwords. Not meant for data input sources
Database Connect Best Practices (slide 36)

• Normalize timestamps natively inside the SQL query
• Filter results down in SQL query to reduce garbage in Splunk index
• Repeated DBLookups should be converted to static lookup
• Search head pooling requires encrypted password replication
Modular and Scripted Inputs (slides 37-38)

Benefits

• Almost any program that can output text can be used to index
• Modular inputs allow for configuration files and configuration settings inside Splunk

Differences

• Scripted inputs require configuration to be done in the script
• Modular inputs can be configured via deployed .conf files and accessed via REST API
• Scripted inputs are specific to the OS they are deployed on, whereas modular inputs can support multiple

Examples

vmstat, iostat, Checkpoint Opsec, Twitter, Stream, Amazon S3 online storage and more…
Scripted Inputs Example (slides 39-40)

• Shell script saved in /opt/splunk/bin/scripts/ OR in a specific app
• Allows you to execute any program on Splunk forwarder and index STDOUT data.
• Utilizing key value pairs makes for easier searching.

Sample output from custom script /Applications/Splunk/bin/scripts/FantasyFootball.sh

Shell script calls local system binary programs and can provide configuration options.

Use inputs.conf to define INDEX, SOURCETYPE, and INTERVAL for the scripted input
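Added example of the same idea in Python rather than shell (this is not the deck's FantasyFootball.sh, whose output is not reproduced on the page): a scripted input that reports disk usage per mount point as key=value pairs on STDOUT for the forwarder to index. The quoting in kv_line is the detail that makes the "key value pairs" advice hold up when a value contains spaces, quotes or an equals sign. The script name, the inputs.conf stanza in the comment and the field names are assumptions for the example.

```python
#!/usr/bin/env python3
# Scripted input example: one key=value event per mount point on STDOUT.
# Hypothetical inputs.conf stanza that would run it every 60 seconds
# (stanza path, sourcetype and index are assumptions):
#
#   [script://$SPLUNK_HOME/bin/scripts/disk_usage.py]
#   interval   = 60
#   sourcetype = disk_usage
#   index      = os
import os
import sys
from datetime import datetime, timezone


def kv_line(fields):
    """Render fields as key=value pairs. A value containing whitespace, a
    quote or '=' is double-quoted with inner quotes and backslashes escaped,
    so automatic KV extraction at search time reads it back as one value."""
    parts = []
    for key, value in fields.items():
        value = str(value)
        if any(c in value for c in ' \t"='):
            value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        parts.append(f"{key}={value}")
    return " ".join(parts)


def disk_usage(path):
    """Usage for one mount point via statvfs. Returns None when the path is
    not readable so one bad mount does not abort the whole run."""
    try:
        st = os.statvfs(path)
    except OSError:
        return None
    total = st.f_blocks * st.f_frsize
    free = st.f_bavail * st.f_frsize  # space available to unprivileged users
    used_pct = round(100.0 * (total - free) / total, 1) if total else 0.0
    return {
        # Leading ISO timestamp: cheap for Splunk to recognise, and it sorts.
        "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "mount": path,
        "total_bytes": total,
        "free_bytes": free,
        "used_pct": used_pct,
    }


def collect(paths):
    """Collect usage for every readable path in the list."""
    return [d for d in (disk_usage(p) for p in paths) if d is not None]


if __name__ == "__main__":
    # Mount points come from the command line (inputs.conf can pass them as
    # arguments); default to the root file system.
    for event in collect(sys.argv[1:] or ["/"]):
        print(kv_line(event))
```

Because the event is emitted as key=value text, the index, sourcetype and interval stay in inputs.conf exactly as the slide says, and nothing in the script itself needs to change when the input is moved to a different forwarder.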
  
Production Deployment (slide 41)

Production Environment (slide 42)

• Complexity managing configurations across tens, hundreds, or thousands of forwarders
• Not all indexers and search heads receive the same configurations
• Should think about version control for deployment apps, e.g., GitHub

SHP
Deployment Server Terminology (slide 43)

• Deployment Server - A Splunk instance that acts as a centralized configuration manager, grouping together and collectively managing any number of Splunk instances. Any Splunk instance can act as a deployment server, even one that is indexing data locally. Splunk instances that are remotely configured by deployment servers are called deployment clients.
• Deployment Client - A Splunk instance that is remotely configured by a deployment server.
• Server Class - Represents a configuration of Splunk deployment clients. Server classes enable the management of a group of deployment clients as a single unit. A server class can be used to group deployment clients together by application, OS, data type to be indexed, or any other feature of your Splunk deployment.
Deployment App (slide 44)

• A deployment app (configuration bundle) is a set of deployment content (including configuration files) deployed as a unit to clients of a server class
• Located in $SPLUNK_HOME/etc/deployment-apps and pushed to deployment client's $SPLUNK_HOME/etc/apps folder
• DO NOT store configurations in $SPLUNK_HOME/etc/system/local
• Use deployment apps regardless of your deployment tool
Deployment App - Naming Convention (slides 45-50)

The slides fill in one column at a time; the columns read left to right form the app name:

    org    group      application   configuration
    acme   finance    apache        inputs
    acme   marketing  iis           props
    splk   all        indexer       base
    splk   ps         user_conf     inputs

Resulting app name: splk_ps_user_conf_inputs
Deployment Apps (slide 51)

    mba13:apps $ ls -la

• SplunkForwarder
• SplunkLightForwarder
• Splunk_for_ActiveDirectory
• Splunk_for_Exchange
• splk_all_deploymentclient
• splk_all_forwarder_outputs
• splk_all_indexer_base
• splk_all_search_base
• splk_ps_user_conf_inputs
• splk_ps_user_conf_props
• splk_ps_user_conf_web
• splunk_app_was
• user-prefs
Collecting Syslog (slide 52)

• Send device logs, e.g., routers, firewalls, to a syslog collector
• Write files to this directory structure: /sourcetype/host/log.txt
• Monitor the sourcetype level

Directory tree on the collector: cisco_asa / my.firewall.name

    # CISCO ASA
    [monitor:///data/cisco_asa/.../]
    sourcetype = cisco_asa
    host_segment = 3
    index = firewall
Summary (slide 53)

• Test in a non-production environment
• Always use key props parameters:
  – TIME_PREFIX
  – TIME_FORMAT
  – MAX_TIMESTAMP_LOOKAHEAD
  – SHOULD_LINEMERGE
  – LINE_BREAKER
  – TRUNCATE
• Deploy apps to /etc/apps; not /etc/system/local
• Clear predictable naming convention
• When you're stuck, use Answers and re-use apps from Apps.Splunk.com
Resources (slide 54)

• Get educated: http://www.splunk.com/view/education/SP-CAAAAH9
• Download Splunk applications: http://apps.splunk.com/
• Hire Splunk Professional Services: http://www.splunk.com/view/professional-services/SP-CAAABH9
• Watch some videos: http://www.splunk.com/videos

THANK YOU

.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Splunk conf2014 - Onboarding Data Into Splunk

  • 1. Copyright © 2014 Splunk Inc. Andrew Duca, Sr. Professional Services Consultant, Splunk. Data On-Boarding
  • 3. About Me
    - Senior Professional Services Consultant based in Boston, MA
    - 14+ years of world-wide Professional Services consulting, with the last two at Splunk
    - Involved in 20+ deployments from 1GB to 5TB
  • 4. Agenda
    - Data
    - Splunk Components
    - Index Data
    - Proper Parsing
    - Challenging Data
    - Advanced Inputs
  • 5. Are You in The Right Room?
    - You have used Splunk at least once, or at least read about it
    - You are interested in Splunk best practices
    - You like to use Splunk's default parsing rules
    - You just took over a Splunk deployment and you're not sure what to do
    - This is not an education class; it's best practice
  • 6. Data
    - Machine data is more than just logs - it's configuration data, data from APIs and message queues, change events, the output of diagnostic commands and more
    - Log types: Application, Web Access and Proxy, Call Detail Records (CDR), Clickstream, Message Queues, Packet, Database audit and tables, File audit, Syslog, WMI, PerfMon
    - Manual: Getting Data In, http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
    Splunk is the engine for machine data
  • 7. Splunk Apps
    - Look to Splunk Apps first and utilize the Technical Add-On (TA)
    - Applies the Common Information Model (CIM)
    - CIM details the standard fields, event type tags, and host tags that Splunk uses when it processes most IT data
    - Example TAs: Windows, Unix, Exchange, Active Directory, VMware vCenter, WebSphere
  • 8. Splunk Distributed Components
    [Diagram: Search Head, Deployment Server, Indexer, Forwarder]
  • 9. Test Environment
    - Every Splunk deployment should have a test environment
    - It can be a laptop, virtual machine or spare server
    - Should have the same version of Splunk running in production
    - Accessible to other Splunk developers and administrators
  • 10. One Shot
    - Easiest way to get data into your test environment
    - Components of the oneshot:

        ./splunk add oneshot user_conf.txt -index indexname -sourcetype sourcetypename

    - Where to find more information: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI
  • 12. Props
    - Always set these six parameters:

        # USER CONFERENCE
        [user_conf_2014]
        TIME_PREFIX = ^
        TIME_FORMAT = %Y-%m-%d %H:%M:%S
        MAX_TIMESTAMP_LOOKAHEAD = 19
        SHOULD_LINEMERGE = False
        LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
        TRUNCATE = 10000

  • 13. Props (same stanza, TIME_PREFIX highlighted)
    - TIME_PREFIX: defaults to empty
  • 14. Props (same stanza, TIME_FORMAT highlighted)
    - TIME_FORMAT: strptime-style format
  • 15. Props (same stanza, MAX_TIMESTAMP_LOOKAHEAD highlighted)
    - By default MAX_TIMESTAMP_LOOKAHEAD = 150 characters
  • 16. Props (same stanza, SHOULD_LINEMERGE highlighted)
    - SHOULD_LINEMERGE: by default set to True
  • 17. Props (same stanza, LINE_BREAKER highlighted)
    - LINE_BREAKER: by default set to ([\r\n]+); change it to a pattern that also looks ahead for the start of the next event (here, the timestamp)
  • 18. Props (same stanza, TRUNCATE highlighted)
    - TRUNCATE: by default set to 10000 bytes; set to 0 to never truncate
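A Python simulation added here (not Splunk's own parser) of how the six props settings above act on raw text: LINE_BREAKER decides where events end, TIME_PREFIX/TIME_FORMAT read the timestamp inside the MAX_TIMESTAMP_LOOKAHEAD window, and TRUNCATE caps the size. The multi-line sample log is constructed.

```python
"""Simulate the effect of the [user_conf_2014] props settings on raw text.
Added illustration only: Splunk's real pipeline is more involved, but the
LINE_BREAKER / TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD / TRUNCATE
semantics shown here are the ones the slides describe."""
import re
from datetime import datetime

# Values copied from the [user_conf_2014] stanza on the slides.
PROPS = {
    "TIME_PREFIX": r"^",
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",
    "MAX_TIMESTAMP_LOOKAHEAD": 19,
    "SHOULD_LINEMERGE": False,
    "LINE_BREAKER": r"([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}",
    "TRUNCATE": 10000,
}


def break_events(raw, line_breaker):
    """Split raw text the way LINE_BREAKER does: the previous event ends where
    the first capture group starts, the next event starts where it ends, and
    the group's contents (the newline) are discarded.  The timestamp matched
    after the group is not consumed, so it stays at the front of its event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def extract_time(event, time_prefix, time_format, lookahead):
    """Locate TIME_PREFIX, then hand the next `lookahead` characters to
    TIME_FORMAT.  Returns None when nothing parses; a lookahead shorter than
    the timestamp (e.g. 10 for this format) is one way that happens."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    try:
        return datetime.strptime(window, time_format)
    except ValueError:
        return None


def truncate(event, limit):
    """TRUNCATE = 0 means never truncate; otherwise keep at most `limit` bytes."""
    if limit == 0:
        return event
    return event.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def onboard(raw, props=PROPS):
    """Return (timestamp, event_text) pairs, as the indexer would see them."""
    out = []
    for ev in break_events(raw, props["LINE_BREAKER"]):
        ev = truncate(ev, props["TRUNCATE"])
        ts = extract_time(ev, props["TIME_PREFIX"], props["TIME_FORMAT"],
                          props["MAX_TIMESTAMP_LOOKAHEAD"])
        out.append((ts, ev))
    return out


# Constructed sample log: three events; the second one carries a stack trace
# whose inner newlines must NOT start a new event.
SAMPLE = (
    '2014-09-12 09:01:00 INFO  title="User Conference" msg="session start"\n'
    '2014-09-12 09:01:05 ERROR title="User Conference" msg="lookup failed"\n'
    "    at com.example.Lookup.run(Lookup.java:42)\n"
    "    at com.example.Main.main(Main.java:7)\n"
    '2014-09-12 09:02:00 DEBUG title="User Conference" msg="session end"\n'
)

if __name__ == "__main__":
    for ts, ev in onboard(SAMPLE):
        print(ts.isoformat() if ts else "NO TIMESTAMP", "|", ev.splitlines()[0])
```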
  • 20. 6.2 Splunk Web Data On-Boarding
  • 21. Why Use Splunk Web to On-board?
    Quick and easy way to...
    - Easily visualize the data as events rather than lines of text
    - Quickly get the data properly broken into events
    - Accurately get the timestamp extracted
    All in a wicked cool GUI. Once everything is good you take your props settings and deploy.
  • 22. Splunk Web Data On-Boarding
    - Locate the source file on the Splunk server's file system
  • 23. Splunk Web Data On-Boarding
    - Validate event breaking and timestamp recognition
  • 24. Splunk Web Data On-Boarding
    - Resolve event breaking
  • 25. Splunk Web Data On-Boarding
    - Set the timestamp format even if Splunk figures it out automatically
  • 26. Splunk Web Data On-Boarding
    - Copy the props.conf settings and deploy them in a custom app
  • 28. Limit Indexed Data
    - Anonymize data:

        [source::.../accounts.log]
        SEDCMD-accounts = s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g s/cc=(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/g

    - Rewrite raw data:

        [source::.../sql.log]
        SEDCMD-sqllog = s/(.*?)Command:EXECUTE[.\d\D\w\W]*/\1/g

    - Discard events:

        props.conf
        [source::/var/log/user_conf.txt]
        TRANSFORMS-null = setnull

        transforms.conf
        [setnull]
        REGEX    = (?i)DEBUG
        DEST_KEY = queue
        FORMAT   = nullQueue

  • 29. Limit Indexed Data (same settings, "Rewrite raw data" highlighted)
  • 30. Limit Indexed Data (same settings, "Discard events" highlighted)
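Added Python illustration (not Splunk code) of what the three rules above do to constructed accounts.log and sql.log lines: the SEDCMD masks leave only the last four digits of SSN and card numbers, the sql.log rewrite strips everything from "Command:EXECUTE" onward, and the setnull transform sends DEBUG events to the nullQueue. The SEDCMD parser is a simplified reading of the sed-style syntax shown on the slide.

```python
"""Apply the slide's SEDCMD masks and nullQueue filter to sample lines.
Added illustration only; the sed parsing here is a simplified stand-in for
Splunk's SEDCMD handling, sufficient for the expressions on the slide."""
import re

# Values copied from the slide (backslashes restored).
SEDCMD_ACCOUNTS = (r"s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g "
                   r"s/cc=(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/g")
SEDCMD_SQLLOG = r"s/(.*?)Command:EXECUTE[.\d\D\w\W]*/\1/g"
NULLQUEUE_REGEX = re.compile(r"(?i)DEBUG")   # [setnull] REGEX


def parse_sedcmd(sedcmd):
    """Parse one or more 's/regex/replacement/flags' expressions separated by
    whitespace.  Returns (compiled regex, replacement, max substitutions)."""
    rules = []
    for expr in re.finditer(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)", sedcmd):
        pattern, repl, flags = expr.groups()
        # sed and Python both write back-references as \1, so repl is reused as-is.
        rules.append((re.compile(pattern), repl, 0 if "g" in flags else 1))
    return rules


def apply_sedcmd(line, sedcmd):
    """Run each SEDCMD expression over the line, in order."""
    for rx, repl, count in parse_sedcmd(sedcmd):
        line = rx.sub(repl, line, count=count)
    return line


def route(line, null_regex=NULLQUEUE_REGEX):
    """TRANSFORMS with DEST_KEY=queue / FORMAT=nullQueue: a matching event is
    dropped before indexing; everything else goes to the indexQueue."""
    return "nullQueue" if null_regex.search(line) else "indexQueue"


def index_accounts(lines):
    """Pipeline for .../accounts.log: mask first, then route.  Returns the
    lines that would actually be written to the index."""
    kept = []
    for line in lines:
        masked = apply_sedcmd(line, SEDCMD_ACCOUNTS)
        if route(masked) == "indexQueue":
            kept.append(masked)
    return kept


# Constructed sample accounts.log lines (fake SSN and card numbers).
ACCOUNTS_LOG = [
    "2014-09-12 09:01:00 INFO  user=alice ssn=123456789 cc=4111-1111-1111-1111 action=login",
    "2014-09-12 09:01:01 DEBUG user=alice ssn=123456789 cc=4111-1111-1111-1111 trace=on",
    "2014-09-12 09:01:02 WARN  user=bob ssn=987654321 action=failed_login",
]
# Constructed sample sql.log line.
SQL_LINE = "2014-09-12 09:01:00 Command:EXECUTE sp_get_user @id=42"

if __name__ == "__main__":
    for kept in index_accounts(ACCOUNTS_LOG):
        print(kept)
    print(repr(apply_sedcmd(SQL_LINE, SEDCMD_SQLLOG)))
```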
  • 31. Limit Indexed Data
    6.X or later Windows forwarders
    - Whitelist events or blacklist specific events
    - inputs.conf configuration
  • 32. Index Extractions
    - Provides reliable and consistent indexing of data with headers
    - Address the issue on the forwarder:

        INDEX_EXTRACTIONS = {CSV | W3C | TSV | PSV | JSON}

    - Supports custom header parsing and an easy mode for common formats
    - Extract IIS fields using props.conf on the Windows forwarder:

        [iis]
        INDEX_EXTRACTIONS = w3c
  • 33. Multiple Timestamps

    datetime.xml

        <datetime>
          <define name="two_tz" extract="day, litmonth, year, hour, minute, second, zone">
            <text><![CDATA[^(\d+)-(\w+)-(\d+),(\d+):(\d+):(\d+),(?:[^,]*,){2}([\w-]*)]]></text>
          </define>
          <timePatterns>
            <use name="two_tz"/>
          </timePatterns>
          <datePatterns>
            <use name="two_tz"/>
          </datePatterns>
        </datetime>

    props.conf

        # USER CONF
        [user_conf]
        DATETIME_CONFIG = /etc/apps/splk_ps_user_conf_props/local/datetime.xml

    * Do not set TIME_FORMAT

    Sample events (two timestamps per event; the zone is the fifth comma-separated field):

        12-Sep-2014,09:01:00,12-Sep-2014,09:02:00,-4 INFO  title="User Conference" msg="Splunk hosted user conference in Las Vegas."
        12-Sep-2014,19:01:00,12-Sep-2014,19:02:00,-5 DEBUG title="User Conference" msg="Getting Data In, Correctly is a solid session."
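Added Python illustration (not Splunk's datetime.xml engine) that applies the two_tz regex from the slide to the two sample events above: it picks the first timestamp, ignores the second one, and turns the trailing zone field into a UTC offset. Treating an empty zone field as UTC is an assumption of this example.

```python
"""Apply the two_tz pattern from datetime.xml to the slide's sample events.
Added illustration only; Splunk's datetime.xml processor is not reproduced."""
import re
from datetime import datetime, timedelta, timezone

# Regex copied from the <text> element of the two_tz definition; the groups
# are, in order: day, litmonth, year, hour, minute, second, zone.
TWO_TZ = re.compile(r"^(\d+)-(\w+)-(\d+),(\d+):(\d+):(\d+),(?:[^,]*,){2}([\w-]*)")
MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def extract_two_tz(event):
    """Return the event time as an aware datetime, or None when the pattern
    does not match or a field is unusable.  The zone group is an hour offset
    such as '-4' or '+5'; an empty zone is taken as UTC (assumption)."""
    m = TWO_TZ.match(event)
    if not m:
        return None
    day, litmonth, year, hh, mm, ss, zone = m.groups()
    month = MONTHS.get(litmonth[:3].title())
    if month is None:
        return None
    try:
        offset_hours = int(zone) if zone else 0
        tz = timezone(timedelta(hours=offset_hours))
        return datetime(int(year), month, int(day),
                        int(hh), int(mm), int(ss), tzinfo=tz)
    except ValueError:
        return None


def to_utc(event):
    """Normalized _time as an ISO-8601 UTC string, or None."""
    ts = extract_two_tz(event)
    return ts.astimezone(timezone.utc).isoformat() if ts else None


# The two sample events from the slide.
SAMPLE_EVENTS = [
    '12-Sep-2014,09:01:00,12-Sep-2014,09:02:00,-4 INFO  title="User Conference" '
    'msg="Splunk hosted user conference in Las Vegas."',
    '12-Sep-2014,19:01:00,12-Sep-2014,19:02:00,-5 DEBUG title="User Conference" '
    'msg="Getting Data In, Correctly is a solid session."',
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(to_utc(ev), "<-", ev[:44])
```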
  • 35. Database Connect
    - Allows for indexing data from database sources directly
    - Allows for adding metadata to events from database sources using lookups
    Caveats
    - Java required on the Splunk server
    - Search head pooling requires custom configuration to share the DB connection passwords. Not meant for data input sources
  • 36. Database Connect Best Practices
    - Normalize timestamps natively inside the SQL query
    - Filter results down in the SQL query to reduce garbage in the Splunk index
    - Repeated DB lookups should be converted to a static lookup
    - Search head pooling requires encrypted password replication
  • 37. Modular and Scripted Inputs
  • 38. Modular and Scripted Inputs
    Benefits
    - Almost any program that can output text can be used as an input to index
    - Modular inputs allow for configuration files and configuration settings inside Splunk
    Differences
    - Scripted inputs require configuration to be done in the script
    - Modular inputs can be configured via deployed .conf files and accessed via the REST API
    - Scripted inputs are specific to the OS they are deployed on, whereas modular inputs can support multiple
    Examples
    vmstat, iostat, Checkpoint OPSEC, Twitter, Stream, Amazon S3 online storage and more...
  • 39. Scripted Inputs Example
    - Shell script saved in /opt/splunk/bin/scripts/ OR in a specific app
    - Allows you to execute any program on the Splunk forwarder and index its STDOUT data
    - Utilizing key-value pairs makes for easier searching
    [Screenshot: sample output from custom script /Applications/Splunk/bin/scripts/FantasyFootball.sh]
  • 40. Scripted Inputs Example
    Shell script calls local system binary programs and can provide configuration options.
    Use inputs.conf to define INDEX, SOURCETYPE, and INTERVAL for the scripted input.
  • 42. Production Environment
    - Complexity managing configurations across tens, hundreds, or thousands of forwarders
    - Not all indexers and search heads receive the same configurations
    - Should think about version control for deployment apps, e.g., GitHub
    [Diagram label: SHP]
  • 43. Deployment Server Terminology
    - Deployment Server - A Splunk instance that acts as a centralized configuration manager, grouping together and collectively managing any number of Splunk instances. Any Splunk instance can act as a deployment server, even one that is indexing data locally. Splunk instances that are remotely configured by deployment servers are called deployment clients.
    - Deployment Client - A Splunk instance that is remotely configured by a deployment server.
    - Server Class - Represents a configuration of Splunk deployment clients. Server classes enable the management of a group of deployment clients as a single unit. A server class can be used to group deployment clients together by application, OS, data type to be indexed, or any other feature of your Splunk deployment.
  • 44. Deployment App
    - A deployment app (configuration bundle) is a set of deployment content (including configuration files) deployed as a unit to clients of a server class
    - Located in $SPLUNK_HOME/etc/deployment-apps and pushed to the deployment client's $SPLUNK_HOME/etc/apps folder
    - DO NOT store configurations in $SPLUNK_HOME/etc/system/local
    - Use deployment apps regardless of your deployment tool
  • 45–50. Deployment App - Naming Convention
    The app name is built from four parts, joined with underscores: org_group_application_configuration

        org    group      application   configuration
        acme   finance    apache        inputs
        acme   marketing  iis           props
        splk   all        indexer       base
        splk   ps         user_conf     inputs

    Example: splk_ps_user_conf_inputs
  • 51. Deployment Apps
    mba13:apps $ ls -la
    - SplunkForwarder
    - SplunkLightForwarder
    - Splunk_for_ActiveDirectory
    - Splunk_for_Exchange
    - splk_all_deploymentclient
    - splk_all_forwarder_outputs
    - splk_all_indexer_base
    - splk_all_search_base
    - splk_ps_user_conf_inputs
    - splk_ps_user_conf_props
    - splk_ps_user_conf_web
    - splunk_app_was
    - user-prefs
  • 52. Collecting Syslog
    - Send devices, e.g., routers, firewalls, to a syslog collector
    - Write files to this directory structure: /sourcetype/host/log.txt (e.g., /data/cisco_asa/my.firewall.name/)
    - Monitor at the sourcetype level:

        # CISCO ASA
        [monitor:///data/cisco_asa/.../]
        sourcetype = cisco_asa
        host_segment = 3
        index = firewall

  • 53. Summary
    - Test in a non-production environment
    - Always use the key props parameters:
      – TIME_PREFIX
      – TIME_FORMAT
      – MAX_TIMESTAMP_LOOKAHEAD
      – SHOULD_LINEMERGE
      – LINE_BREAKER
      – TRUNCATE
    - Deploy apps to /etc/apps; not /etc/system/local
    - Clear, predictable naming convention
    - When you're stuck, use Answers and re-use apps from Apps.Splunk.com
  • 54. Resources
    - Get educated: http://www.splunk.com/view/education/SP-CAAAAH9
    - Download Splunk applications: http://apps.splunk.com/
    - Hire Splunk Professional Services: http://www.splunk.com/view/professional-services/SP-CAAABH9
    - Watch some videos: http://www.splunk.com/videos