Copyright © 2013 Splunk Inc.
Name:
Title:
Email:
Technical Workshops
Advanced User Training
Agenda
Assumptions
SAs, TAs, Field Aliasing, CIM, Eventtypes, Tags
Dashboard Customization Made Easy
High Availability and Clustering
Report Acceleration
Lookups
Support and Community
Assumptions
You Are in This Session Because…
• You have developed advanced searches with Splunk to manipulate
and present data
• You have mastered sourcetyping and extracting fields
• You have built reports beyond | timechart count
• You have created dashboards of some kind
• You have http://www.splunk.com/base/Documentation bookmarked
SAs, TAs, Field
Aliasing, CIM,
Eventtypes and Tags
What Are We Talking About Here?
• Terminology
• Field Aliasing – the ability to add a hierarchy of fields for easy transaction
analysis
• CIM – Common Information Model – mapping to consistent fields across
different sources of data
• SA – Supporting Add-on – contains underlying support modules and tools
• TA – Technology Add-on – contains field extractions and mapping to CIM
• Eventtypes – an event type is a user-defined field that simplifies search
by letting you categorize events
• Tags – a grouping of event data with related field values
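To make the terminology concrete, here is an added example (not code from the slides or from Splunk) that models field aliasing onto CIM names, eventtypes and tags in plain Python. The sourcetypes `fw:vendorA` and `fw:vendorB`, the raw field names, the eventtype names and the tag names are all constructed for illustration; the CIM field names `src`, `dest` and `action` are the standard ones.

```python
# Added example (not from the slides): a small model of field aliasing, CIM
# normalisation, eventtypes and tags. Sourcetypes, raw field names, values,
# eventtype names and tag names are constructed for illustration.

# Raw events from two firewall products that name the same things differently.
RAW_EVENTS = [
    {"sourcetype": "fw:vendorA", "srcip": "10.0.0.5",
     "dstip": "203.0.113.9", "act": "blocked"},
    {"sourcetype": "fw:vendorB", "source_address": "10.0.0.7",
     "destination_address": "198.51.100.2", "outcome": "allowed"},
]

# Per-sourcetype aliases, in the spirit of a props.conf
# FIELDALIAS-<name> = <original> AS <alias> line. An alias adds the CIM name
# and keeps the original field.
FIELD_ALIASES = {
    "fw:vendorA": {"srcip": "src", "dstip": "dest", "act": "action"},
    "fw:vendorB": {"source_address": "src", "destination_address": "dest",
                   "outcome": "action"},
}

# Eventtypes: a name and the predicate that stands in for its saved search.
# Because they test the CIM field names, one definition covers both vendors.
EVENTTYPES = {
    "network_traffic": lambda e: "src" in e and "dest" in e,
    "network_blocked": lambda e: e.get("action") == "blocked",
}

# Tags attach to eventtypes, so a search for tag=blocked works across sources.
TAGS = {"network_traffic": {"network", "communicate"},
        "network_blocked": {"blocked"}}


def apply_aliases(event):
    """Return a copy of the event with the CIM alias fields added."""
    out = dict(event)
    for original, alias in FIELD_ALIASES.get(event.get("sourcetype"), {}).items():
        if original in event:
            out[alias] = event[original]
    return out


def classify(event):
    """Add eventtype and tag multivalue fields the way Splunk does at search time."""
    out = dict(event)
    out["eventtype"] = sorted(name for name, match in EVENTTYPES.items() if match(out))
    out["tag"] = sorted(set().union(*(TAGS.get(et, set()) for et in out["eventtype"])))
    return out


def normalize(events=RAW_EVENTS):
    """Alias, then classify, every raw event."""
    return [classify(apply_aliases(e)) for e in events]


def search_tag(tag, events=RAW_EVENTS):
    """Equivalent of searching tag=<value>: returns the src of each match."""
    return [e["src"] for e in normalize(events) if tag in e["tag"]]


if __name__ == "__main__":
    for e in normalize():
        print(e["sourcetype"], e["src"], "->", e["dest"], e["eventtype"], e["tag"])
    print("tag=blocked:", search_tag("blocked"))
```

The point of the model is the last function: once both vendors' events carry `src`, `dest` and `action`, one eventtype and one tag describe both, which is what a TA's field extractions and CIM mapping buy you.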
How Can I Learn More???
Searching and Reporting with Splunk - http://www.splunk.com/view/SP-CAAAGCB
Advanced Admin - http://www.splunk.com/view/SP-CAAAGNF
Dashboard
Customization Fun
Splunk Dashboard Customization?
• Splunk Live Advanced App – Tips/Tricks Covered:
• App Menu Customization – adding menus for your custom-created
searches/reports/dashboards
• Adding a Time Selector – add a time selector dropdown to your Simple
XML dashboard
• Converting Simple XML to Advanced XML – quickly create an Advanced
XML dashboard using a Simple XML dashboard as the source
• Adding Dashboard Editor to Advanced XML – add the useful Dashboard
Editor to your Advanced XML dashboards for quick editing
• Add a custom chart module – Donut Chart – quickly add a custom
chart, leveraging a custom chart module from Highcharts.com
*Disclaimer
• The App and Splunk Web customizations that we will show in this
presentation are by no means comprehensive
• Please see the Developer Manual for more detail
http://www.splunk.com/base/Documentation/latest/Developer/
Demo -
Walkthrough
Dashboard
Customization Fun
Other User Control Methods
Edit Permissions by App in the App Manager
Remove options for users in the AccountBar
<module name="AccountBar" layoutPanel="appHeader">
<param name="mode">lite</param>
</module>
Other Customization Options
• App Icon – create your own icon to show on the Home screen
– $SPLUNK_HOME/etc/apps/your_app_name/appserver/static/appIcon.png
• Custom Cascading Style Sheets (CSS) – background colors, fonts,
logos, buttons, navigation, menus, etc.
– Default:
$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css
– Create your application.css in
$SPLUNK_HOME/etc/apps/your_app_name/appserver/static
– See Splunk apps (Splunk for *NIX, Splunk for Windows, etc.) for examples
Where Do I Go From Here?
Developing Apps with Splunk - http://www.splunk.com/view/SP-CAAAGCD
High Availability
Index Replication or clustering
• New in 5.0, Splunk indexers can be configured to replicate indexed data
amongst themselves in a group of servers
• Data replication allows for rapid failure recovery
• Fully configurable replication allows you to balance speed of recovery and
overall disk usage
Why Use Index Replication?
• When you need highly available access to your data – during maintenance,
planned downtimes, etc.
• When you want to ensure high data fidelity – add another layer of protection
beyond backups
• When you need rapid failure (hardware or software) recovery – if you don't
want to resort to tape when hard disks die
• Collateral benefit: multiple search peers means faster searches!
[Diagram: a replication cluster – a master node, peer nodes doing peer-to-peer index data replication, and a search head reaching the peers over distributed search]
Index Replication Server Types
• Master node: Splunk instance which controls and manages a replication
cluster – there can only be one master
• Peer node: similar to an indexer in any multi-server Splunk install, indexes
data from inputs/forwarders PLUS it replicates data to other peer nodes as
indicated by the master
• Search head: works as any Splunk search head, but is a required
component of any replication cluster
Enabling Index Replication
• Enabling Index Replication automatically sets up the following:
– A distributed search link is created across the whole replication cluster: master,
search head, and peers
– A configurable replication port is created on all peers to send and receive replicated
data to other peers
– A heartbeat is established between the peers and the master – default timeout 60
seconds
Where Do I Go From Here?
Advanced Admin - http://www.splunk.com/view/SP-CAAAGNF
Report Acceleration
Report Acceleration Overview
• Reports that cover a large volume of data can:
– Take a long time to complete
– Consume a great deal of system resources
• You can 'accelerate' a qualifying report when you:
– Save it
– Create a dashboard panel based on it
– Edit a qualifying saved search
• Common use cases include:
– More efficiently run reports for large datasets over long time ranges
▸ Show the number of page views and visitors for each of your web sites over the past 30
days, broken out by site
– Build a rolling report that shows aggregated statistics over long periods of time
▸ Display a running count of downloads for a specific file on a website
▸ Calculate the average amount spent per purchase over a year
Report Acceleration Overview (cont’d)
• To accelerate the search, Splunk creates an acceleration summary
• Acceleration summaries
– Efficiently report on large volumes of data
– Qualify future searches against the summary
• To accelerate a report, Search Mode must be set to Smart or Fast
– Neither the Timeline nor the Fields sidebar display
• By default, only power users can accelerate reports
• If you delete all the searches that use a summary, the summary is deleted
• If an acceleration summary is created from a shared search, other reports
that can use it will use it
Populating Search Requirements
• Qualifying searches
– Search must include a reporting command
▸ For example: chart, timechart, stats, top, and rare
– Any command before the reporting command must be a streaming command,
that is, a command that applies a transformation to each event returned by the
search
▸ For example: eval, fields, multikv, rex, rename, and replace
Search Examples
• Qualifying search examples:
sourcetype=access_* action=purchase status=200
| stats sum(price) as revenue by productId
| eval revenue="$" + revenue
sourcetype=* | stats count by sourcetype
• Non-qualifying search examples:
sourcetype=access_* action=purchase status=404
[No reporting command]
sourcetype=access_* | transaction startswith="view" endswith="purchase"
| stats avg(duration)
[transaction is not a streaming command]
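As an added example (not Splunk code and not from the slides), the following Python checks a search string against the two qualifying rules above and reproduces the verdicts for the four example searches. The command lists contain the names the slides give; `search` and `where` are added to the streaming set as an assumption, and the list is not an exhaustive Splunk reference.

```python
# Added example (not Splunk code): checks an SPL search against the two
# qualifying rules on the slides: a reporting command must be present, and
# every command before it must be a streaming command.

# Command lists: the names from the slides, plus `search` and `where`, which
# are assumed here to be streaming as well. Not an exhaustive Splunk list.
REPORTING_COMMANDS = {"chart", "timechart", "stats", "top", "rare"}
STREAMING_COMMANDS = {"eval", "fields", "multikv", "rex", "rename", "replace",
                      "search", "where"}


def split_pipeline(search):
    """Split SPL on top-level '|' characters, ignoring pipes inside double
    quotes (escaped quotes inside strings are not handled)."""
    stages, buf, in_quote = [], [], False
    for ch in search:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def check_acceleration(search):
    """Return (qualifies, reason). The first stage is the base search, which
    is an implicit `search` command; generating commands such as a leading
    `| inputlookup` are not modelled. The separate 100,000-event threshold is
    decided by Splunk on the actual data and is not checked here."""
    stages = split_pipeline(search)
    for stage in stages[1:]:
        cmd = stage.split(None, 1)[0].lower()
        if cmd in REPORTING_COMMANDS:
            return True, f"reporting command '{cmd}' found"
        if cmd not in STREAMING_COMMANDS:
            return False, f"'{cmd}' before the reporting command is not a streaming command"
    return False, "no reporting command"


if __name__ == "__main__":
    for s in ('sourcetype=* | stats count by sourcetype',
              'sourcetype=access_* | transaction startswith="view" '
              'endswith="purchase" | stats avg(duration)'):
        print(check_acceleration(s), "<-", s)
```

Commands after the first reporting command are deliberately not inspected, which matches the slide's first example where `eval` follows `stats`.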
Creating Acceleration Summaries
[Flowchart: after Launch search, three checks gate acceleration – Power role?, Qualified search?, and # of events returned > 100,000? – and NO on any of them leads to Run normal search. YES on all leads to Select acceleration and summary range, then Build acceleration summary, producing the Acceleration summary; if the Summary is too large* [See docs], the search is run as a normal search instead]
Cases Where Splunk Will Not Build a Summary
• There are cases where Splunk allows you to "accelerate" a search, but a
summary won't be created
• Splunk knows what's most efficient and generally won't generate a
summary if:
– There are fewer than 100K events in the summary range – it's faster executing the
search without a summary
– Summary size is projected to be too large – it's faster executing the search because
the main index is smaller
• If a summary is defined and not created for the above reasons, Splunk
continues to check periodically, then automatically creates a summary once it
meets the requirements
Where Do I Go From Here?
Searching and Reporting with Splunk - http://www.splunk.com/view/SP-CAAAGCB
Lookups
Use a Lookup Table
• In props.conf
[access_combined]
LOOKUP-prod = prod_id_lookup product_id OUTPUT product_name,price,tdf_price,call_flwrs_price
• In transforms.conf
[prod_id_lookup]
filename = prod_lookup.csv
• In the lookup directory, prod_lookup.csv
product_id,product_name,price,tdf_price,call_flwrs_price
RP-LI-02,Chocolate Dreams Confections,379,299,319
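To show what the three stanzas above do at search time, here is an added Python example (not Splunk code and not from the slides) that loads the slide's `prod_lookup.csv` and applies it to constructed `access_combined` events, including the OUTPUT versus OUTPUTNEW distinction and an unmatched key. The sample events, and the `revenue_by_product` function that mirrors the `stats sum(price)` search from the Report Acceleration section, are constructed for illustration.

```python
import csv
import io

# Copy of prod_lookup.csv from the slide, embedded so the example runs offline.
PROD_LOOKUP_CSV = """product_id,product_name,price,tdf_price,call_flwrs_price
RP-LI-02,Chocolate Dreams Confections,379,299,319
"""

# Mirrors the props.conf stanza on the slide:
#   LOOKUP-prod = prod_id_lookup product_id OUTPUT product_name,price,tdf_price,call_flwrs_price
LOOKUP_KEY = "product_id"
LOOKUP_OUTPUT = ["product_name", "price", "tdf_price", "call_flwrs_price"]


def load_lookup(csv_text, key=LOOKUP_KEY):
    """Index the CSV rows by the lookup key. Splunk matches lookup keys
    case-sensitively by default, so no case folding is done here either."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def apply_lookup(event, table, key=LOOKUP_KEY, outputs=LOOKUP_OUTPUT, overwrite=True):
    """Add the OUTPUT fields to a copy of `event` when its key value matches
    a row. overwrite=True behaves like OUTPUT (existing fields are replaced);
    overwrite=False behaves like OUTPUTNEW (existing fields are kept)."""
    enriched = dict(event)
    row = table.get(event.get(key))
    if row is None:
        return enriched  # no match: the event passes through unchanged
    for field in outputs:
        if overwrite or field not in enriched:
            enriched[field] = row[field]
    return enriched


# Constructed sample events of sourcetype access_combined; not from the slides.
SAMPLE_EVENTS = [
    {"sourcetype": "access_combined", "action": "purchase", "product_id": "RP-LI-02"},
    # already carries a price, so OUTPUT and OUTPUTNEW differ for this event
    {"sourcetype": "access_combined", "action": "purchase", "product_id": "RP-LI-02", "price": "1"},
    # key not in the lookup: no fields are added
    {"sourcetype": "access_combined", "action": "view", "product_id": "NO-SUCH-ID"},
]


def enrich(events=SAMPLE_EVENTS, csv_text=PROD_LOOKUP_CSV, overwrite=True):
    """Apply the automatic lookup to every event."""
    table = load_lookup(csv_text)
    return [apply_lookup(e, table, overwrite=overwrite) for e in events]


def revenue_by_product(events):
    """Stand-in for `action=purchase | stats sum(price) as revenue by productId`
    run over enriched events; only events that have a price contribute."""
    totals = {}
    for e in events:
        if e.get("action") == "purchase" and "price" in e:
            totals[e["product_id"]] = totals.get(e["product_id"], 0) + int(e["price"])
    return totals


if __name__ == "__main__":
    for e in enrich():
        print(e)
    print("revenue:", revenue_by_product(enrich()))
```

The `overwrite` flag is the detail worth noticing: an automatic lookup defined with OUTPUT silently replaces a field the event already had, so a price extracted from the raw event would be overwritten by the CSV value; OUTPUTNEW keeps the event's own value.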
Support and
Community
Support Through the Splunk Community
Splunkbase
Where to Go for Help
• Documentation
– http://www.splunk.com/base/Documentation
• Technical Support
– http://www.splunk.com/support
• Videos
– http://www.splunk.com/videos
• Education
– http://www.splunk.com/goto/education
• Professional Services
Thank you
Date
Technical
Workshops
Advanced User Training

SplunkLive! Advanced Session

  • 1. Copyright © 2013 Splunk Inc. Name: Title: Email: Technical Workshops Advanced User Training
  • 2. Agenda Assumptions SAs, TAs, Field Aliasing, CIM, Eventtypes, Tags Dashboard Customization Made Easy High Availability and Clustering Report Acceleration Lookups Support and Community 2
  • 4. You Are in This Session Because….
    • You have developed advanced searches with Splunk to manipulate and present data
    • You have mastered sourcetyping and extracting fields
    • You have built reports beyond | timechart count
    • You have created dashboards of some kind
    • You have http://www.splunk.com/base/Documentation bookmarked
  • 5. SAs, TAs, Field Aliasing, CIM, Eventtypes and Tags
  • 6. What Are We Talking About Here?
    • Terminology
    • Field Aliasing: the ability to add a hierarchy of fields for easy transaction analysis.
    • CIM – Common Information Model: mapping to consistent fields across different sources of data
    • SA – Supporting Add-ons: contain the underlying support modules and tools
    • TA – Technology Add-on: contains field extractions and the mapping to CIM
    • Eventtypes – An event type is a user-defined field that simplifies search by letting you categorize events
    • Tags – Groupings of event data with related field values.
  • 7. How Can I Learn More???
    Searching and Reporting with Splunk - http://www.splunk.com/view/SP-CAAAGCB
    Advanced Admin - http://www.splunk.com/view/SP-CAAAGNF
  • 9. Splunk Dashboard Customization?
    • Splunk Live Advance App – Tips/Tricks Covered:
    • App Menu Customization: adding menus for your custom created searches/reports/dashboards.
    • Adding a Time Selector: add a time selector dropdown to your Simple XML dashboard.
    • Converting Simple XML to Advanced XML: quickly create an Advanced XML dashboard using a Simple XML dashboard as the source.
    • Adding Dashboard Editor to Advanced XML: add the useful Dashboard Editor to your Advanced XML dashboards for quick editing.
    • Add a custom chart module – Donut Chart: quickly add a custom chart, leveraging a custom chart module from Highcharts.com
  • 10. *Disclaimer
    • The App and Splunk Web customizations that we will show in this presentation are by no means comprehensive
    • Please see the Developer Manual for more detail: http://www.splunk.com/base/Documentation/latest/Developer/
  • 12. Other User Control Methods
    Edit Permissions by App in the App Manager
    Remove options for users in the AccountBar:
      <module name="AccountBar" layoutPanel="appHeader">
        <param name="mode">lite</param>
      </module>
  • 13. Other Customization Options
    • App Icon – create your own icon to show on the Home screen
      – $SPLUNK_HOME/etc/apps/your_app_name/appserver/static/appIcon.png
    • Custom Cascading Style Sheets (CSS) - background colors, fonts, logos, buttons, navigation, menus, etc
      – Default: $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css
      – Create your application.css in $SPLUNK_HOME/etc/apps/your_app_name/appserver/static
      – See Splunk Apps (Splunk for *NIX, Splunk for Windows, etc) for examples
  • 14. Where Do I Go From Here? 14 Developing Apps with Splunk - http://www.splunk.com/view/SP-CAAAGCD
  • 16. Index Replication or Clustering
    • New in 5.0, Splunk indexers can be configured to replicate indexed data amongst themselves in a group of servers
    • Data replication allows for rapid failure recovery
    • Fully configurable replication allows you to balance speed of recovery and overall disk usage
  • 17. Why Use Index Replication?
    • When you need highly available access to your data – during maintenance, planned downtimes, etc.
    • When you want to ensure high data fidelity – add another layer of protection beyond backups
    • When you need rapid failure (hardware or software) recovery – if you don’t want to resort to tape when hard disks die
    • Collateral benefit: multiple search peers means faster searches!
  • 18. Index Replication (diagram: a replication cluster with a master node, peer nodes performing peer-to-peer index data replication, and a search head reaching the peers through distributed search)
  • 19. Index Replication Server Types
    • Master node: Splunk instance which controls and manages a replication cluster – there can only be one master
    • Peer node: Similar to an indexer in any multi-server Splunk install, indexes data from inputs/forwarders PLUS it replicates data to other peer nodes as indicated by the master
    • Search head: Works as any Splunk search head, but is a required component of any replication cluster
  • 20. Enabling Index Replication
    • Enabling Index Replication automatically sets up the following:
      – A distributed search link is created across the whole replication cluster: master, search head, and peers
      – A configurable replication port is created on all peers to send and receive replicated data to other peers
      – A heartbeat is established between the peers and the master – default timeout 60 seconds
  • 21. Where Do I Go From Here? 21 Advanced Admin - http://www.splunk.com/view/SP-CAAAGNF
  • 23. Report Acceleration Overview
    • Reports that cover a large volume of data can:
      – Take a long time to complete
      – Consume a great deal of system resources
    • You can ‘accelerate’ a qualifying report when you:
      – Save it
      – Create a dashboard panel based on it
      – Edit a qualifying saved search
    • Common use cases include:
      – More efficiently run reports for large datasets over long time ranges
        ▸ Show the number of page views and visitors for each of your web sites over the past 30 days, broken out by site
      – Build a rolling report that shows aggregated statistics over long periods of time
        ▸ Display a running count of downloads for a specific file on a website
        ▸ Calculate the average amount spent per purchase over a year
  • 24. Report Acceleration Overview (cont’d)
    • To accelerate the search, Splunk creates an acceleration summary
    • Acceleration summaries
      – Efficiently report on large volumes of data
      – Qualify future searches against the summary
    • To accelerate a report, Search Mode must be set to Smart or Fast
      – Neither the Timeline nor the Fields sidebar display
    • By default, only power users can accelerate reports
    • If you delete all the searches that use a summary, the summary is deleted
    • If an acceleration summary is created from a shared search, other reports that can use it will use it
  • 25. Populating Search Requirements
    • Qualifying searches
      – Search must include a reporting command
        ▸ For example: chart, timechart, stats, top, and rare
      – Any command before the reporting command must be a streaming command, that is, a command that applies a transformation to each event returned by the search
        ▸ For example: eval, fields, multikv, rex, rename, and replace
  • 26. Search Examples
    • Qualifying search examples:
      sourcetype=access_* action=purchase status=200 | stats sum(price) as revenue by productId | eval revenue="$" + revenue
      sourcetype=* | stats count by sourcetype
    • Non-qualifying search examples:
      sourcetype=access_* action=purchase status=404 [No reporting command]
      sourcetype=access_* | transaction startswith="view" endswith="purchase" | stats avg(duration) [Transaction is not a streaming command]
  • 27. Creating Acceleration Summaries (flowchart). Decision nodes, in order: Power role? → Qualified search? → Select acceleration and summary range → # of events returned > 100,000? → Summary too large* [See docs] → Build acceleration summary → Acceleration summary. A NO at any decision node launches the search as a normal search.
  • 28. Cases Where Splunk Will Not Build a Summary
    • There are cases where Splunk allows you to "accelerate" a search, but a summary won’t be created
    • Splunk knows what’s most efficient and generally won’t generate a summary if:
      – There are fewer than 100K events in the summary range – it’s faster executing the search without a summary
      – Summary size is projected to be too large – it’s faster executing the search because the main index is smaller
    • If a summary is defined and not created for the above reasons, Splunk continues to check periodically, then automatically creates a summary once it meets the requirements
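Slides 25 to 28 state two separate rules: which searches qualify for acceleration, and when Splunk still declines to build a summary. As an added illustration, not from the deck or from Splunk's own code, this Python checker applies both rules to the slide 26 searches. The command sets are only those the slides name, the 100K threshold is from slide 28, and the 10% figure from editor's note 6 is modelled as a plain size ratio (an assumption).

```python
# Command classes as named on slides 25-26 (only those; not an exhaustive list of SPL commands).
REPORTING = {"chart", "timechart", "stats", "top", "rare"}
STREAMING = {"eval", "fields", "multikv", "rex", "rename", "replace"}


def split_pipeline(search):
    """Split an SPL string on '|' outside double quotes; stage 0 is the base search."""
    stages, buf, in_quote = [], [], False
    for ch in search:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages


def qualifies_for_acceleration(search):
    """Slide 25 rule: a reporting command must appear, and every command before it
    must be a streaming command. Returns (ok, reason)."""
    commands = [s.split()[0].lower() for s in split_pipeline(search)[1:] if s]
    for pos, cmd in enumerate(commands, start=1):
        if cmd in REPORTING:
            return True, f"reporting command '{cmd}' at stage {pos}"
        if cmd not in STREAMING:
            return False, f"'{cmd}' ahead of the reporting command is not a streaming command"
    return False, "no reporting command"


def should_build_summary(event_count, summary_bytes, bucket_bytes, max_ratio=0.10):
    """Slide 28 and editor's note 6: no summary when the range holds fewer than 100K events,
    or when the projected summary exceeds 10% of total bucket size (assumed plain ratio)."""
    if event_count < 100_000:
        return False, "fewer than 100K events in the summary range"
    if summary_bytes > max_ratio * bucket_bytes:
        return False, "projected summary too large relative to the buckets"
    return True, "summary will be built"


# The four searches from slide 26, as constructed inputs for the checker.
SLIDE_26 = {
    "qualifying_1": 'sourcetype=access_* action=purchase status=200 | stats sum(price) as revenue by productId | eval revenue="$" + revenue',
    "qualifying_2": "sourcetype=* | stats count by sourcetype",
    "no_reporting": "sourcetype=access_* action=purchase status=404",
    "transaction": 'sourcetype=access_* | transaction startswith="view" endswith="purchase" | stats avg(duration)',
}
```

Running `qualifies_for_acceleration` over `SLIDE_26` reproduces the slide's verdicts, with the transaction search rejected because `transaction` is neither streaming nor reporting.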
  • 29. Where Do I Go From Here? 29 Searching and Reporting with Splunk - http://www.splunk.com/view/SP-CAAAGCB
  • 31. Use a Lookup Table
    • In props.conf:
      [access_combined]
      LOOKUP-prod = prod_id_lookup product_id OUTPUT product_name, price, tdf_price, call_flwrs_price
    • In transforms.conf:
      [prod_id_lookup]
      filename = prod_lookup.csv
    • In the lookup directory, prod_lookup.csv:
      product_id,product_name,price,tdf_price,call_flwrs_price
      RP-LI-02,Chocolate Dreams Confections,379,299,319
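The three pieces on this slide chain together: the props.conf LOOKUP setting names the lookup and its match and OUTPUT fields, transforms.conf maps that name to a CSV file, and the CSV supplies the values. The following Python is an added example, not Splunk's implementation, that parses the slide's LOOKUP line and applies the CSV to sample event dicts; the function names and the sample events are constructed here.

```python
import csv
import io
import re

# Constructed copies of the three pieces on the slide (not read from a live Splunk install).
PROPS_LOOKUP = ("LOOKUP-prod = prod_id_lookup product_id "
                "OUTPUT product_name, price, tdf_price, call_flwrs_price")
TRANSFORMS = {"prod_id_lookup": "prod_lookup.csv"}   # [prod_id_lookup] filename = prod_lookup.csv
LOOKUP_FILES = {"prod_lookup.csv": (
    "product_id,product_name,price,tdf_price,call_flwrs_price\n"
    "RP-LI-02,Chocolate Dreams Confections,379,299,319\n")}

LOOKUP_RE = re.compile(r"^LOOKUP-\w+\s*=\s*(\S+)\s+(\S+)\s+OUTPUT\s+(.+)$")


def parse_lookup_setting(line):
    """Return (lookup_name, match_field, output_fields) from a props.conf LOOKUP-* line."""
    m = LOOKUP_RE.match(line.strip())
    if not m:
        raise ValueError("not a LOOKUP- setting: " + line)
    name, match_field, outputs = m.groups()
    return name, match_field, [f.strip() for f in outputs.split(",")]


def load_lookup_table(lookup_name, match_field):
    """Resolve the lookup name through transforms.conf and index the CSV rows by match_field."""
    text = LOOKUP_FILES[TRANSFORMS[lookup_name]]
    return {row[match_field]: row for row in csv.DictReader(io.StringIO(text))}


def enrich(event, table, match_field, outputs):
    """Add the OUTPUT fields to a copy of the event when its match_field value is in the table.
    OUTPUT (as on the slide) overwrites an existing field; OUTPUTNEW would keep it.
    Events with no match, or without the match field, are returned unchanged."""
    key = event.get(match_field)
    if key is None or key not in table:
        return dict(event)
    row = table[key]
    return {**event, **{f: row[f] for f in outputs if f in row}}


def enrich_with_slide_config(event):
    """Apply the slide's lookup configuration end to end to one event dict."""
    name, match_field, outputs = parse_lookup_setting(PROPS_LOOKUP)
    return enrich(event, load_lookup_table(name, match_field), match_field, outputs)
```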
  • 33. Support Through the Splunk Community 33 Splunkbase
  • 34. Where to Go for Help
    • Documentation – http://www.splunk.com/base/Documentation
    • Technical Support – http://www.splunk.com/support
    • Videos – http://www.splunk.com/videos
    • Education – http://www.splunk.com/goto/education
    • Professional Services

Editor's Notes

  1. Once you have been awed by the power of Splunk to search on any data in your world (and others), you generally want to organize things in a way that gets relevant information into the hands of the right people, whether that is creating a place for those pesky developers to look at their logs, providing the security team with a trail of evidence, or impressing your boss with pie charts.
  3. The second option must be done in Advanced XML. We’ll cover that later.
  4. Others: Customize login screen, event display, add HTML with a ServerSideInclude, put in an external website with IFrameInclude module.
  5. We say Power user here, but the user must have the schedule_search privilege to create an acceleration summary. Users with the schedule_search capability can accelerate reports, i.e. power users by default.
  6. *greater than 10% of total bucket size
  7. We see the field product_id in our event but would like to map this to the actual product name for reporting purposes and to make the results more readable.