Getting Started Getting Started With Splunk Enterprise

Copyright © 2017 Splunk Inc.
Getting Started with
Splunk Enterprise
Tomas Baublys
Senior Sales Engineer
tbaublys@splunk.com

3 3
Make machine data accessible,
usable and valuable to everyone.
3

4
COLLECT DATA
FROM ANYWHERE
SEARCH
AND ANALYZE
EVERYTHING
GAIN REAL-TIME
OPERATIONAL
INTELLIGENCE
The Power of Splunk
4

5
What is machine data?
Challenges: Volume | Velocity | Variety | Variability
GPS,
RFID,
Hypervisor,
Web Servers,
Email, Messaging,
Clickstreams, Mobile,
Telephony, IVR, Databases,
Sensors, Telematics, Storage,
Servers, Security Devices, Desktops
5
Splunk’s Mission:
Making machine data accessible,
usable and valuable to everyone.

6
Machine data is not only “machine” data

7
What Does Machine Data Look Like?
Sources
Order Processing
Twitter
Care IVR
Middleware
Error

8
Machine Data Contains Critical Insights
Customer ID Order ID
Customer’s Tweet
Time Waiting On
Hold
Twitter ID
Product ID
Company’s Twitter ID
Customer ID
Order ID
Customer ID
Sources
Order Processing
Twitter
Care IVR
Middleware
Error

9
Splunk Unlocks Critical Insights
Order ID
Customer’s Tweet
Time Waiting On
Hold
Product ID
Company’s Twitter ID
Order ID
Customer
ID
Twitter ID
Customer ID
Customer ID
Sources
Order Processing
Twitter
Care IVR
Middleware
Error

10
THE Industry Leading Platform For Machine Data
Machine Data: Any Location, Type, Volume
Online
Services Web
Services
Servers
Security GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
ApplicationsMessaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call Detail
Records
Smartphones
and Devices
RFID
On-
Premises
Private
Cloud
Public
Cloud
Platform Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing
Answer Any Question
Developer
Platform
Report
and
analyze
Custom
dashboards
Monitor
and alert
Ad hoc
search
Universal
Machine Data
Platform
No backend database
Schema-on-the-fly
No need to filter data
Quick time to value
Agile reporting and analytics
Real-time architecture

11
Time to start SPLUNKING!!!
SplunkLive! Presentations
– http://splunklive.splunk.com/presentations.html
Documentation
– http://www.splunk.com/base/Documentation
Technical Support
– http://www.splunk.com/support
Videos
– http://www.splunk.com/videos
Education
– http://education.splunk.com
Community
– http://answers.splunk.com
Splunk Book
– http://splunkbook.com
Where do I go
for help?

12
dev.splunk.com
40,000+ Q & A – answers.splunk.com
1,200+ apps
splunkbase.splunk.com
Thriving Splunk Community
12
usergroups.splunk.com

Wrap-up/Q&A
1

Appendix: Detailed Walkthrough

15
Download Splunk Enterprise for your OS and Architecture.

16
Unpack and start
tar zxvf splunk-6.5.2-
67571ef4b87d-darwin-64.tgz
splunk/bin/splunk start --
accept-license

17
Download turotialdata.zip http://docs.splunk.com/images/Tutorial/tutorialdata.zip
http://www.splunk.com/goto/book

18
Text
With Firefox, Chrome, or Safari – head to http://127.0.0.1:8000 . User=admin password=changeme

19
You’ve successfully installed Splunk, and logged in! Let’s add the tutorialdata.zip via “Add Data”

20
You can also “Add Data” from Settings at the top.

22
Let’s drag tutorialdata.zip into “Drop your data file here”.

24
Splunk can auto detect the sourcetype. Lets change host field to buttercup-web01, and then click Review.

26
Let’s Start Searching our data.

27
We’re brought into a search with filters applied to search the data we just uploaded.

28
Let’s type “buttercupgames” in the search bar, and double click into a bar on the histogram.

29
Notice the time picker changed with our drill into the histogram bar.

30
Given that this data is web access, lets do a string search for 400, which is a “Bad Request” code.
Notice that there’s 188 events returned. (number will vary for you).

31
Lets also add 300 into the mix, and notice that my event count is higher now.

32
We can see the 400 status codes, but not 300’s. That’s because the string search of 300 doesn’t explicitly
search for status code of 300 – it’ll string match any event that contains “300”.

33
Lets explicitly search for status codes equaling values we want to see returned.

34
Great, we’re now returned all the events containing the two status codes we searched for.
Click on “Top values by time”, which will build out a timechart for us.

35
Notice how our search query changed, there’s a | (pipe), and a timechart command added.
The pipe followed by a command allows further operation on your filtered data set.

36
Let’s change our search to: buttercupgames status=*
And – drill into one bar on the histogram.

37
Click on “top values by time” under the status field on the left, which will produce the timechart above.

38
Let’s exclude 200 status codes by adding AND status!=200, and change Line to Column.

39
After changing from Line to Column, lets Stack the results (middle stack under Stack Mode). Much better!

40
Lets now save this to a dashboard, a place we can go to view this search without having to remember
what we had just searched for. Click Save AS -> Dashboard Panel. Fill in, and click Save. Then View dashboard.

41
Click on Search to get us back to our search bar, and lets key in: buttercupgames.
Development wants to know what web browsers are being used to access the site, but no fields currently
exist. No problem – lets extract the browser field.
Find an event that contains a value that you’re looking for, and click the “>” arrow just to the left of “Time”.
The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.

42
Click Regular Expression (Splunk will build a regular expression to extract our fields), and click next.
Highlight the value of the field you’d like to create, and lets name the field: browser_type
Click Add Extraction.

43
Let’s verify that the extracted field contains values that are indeed types of browsers.
Good, click next to proceed.
Now, open the permissions to “App” which will allow users of the App the ability to leverage this extraction.
Click Next.

44
Success, Let’s explore the fields just created in search, by clicking the link.

45
You’ll now be taken to search, with the filter set to the sourcetype that the field extraction has been applied
to. Note – field extractions are coupled to a sourcetype.
Click on “Top values”.

46
Notice how the search changed. And, instead of a bar graph, we want a pie chart, so drop down the “bar”
option and change it to Pie.

47
Lets add this search to our dashboard, and then view the dashboard.
Click Edit -> Edit Panels to drag the different panels to different positions.

48
Let’s go back to search, and search for buttercupgames AND status!=200 (we want to see events that aren’t successful. Add
the stats and where clause above, to return when there’s more than 100 unsuccessful status codes.

49
Let’s create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression
(Instead of 48, change to minutes a few ahead of your current time. Ie. If it’s 9:00am, change to 05.

50
Add to Triggered Alerts, and Save.

51
You should see an alert trigger once your scheduled search runs at the cron expression you defined.
*Note – it was mentioned that alerts wouldn’t work on a trial license. *Correction – alerts will work until the
trial license expires.

52
Let’s go back to search and: buttercupgames status=* | iplocation clientip
We want to lookup the clientip values against the MaxMind database to pull in City, Country, State, Lat, Lon
of the IPs.

53
Now, business is interested in seeing plots on a map of web users and what they’re doing with the website.
Lets append a geostats command that counts the events by the values of the action field. Pretty cool! This is
definitely dashboard worthy! Lets add to dashboard.

54
Awesome! Now we have a single pane of glass that Operations, Development, and Business all care about –
from one data source! Talk about value!

Installing & Using Splunk
(Live Demonstration &
Walkthrough)

57
Set up Before You Can Play
Get the following at splunk.com
Download Splunk Enterprise
https://www.splunk.com/download
Dowload the Tutorial Data
http://splk.it/2ey34P8
Dowload the lookup file
http://splk.it/2fCgpXw
Download the Search Tutorial
http://splk.it/2ePSYKB

58
IMPORT THE ZIP FILE, not individual files within it:
http://www.splunkbook.com
(sample data is located under ‘related links’ section)
Log into Splunk – http://127.0.0.1:8000 username=admin
password=changeme
To add the file to Splunk:
– Click Add Data
– Click Upload files from my computer.
– Drag and drop you sample data zip file.
– Review and Finish.
Getting Data into Splunk
We will import
sample web
ecommerce store
events

59
Common problems at this point
License expired (already had older version installed)
– Close browser, empty cache, open browser. If that doesn’t work:
– Stop Splunk.
– Uninstall all Splunk versions
 Windows Control Panel->Uninstall programs->Splunk
 OS X. Finder->Applications->Right click Splunk, Move to trash
– Reinstall
– Start Splunk
Can’t start Splunk
– Windows, Search Control panel ->Services->Splunk start
– Linux; cd <SPLUNK dir>/splunk/bin;./splunk start

Let’s get our hands dirty!

Getting Started Getting Started With Splunk Enterprise

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Getting Started Getting Started With Splunk Enterprise

Similar to Getting Started Getting Started With Splunk Enterprise (20)

More from Splunk

More from Splunk (20)

Recently uploaded

Recently uploaded (20)

Getting Started Getting Started With Splunk Enterprise

Editor's Notes