Machine Data 101

© 2017 SPLUNK INC.© 2017 SPLUNK INC.
Machine Data 101:
Turning Data Into Insight
Guy Weaver | Senior Sales Engineer
August 23, 2017 | Detroit, MI

© 2017 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements

© 2017 SPLUNK INC.
▶ Workshop Setup
▶ Splunk Overview – what is Splunk?
▶ It’s all about the data – background on your data sources
▶ Searching and Reporting – getting the basics out of the way
▶ Apps and Add-ons – Fastest path to value from your data
▶ Apps – a place to store all your amazing work
▶ SPL Overview – Everything begins with a Search
▶ Build a Dashboard – Organize your information
▶ Resources – Next Steps to Success!
Agenda

© 2017 SPLUNK INC.
▶ Setup a splunk.com Account
▶ Install Splunk
▶ Setup an Instance of SplunkCloud (Optional)
▶ Upload data
▶ Install an Application
▶ Explore Data in Splunk
▶ Run a Search in Splunk
▶ Create an App
Bucket List
▶ Create a Dashboard
▶ Create a Report
▶ Learn some basic SPL
▶ Create a Manual Lookup
▶ Create and Automatic Lookup
▶ Create a Chart in Splunk
▶ Create a Geomap Chart
▶ Know where to go for more Splunk

© 2017 SPLUNK INC.
Workshop Setup

© 2017 SPLUNK INC.
Download Splunk or Sign Up For Splunk Cloud
www.splunk.com > Free Splunk > Splunk Enterprise or Splunk Cloud
1
2
3

© 2017 SPLUNK INC.
▶ Box > access_datasample_last4h.log
▶ Box > http_status.csv
Download Data Sample and Lookup
https://splunk.box.com/v/MD101Workshop

© 2017 SPLUNK INC.
Getting to know Splunk
And so we begin...

© 2017 SPLUNK INC.
Login to Splunk

© 2017 SPLUNK INC.
The Splunk Interface
Take some time to click
around for a few minutes...

© 2017 SPLUNK INC.
▶ Browser: http://localhost:8000
▶ Default username/password is admin/changeme
Index Data Sample
1
2

© 2017 SPLUNK INC.
Index Data Sample
3
2
1
4
5

© 2017 SPLUNK INC.
Index Data Sample
1
2

© 2017 SPLUNK INC.
Index Data Sample
1
2
You will need to refresh
the search after a few
moments for all events
to show up

© 2017 SPLUNK INC.
Splunk Cloud
And so we begin...

© 2017 SPLUNK INC.
▶ Visit: https://www.splunk.com/getsplunk/cloud_trial and sign-up!
Activating Your Splunk Cloud Instance

© 2017 SPLUNK INC.
https://prd-p-1abc234defgh.cloud.splunk.com
MDWUser,
Three Clicks Later... Ready to Start Splunking

© 2017 SPLUNK INC.
Optimizing Your Experience
Default User Settings

© 2017 SPLUNK INC.
Enhance Your Splunk Experience – User Settings

© 2017 SPLUNK INC.
Adjusting Your Global User Settings
Events will be displayed relative to your time zone
Context sensitive help at your fingertips
Searches are cleaned up and colorized
Line numbers are added to your searches for clarity

© 2017 SPLUNK INC.
Splunk Overview

© 2017 SPLUNK INC.
Industry Leading Platform For Machine Data
Custom
dashboards
Report and
analyze
Monitor
and alert
Developer
Platform
Ad hoc
search
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy MetersFirewall
Intrusion
Prevention
Platform Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing
Machine Data: Any Location, Type, Volume Answer Any Question
Any Amount, Any Location, Any Source
Schema
on-the-fly
Universal
indexing
No
back-end
RDBMS
No need
to filter
data

© 2017 SPLUNK INC.
Structured
RDBMS
SQL Search
Schema at Write Schema at Read
Traditional Splunk
Copyright © 2014 Splunk Inc.
Splunk Approach to Machine Data
24
ETL
Universal
Indexing
Volume Velocity Variety
Unstructured

© 2017 SPLUNK INC.
Ingests Data From Heterogeneous Data Sources
Agent-Less and Agent Approach for Flexibility and Optimization
Mounted File Systems
hostnamemount
syslog
TCP/UDP
Event Logs
Performance
Active
Directory
syslog hosts
and network devices
Unix, Linux and Windows hosts
Local File Monitoring
Splunk Forwarder
virtual
host
Windows
Scripted or Modular Inputs
shell scripts, API subscriptions
Mainframes*nix
Wire Data
Splunk App for Stream
DevOps, IoT,
Containers
HTTP Event Collector
shell
API
perf

© 2017 SPLUNK INC.
Structured View Into Unstructured Data
Product ID
Activity Log
Amount
Webserver ID
CPU threshold
Error event log
Event Log
Failed login
IP Addr
Table Datasets: Empower users with focused data views

© 2017 SPLUNK INC.
Enrich Raw Data to Make It More Meaningful
Create additional fields from
the raw data with a lookup
to an external data source LDAP, AD
Watch
Lists
CRM/ERP
CMDB
External Data Sources
Data goes in
Insight comes out

© 2017 SPLUNK INC.
Forwards Events to Third-Party Systems
Service Desk
Event Console
SIEM
Formatted
RAW

© 2017 SPLUNK INC.
▶ Alerts
• Create alerts based on any search
• Customize content and format of email alerts
• Trigger a script
• Custom Alert Actions
• Allows packaged integration
with third-party applications
• Enable custom workflows
• Developers can build, package
and publish alert actions
Actionable Alerting

© 2017 SPLUNK INC.
▶ Reports
• Visually represent the results
of a search
• Run on an ad hoc basis or save
the report to view later
• Share it with others on the team
or a different group
• Add reports to a new or
existing dashboard
Dynamic Reporting
Chart on any search
Choose
visualization
Save as a report

© 2017 SPLUNK INC.
Combine Reports to Create Dashboards
Use the built-in
dashboard editor
Or embed the reports into
external sites like a wiki

© 2017 SPLUNK INC.
It’s all about the data
Let’s participate in some data discovery.

© 2017 SPLUNK INC.
Sources of Data
HTTP Status Lookup Table
Access Log
access_datasample_last4h.log
http_status.csv

© 2017 SPLUNK INC.
▶ 141.146.8.66 - - [17/Nov/2016 12:17:52:155] "GET /oldlink?item_id=EST-7&JSESSIONID=SD5SL5FF3ADFF8 HTTP 1.1"
400 1271 "http://www.myflowershop.com/cart.do?action=addtocart&itemId=EST-7&product_id=FI-FW-02" "Googlebot/2.1
( http://www.googlebot.com/bot.html) " 899
Unstructured Data - Access Log
access_datasample_last4h.log
JSESSIONID SD5SL5FF3ADFF8
_raw
141.146.8.66 - - [17/Nov/2016 12:17:52:155] "GET /oldlink?item_id=EST-
7&JSESSIONID=SD5SL5FF3ADFF8 HTTP 1.1" 400 1271
"http://www.myflowershop.com/cart.do?action=addtocart&itemId=EST-
7&product_id=FI-FW-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html)
" 899
_time 2016-11-17T12:17:52.155-0500
action addtocart
bytes 1271
category_id
clientip 141.146.8.66
cookie
date_hour 12
date_mday 17
date_minute 17
date_month november
date_second 52
date_wday thursday
date_year 2016
date_zone local
eventtype
file oldlink
host gweaver-mbp
ident -
index main
itemId EST-7
item_id EST-7
linecount 1
method GET
other 899
product_id FI-FW-02
punct ..._-_-_[//_:::]_"_/?=-&=__."___"://../.?=&=-&=--"
referer
http://www.myflowershop.com/cart.do?action=addtocart&itemId=EST-
7&product_id=FI-FW-02
referer_domain http://www.myflowershop.com
req_time 17/Nov/2016 12:17:52:155
root
source access_datasample_last4h.log
sourcetype access_combined
splunk_server gweaver-mbp
splunk_server_group
status 400
timeendpos 42
timestartpos 18
uri /oldlink?item_id=EST-7&JSESSIONID=SD5SL5FF3ADFF8
uri_domain
uri_path /oldlink
uri_query item_id=EST-7&JSESSIONID=SD5SL5FF3ADFF8
user -
useragent Googlebot/2.1 ( http://www.googlebot.com/bot.html)
version 1.1

© 2017 SPLUNK INC.
http_status.csv
status status_description status_type
403 Forbidden Client Error
404 Not Found Client Error
405 Method Not Allowed Client Error
406 Not Acceptable Client Error
407 Proxy Authentication Required Client Error
408 Request Timeout Client Error
409 Conflict Client Error
410 Gone Client Error
411 Length Required Client Error
412 Precondition Failed Client Error
413 Request Entity Too Large Client Error
414 Request-URI Too Long Client Error
415 Unsupported Media Type Client Error
416 Requested Range Not Satisfiable Client Error
417 Expectation Failed Client Error
500 Internal Server Error Server Error
501 Not Implemented Server Error
502 Bad Gateway Server Error
503 Service Unavailable Server Error
504 Gateway Timeout Server Error
505 HTTP Version Not Supported Server Error
status status_description status_type
100 Continue Informational
101 Switching Protocols Informational
200 OK Successful
201 Created Successful
202 Accepted Successful
203 Non-Authoritative Information Successful
204 No Content Successful
205 Reset Content Successful
206 Partial Content Successful
300 Multiple Choices Redirection
301 Moved Permanently Redirection
302 Found Redirection
303 See Other Redirection
304 Not Modified Redirection
305 Use Proxy Redirection
307 Temporary Redirect Redirection
400 Bad Request Client Error
401 Unauthorized Client Error
402 Payment Required Client Error

© 2017 SPLUNK INC.
Search & Reporting
Let’s explore some data together

© 2017 SPLUNK INC.
Go to the Search & Reporting App

© 2017 SPLUNK INC.
The Default App Interface
How many
events were
indexed?
How old
are the
events?
Are events
still coming
in?

© 2017 SPLUNK INC.
Data Summary – Hosts
Two different hosts are sending their data into your Splunk
instance.
Data from
appserver and
fileserver hosts
Total counts of
events The last time
events were
received
Guess what this little
graphic means?

© 2017 SPLUNK INC.
Data Summary – Sources
Sources let you know the specific location or other
information about where the event originates.
Original source
location of logs
Event counts
continue to
grow.

© 2017 SPLUNK INC.
Data Summary – Sourcetypes
Sourcetypes provide categories and context, and are used to
extract fields, enrich data and so much more.
Categorize data
using sourcetypes!

© 2017 SPLUNK INC.
Searching in your app
Add a wildcard to the search bar and
hit return to see indexed events

© 2017 SPLUNK INC.
The Search Results Interface
Take some time and explore
all of the available options in
the Splunk search results
Key=“Value” fields are
automatically extracted from
raw events. We call this,
“schema on the fly”
Which fields will Splunk
automatically extract from
the events?
App Bar
Splunk Bar
Search Bar
Events Bar
Fields Sidebar
Search Action Buttons
Timeline
Search Results Tabs
Save As Menu
Time Range Picker
Search Mode Selector

© 2017 SPLUNK INC.
Exploring Fields
What values do you see
when you select the
sourcetype field?
Take some time to explore
the various field options on
the left

© 2017 SPLUNK INC.
Numeric Field Reports
Numeric
Fields
#
Select “Average over time” to generate a timechart

© 2017 SPLUNK INC.
Visualizing Data
Chart Types
Splunk Search Language (SPL)
Select Column Chart

© 2017 SPLUNK INC.
Statistical and Charting Functions
http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/CommonStatsFunctions
Add additional functions to transform results
Use, “AS” to rename the result fields
Remember , “CAPITALIZE”

© 2017 SPLUNK INC.
Formatting Visualizations
Stacked
http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/CommonStatsFunctions
Format

© 2017 SPLUNK INC.
ASCII Field Reports
ASCII
Fields
a

© 2017 SPLUNK INC.
splunkbase.com

© 2017 SPLUNK INC.
Splunkbase.com
52
The Splunk platform imports and indexes virtually any machine data and provides
powerful search and analysis features that deliver immediate value to your
business. We also offer hundreds of apps and add-ons that can enhance and
extend the Splunk platform with ready-to-use functions ranging from optimized
data collection to monitoring security, IT management and more.

© 2017 SPLUNK INC.
Splunkbase.com – 6.x Dashboard Examples
53
The Splunk 6.x Dashboard app delivers examples that give you a hands-on
way to learn the basic concepts and tools needed to rapidly create rich
dashboards using Simple XML. This new app incorporates learn-by-doing
Simple XML examples, including extensions to Simple XML for further
customization of layout, interactivity, and visualizations.

© 2017 SPLUNK INC.
▶ Assistants: Guide model building,
testing & deployment for common
objectives
▶ Showcases: Interactive examples for
typical IT, security, business, IoT use
cases
▶ SPL ML Commands: New commands
to fit, test and operationalize models
▶ Python for Scientific Computing
Library: 300+ open source algorithms
available for use
Splunk Machine Learning Toolkit
Build custom analytics for any use case

© 2017 SPLUNK INC.
Installing Your First App

© 2017 SPLUNK INC.
Browse more apps on splunkbase.com

© 2017 SPLUNK INC.
Install Splunk 6.x Dashboard Examples

© 2017 SPLUNK INC.
Check out the App you installed

© 2017 SPLUNK INC.
Creating Your First App
Creating your MDW101 App

© 2017 SPLUNK INC.
Creating Your First App
• Apps are a collection of dashboards, panels and UI elements
• Powered by saved searches and packaged for specific
technologies or use cases.
• Provide useful and relevant information to many different roles.
• Help you stay organized
I am not an App
developer!!!!

© 2017 SPLUNK INC.
App Management Page
Select the “Create App” button

© 2017 SPLUNK INC.
Fill Out the App Form and Select Save
All of your saved objects are here:
$SPLUNK_HOME/etc/apps/MDW101
Apps are folders
where all of my
saved objects are
stored!

© 2017 SPLUNK INC.
Go to the Machine Data Workshop 101 App
That was
easy!

© 2017 SPLUNK INC.
The Machine Data 101 Workshop App
Why do we want you to stay within this
Machine Data 101 Workshop app today?

© 2017 SPLUNK INC.
Your First Dashboard
Pointing and Clicking

© 2017 SPLUNK INC.
Today You Will Be Building This

© 2017 SPLUNK INC.
SPL Overview
Search Processing Language

© 2017 SPLUNK INC.
SPL Overview
▶Over 140+ search commands
▶Syntax was originally based upon the Unix pipeline and SQL
and is optimized for time series data
▶The scope of SPL includes data searching, filtering,
modification, manipulation, enrichment, insertion and
deletion
68

© 2017 SPLUNK INC.
How Search Works

© 2017 SPLUNK INC.
SPL Examples

© 2017 SPLUNK INC.
search and filter

© 2017 SPLUNK INC.
Search and Filter
Examples
● Keyword search:
sourcetype=access* 200
73

© 2017 SPLUNK INC.
Search and Filter
Examples
● Keyword search:
● Filter:
sourcetype=access*
status=200
74

© 2017 SPLUNK INC.
Search and Filter
Examples
● Keyword search:
● Filter:
sourcetype=access*
status=200
● Combined:
sourcetype=access* GET
action=purchase
75

© 2017 SPLUNK INC.
Eval – Modify or Create New Fields and
ValuesExamples
● Calculation:
sourcetype=access*
77

© 2017 SPLUNK INC.
ValuesExamples
● Calculation:
sourcetype=access*
● Evaluation:
sourcetype=access*
| eval http_response =
if(status != 200, "Error", "OK")
78

© 2017 SPLUNK INC.
ValuesExamples
● Calculation:
sourcetype=access*
|eval KB=bytes/1024
● Evaluation:
sourcetype=access*
| eval http_response =
if(status != 200, ”Error", ”OK”)
● Concatenation:
sourcetype=access*
| eval connection =
clientip.”:”.port
79

© 2017 SPLUNK INC.
Eval – Just Getting Started!
Splunk Search Quick Reference Guide
80

© 2017 SPLUNK INC.
Stats, Chart, Timechart
82

© 2017 SPLUNK INC.
Stats – Calculate Statistics Based on Field
ValuesExamples
● Calculate stats
sourcetype=access*
| stats count
83

© 2017 SPLUNK INC.
Values
Examples
84
● Calculate stats
sourcetype=access*
| stats count
● Group by field
sourcetype=access*
| stats count by action

© 2017 SPLUNK INC.
Values
Examples
85
● Calculate stats and rename
sourcetype=access*
| stats count
● Group by field
sourcetype=access*
| stats count by action
● By multiple functions
sourcetype=access*
| stats avg(bytes) AS AVG_Bytes
sparkline(avg(bytes)) AS
Trend_Bytes by action
Hey! That looks
cool let’s save this
report…..

© 2017 SPLUNK INC.
Save Search as a Report and Dashboard too

© 2017 SPLUNK INC.
MDW Workshop

© 2017 SPLUNK INC.
Timechart – Visualize Statistics Over Time
Examples
● Visualize stats over time
sourcetype=access*
| timechart avg(bytes)
88

© 2017 SPLUNK INC.
Examples
89
sourcetype=access*
| timechart avg(bytes)
● Add a trendline
sourcetype=access*
| timechart avg(bytes) as
bytes | trendline sma5(bytes)
Hey! That looks
cool too! Add it to
your dashboard

© 2017 SPLUNK INC.
Examples
92
sourcetype=netapp:perf
| timechart avg(read_ops)
● Add a trendline
sourcetype=access*
bytes | trendline sma5(bytes)
● Add a prediction overlay
sourcetype=access*
bytes | predict bytes

© 2017 SPLUNK INC.
Transaction – Group Related Events
Spanning TimeExamples
● Group by session ID
sourcetype=access*
| transaction JSESSIONID
94

© 2017 SPLUNK INC.
Transaction – Group Related Events Spanning
Time
Examples
95
sourcetype=access*
● Calculate session durations
sourcetype=access*
| stats min(duration) max(duration)
avg(duration)

© 2017 SPLUNK INC.
Stats – Group Related Events Spanning Time
Examples
96
sourcetype=access*
● Calculate session durations
sourcetype=access*
avg(duration)
● Stats command
sourcetype=access*
| stats min(_time) AS earliest
max(_time)
AS latest by JSESSIONID
| eval duration=latest-earliest
avg(duration)

© 2017 SPLUNK INC.
▶ Add meaning/context/specificity to raw data
▶ Labels describing team, category, platform, geography
▶ Applied to field-value combination
▶ Multiple tags can be applied for each field-value
▶ Case sensitive
Tags

© 2017 SPLUNK INC.
Search events with tag in any field
Search events with tag in a specific field
Search events with tag using wildcards
Find the Web Servers
▶ Tags in Action
tag=webserver
tag::host=webserver
tag=web*
Tag the host
as webserver
Tag the sourcetype
as web
1
2
3
4
5
SHOW
Back to
Slides

© 2017 SPLUNK INC.
▶ Normalize field labels to simplify search and correlation
▶ Apply multiple aliases to a single field
• Example: Username | cs_username | User à user
• Example: c_ip | client | client_ip à clientip
▶ Processed after field extractions + before lookups
▶ Can apply to lookups
▶ Aliases appear alongside original fields
Field Aliases

© 2017 SPLUNK INC.
Create field alias of clientip = customer
Search events in last 15 minutes, find
customer field
Field alias (customer) and original field
(clientip) are both displayed
Search using an Intuitive Field Name
Field Alias in Action
sourcetype=access_combined
1
2
3

© 2017 SPLUNK INC.
▶ Shortcut for performing
repetitive/long/complex
transformations using eval
command
▶ Based on extracted or discovered
fields only
▶ Do not apply to lookup or
generated fields
Calculated Fields
1
2
3
3

© 2017 SPLUNK INC.
▶ Augment raw events with additional fields
• Provide context or supporting details
▶ Translate field values to more descriptive data
• Example: add text descriptions for error codes, IDs
• Example: add contact details to user names or IDs
• Example: add descriptions to HTTP status codes
▶ File-based or scripted lookups
Lookups

© 2017 SPLUNK INC.
Lookups to Enrich Raw Data
CRM/
ERP
External Data Sources
Data goes in
Create additional fields
from the raw data with
a lookup to an external
data source
Insight comes out
Watch
Lists
LDAP
AD
CMDB

© 2017 SPLUNK INC.
Get the lookup from the Splunk Wiki (save to .csv file)
http://wiki.splunk.com/Http_status.csv
Lookup table files > Add new
• Name: http_status.csv
• Detination filename: http_status.csv
Verify lookup was created successfully
1. Create HTTP Status Table
1
2
3
| inputlookup http_status.csv

© 2017 SPLUNK INC.
Lookup definitions > Add new
• Name: http_status
• Type: File-based
• Lookup file: http_status.csv
Invoke the lookup manually
2. Add Lookup Definition
sourcetype=access_combined | lookup http_status
status OUTPUT status_description
1
2

© 2017 SPLUNK INC.
Automatic lookups > Add new
• Name: http_status (cannot have spaces)
• Lookup table: http_status
• Apply to: sourcetype = access_combined
• Lookup input field: status
• Lookup output field: status_description
Verify lookup is invoked automatically
3. Configure Automatic Lookup
1
2

© 2017 SPLUNK INC.
Geostats with iplocation enrichment
sourcetype=access*
| iplocation clientip
| geostats count by category_id
Hey! That looks
cool too! Add it to
your dashboard

© 2017 SPLUNK INC.
Answers
• Answers
• User Groups
• Splunkbase
• Blogs
• Developers
• Documentation
• Education
• SplunkLive!
• .conf2017
• Schwag Store
• SplunkTrust

Thank You

Machine Data 101

More Related Content

What's hot

Similar to Machine Data 101

More from Splunk

Recently uploaded

Machine Data 101