Copyright © 2015 Splunk Inc.
Power of Splunk
Search Processing Language
(SPL™)
Brian Heffernan, CISSP
heff@splunk.com
About Me
• My name is Brian Heffernan and I have Splunked:
• BBQ Smokers - predicted cook times
• Nest Thermostats
• Alerts when my wife turns on the heat
• Children’s Browsing History
• Splunking for 4+ years
• Northeastern University
Rules & Agenda
Goal: Get Gooder!
• Ask questions - there will be prizes
• Don’t take notes - I will provide slides
• No texting and searching
• No sleeping - I will make fun of you.
• Overview & Anatomy of a Search
– Quick refresher on search language and structure
• SPL Commands and Examples
– Doing More with Less
– Searching, charting, converging, transactions, anomalies, exploring
• Custom Commands
– Doing Less with More
– Extend the capabilities of SPL
• Q&A
SPL Overview
● Over 140 search commands
● Syntax was originally based upon the Unix pipeline and SQL, and is optimized for time series data
● The scope of SPL includes data searching, filtering, modification, manipulation, enrichment, insertion and deletion
● Includes anomaly detection and machine learning
Why Create a New Query Language?
● Flexibility and effectiveness on small and big data
● Late-binding schema
● More/better methods of correlation
● Not just analyze, but visualize
SPL Basic Structure
search and filter | munge | report | cleanup
sourcetype=access*
| eval KB=bytes/1024
| stats sum(KB) dc(clientip)
| rename sum(KB) AS "Total KB" dc(clientip) AS "Unique Customers"
Bonus points: new pipe = new line + space + pipe
SPL Examples
SPL Examples and Recipes
● Search and filter + creating/modifying fields
● Charting statistics and predicting values
● Converging data sources
● Identifying transactions and anomalies
● Data exploration & finding relationships between fields
Search and Filter
Examples
● Keyword search:
sourcetype=access* http
● Filter:
sourcetype=access* http host=webserver-02
● Combined:
sourcetype=access* http host=webserver-02 (503 OR 504)
● Combined, with the codes pinned to the status field (a bare 503 also matches a URI or byte count that happens to contain it):
sourcetype=access* http host=webserver-02 (status=503 OR status=504)
Eval – Modify or Create New Fields and Values
Examples
● Calculation:
sourcetype=access*
| eval KB=bytes/1024
● Evaluation:
sourcetype=access*
| eval http_response = if(status != 200, "Error", "OK")
● Concatenation:
sourcetype=access*
| eval connection = device."-".clientip
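The search-and-filter, eval and stats stages of the basic structure above, as an added Python example (not the deck's or Splunk's own code): it extracts fields from a few constructed access_combined lines, shows why a bare `(503 OR 504)` matches more events than `(status=503 OR status=504)`, and runs the KB/dc(clientip) pipeline from the basic-structure slide. Field and function names are mine.

```python
import re

# Constructed access_combined-style events (not from the slides). The field
# names mirror the extractions Splunk makes for that sourcetype.
SAMPLE_LINES = [
    '10.0.0.1 - - [10/Oct/2015:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2048',
    '10.0.0.2 - - [10/Oct/2015:13:55:40 -0700] "GET /api/v1/orders HTTP/1.1" 503 512',
    '10.0.0.3 - - [10/Oct/2015:13:55:41 -0700] "GET /report-503.pdf HTTP/1.1" 200 4096',
    '10.0.0.1 - - [10/Oct/2015:13:55:45 -0700] "POST /checkout HTTP/1.1" 504 503',
    '10.0.0.4 - - [10/Oct/2015:13:55:50 -0700] "GET /index.html HTTP/1.1" 200 1024',
]

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse(line):
    """Field extraction for one event; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_raw"] = line
    ev["status"] = int(ev["status"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def keyword_match(ev, term):
    """A bare term such as 503 matches anywhere in the raw event text."""
    return term in ev["_raw"]


def field_match(ev, field, value):
    """A field-qualified term such as status=503 matches only that extracted field."""
    return str(ev.get(field)) == str(value)


def search(events, predicate):
    """The search-and-filter stage: keep events for which the predicate holds."""
    return [ev for ev in events if predicate(ev)]


def eval_fields(events):
    """The munge stage: eval KB=bytes/1024 and http_response=if(status!=200, Error, OK)."""
    for ev in events:
        ev["KB"] = ev["bytes"] / 1024
        ev["http_response"] = "Error" if ev["status"] != 200 else "OK"
    return events


def stats_sum_dc(events):
    """Report and cleanup: stats sum(KB) dc(clientip), renamed as on the slide."""
    total_kb = sum(ev["KB"] for ev in events)
    unique_clients = len({ev["clientip"] for ev in events})
    return {"Total KB": total_kb, "Unique Customers": unique_clients}


def pipeline(lines):
    """sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) dc(clientip) | rename ..."""
    events = [ev for ev in map(parse, lines) if ev is not None]
    return stats_sum_dc(eval_fields(events))


def count_bare(lines, terms):
    """... (503 OR 504): how many events a bare-keyword OR matches."""
    events = [ev for ev in map(parse, lines) if ev is not None]
    return len(search(events, lambda ev: any(keyword_match(ev, t) for t in terms)))


def count_field(lines, field, values):
    """... (status=503 OR status=504): how many events the field-qualified OR matches."""
    events = [ev for ev in map(parse, lines) if ev is not None]
    return len(search(events, lambda ev: any(field_match(ev, field, v) for v in values)))


if __name__ == "__main__":
    print("bare (503 OR 504):", count_bare(SAMPLE_LINES, ["503", "504"]))
    print("status=503 OR status=504:", count_field(SAMPLE_LINES, "status", [503, 504]))
    print(pipeline(SAMPLE_LINES))
```

The bare form also catches `/report-503.pdf` and a 503-byte response, which is exactly the kind of false positive that makes an error-rate alert noisy.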
Eval – Just Getting Started!
Splunk Search Quick Reference Guide
Stats, Chart, Timechart
Stats – Calculate Statistics Based on Field Values
Examples
● Calculate stats and rename
sourcetype=netapp:perf
| stats avg(read_ops) AS "Read OPs"
● Multiple statistics
sourcetype=netapp:perf
| stats avg(read_ops) AS Read_OPs sparkline(avg(read_ops)) AS Read_Trend
● By another field
sourcetype=netapp:perf
| stats avg(read_ops) AS Read_OPs sparkline(avg(read_ops)) AS Read_Trend BY instance
Timechart – Visualize Statistics Over Time
Examples
● Visualize stats over time
sourcetype=netapp:perf
| timechart avg(read_ops)
● Add a trendline
sourcetype=netapp:perf
| timechart avg(read_ops) AS read_ops
| trendline sma5(read_ops)
● Add a prediction overlay
sourcetype=netapp:perf
| timechart avg(read_ops) AS read_ops
| predict read_ops
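What `timechart avg(read_ops)` followed by `trendline sma5(read_ops)` computes, as an added Python stand-in (not the deck's or Splunk's own code): events are bucketed by a fixed span, averaged per bucket, and a 5-point simple moving average is laid over the series. The sample readings and the 60-second span are constructed assumptions.

```python
from collections import defaultdict

# Constructed netapp:perf-style samples as (epoch seconds, read_ops); not from the slides.
SAMPLES = [
    (0, 100), (10, 120), (20, 140),      # bucket 0   -> avg 120
    (60, 200), (70, 220),                # bucket 60  -> avg 210
    (120, 300),                          # bucket 120 -> 300
    (180, 400), (190, 380), (200, 420),  # bucket 180 -> avg 400
    (240, 500),                          # bucket 240 -> 500
    (300, 900),                          # bucket 300 -> 900 (a spike)
    (360, 600),                          # bucket 360 -> 600
]


def timechart_avg(samples, span=60):
    """| timechart span=60s avg(read_ops) AS read_ops
    Returns [(bucket_start, average)] in time order."""
    buckets = defaultdict(list)
    for t, v in samples:
        buckets[(t // span) * span].append(v)
    return [(b, sum(vs) / len(vs)) for b, vs in sorted(buckets.items())]


def trendline_sma(series, window=5):
    """| trendline sma5(read_ops): simple moving average over the last `window` buckets.
    Until `window` buckets exist there is no trend value (None here)."""
    out = []
    for i, (b, v) in enumerate(series):
        if i + 1 < window:
            out.append((b, v, None))
        else:
            recent = [x for _, x in series[i + 1 - window:i + 1]]
            out.append((b, v, sum(recent) / window))
    return out


def chart_with_trend(samples, span=60, window=5):
    """The whole pipeline: timechart, then trendline on the charted field."""
    return trendline_sma(timechart_avg(samples, span), window)


if __name__ == "__main__":
    for bucket, avg, sma in chart_with_trend(SAMPLES):
        print(f"{bucket:>4}s  read_ops={avg:6.1f}  sma5={'' if sma is None else f'{sma:.1f}'}")
```

Note how the 900-ops spike moves the smoothed line only from 306 to 462: the trendline is what you alert on when you want sustained change rather than a single noisy bucket.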
Stats/Timechart – But Wait, There’s More!
Splunk Search Quick Reference Guide
Converging Data Sources
Index Untapped Data: Any Source, Type, Volume
[Figure: data sources feeding Splunk (online services, web services, servers, security, GPS location, storage, desktops, networks, packaged and custom applications, messaging, telecoms, online shopping carts, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID) from on-premises, private cloud and public cloud, and the questions asked of them: application delivery; security, compliance and fraud; IT operations; business analytics; industrial data and the Internet of Things.]
Converging Data Sources – Implicit Join, Lookup, Appendcols
Examples
● Implicit join on time
index=* http
| timechart count BY sourcetype
● Enrich data with lookup
sourcetype=access_combined status=503
| lookup customer_info uid
| stats count BY customer_value
● Append results from another search
… | appendcols [search earliest=-1h sourcetype=Kepware units=W row=A
| stats stdev(Value) AS hr_stdev] …
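The lookup and appendcols examples above, as an added Python stand-in (not the deck's or Splunk's own code). The customer_info table and the Kepware readings are constructed; the two behaviours worth knowing are shown explicitly: a lookup is a left join (events with no matching uid gain no customer_value and therefore drop out of `stats count BY customer_value`), and appendcols merges the subsearch's rows by position, not by any key.

```python
import csv
import io
import statistics
from collections import Counter

# Constructed customer_info lookup in CSV form, as Splunk lookup files are.
CUSTOMER_INFO_CSV = """uid,customer_value
u100,gold
u200,silver
u300,gold
"""

# Constructed access_combined events already filtered to status=503.
EVENTS_503 = [
    {"uid": "u100", "status": 503},
    {"uid": "u300", "status": 503},
    {"uid": "u100", "status": 503},
    {"uid": "u999", "status": 503},  # no row in the lookup: stays unenriched
]

# Constructed Kepware units=W row=A readings for the appendcols subsearch.
KEPWARE_VALUES = [10.0, 12.0, 11.0, 13.0, 14.0]


def load_lookup(csv_text, key):
    """Index a lookup CSV by its key column: {uid: {other_field: value}}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row[key]] = {k: v for k, v in row.items() if k != key}
    return table


def lookup(events, table, key):
    """| lookup customer_info uid  (left join; unmatched events are left untouched)."""
    for ev in events:
        ev.update(table.get(ev.get(key), {}))
    return events


def stats_count_by(events, field):
    """| stats count BY <field>  (events missing the field contribute nothing)."""
    return dict(Counter(ev[field] for ev in events if field in ev))


def hr_stdev(values):
    """[search ... | stats stdev(Value) AS hr_stdev]: a one-row result.
    Splunk's stdev() is the sample standard deviation, as statistics.stdev is."""
    return [{"hr_stdev": statistics.stdev(values)}]


def appendcols(rows, subsearch_rows):
    """| appendcols [subsearch]: add the subsearch's columns to rows, matched by position."""
    out = []
    for i, row in enumerate(rows):
        merged = dict(row)
        if i < len(subsearch_rows):
            merged.update(subsearch_rows[i])
        out.append(merged)
    return out


def enrich_and_count(events, csv_text):
    """sourcetype=access_combined status=503 | lookup customer_info uid | stats count BY customer_value"""
    table = load_lookup(csv_text, "uid")
    return stats_count_by(lookup([dict(ev) for ev in events], table, "uid"), "customer_value")


if __name__ == "__main__":
    counts = enrich_and_count(EVENTS_503, CUSTOMER_INFO_CSV)
    print("count BY customer_value:", counts)
    rows = [{"customer_value": k, "count": v} for k, v in counts.items()]
    print("with appendcols:", appendcols(rows, hr_stdev(KEPWARE_VALUES)))
```

If the unmatched u999 events matter (they usually do in a security search), give the lookup a default with `fillnull` or check `isnull(customer_value)` before the stats.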
Transaction – Group Related Events Spanning Time
Examples
● Group by session ID
sourcetype=access*
| transaction JSESSIONID
● Calculate session durations
sourcetype=access*
| transaction JSESSIONID
| stats min(duration) max(duration) avg(duration)
● Stats is better
sourcetype=access*
| stats min(_time) AS earliest max(_time) AS latest BY JSESSIONID
| eval duration=latest-earliest
| stats min(duration) max(duration) avg(duration)
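The "stats is better" pattern above, as an added Python example (not the deck's or Splunk's own code): session duration is recovered from per-JSESSIONID earliest/latest timestamps without ever materialising the grouped events, which is why the stats form scales where `transaction` has to hold every session in memory. The (JSESSIONID, _time) pairs are constructed.

```python
# Constructed (JSESSIONID, _time) pairs from access* events; not from the slides.
EVENTS = [
    ("S1", 1000), ("S2", 1005), ("S1", 1030),
    ("S1", 1100), ("S2", 1010), ("S3", 1200),
]


def session_bounds(events):
    """| stats min(_time) AS earliest max(_time) AS latest BY JSESSIONID
    One pass, constant memory per session: only the two timestamps are kept."""
    bounds = {}
    for sid, t in events:
        lo, hi = bounds.get(sid, (t, t))
        bounds[sid] = (min(lo, t), max(hi, t))
    return bounds


def durations(events):
    """| eval duration=latest-earliest   -> {JSESSIONID: seconds}
    A single-event session has duration 0, exactly as transaction reports it."""
    return {sid: hi - lo for sid, (lo, hi) in session_bounds(events).items()}


def duration_stats(events):
    """| stats min(duration) max(duration) avg(duration)"""
    d = list(durations(events).values())
    return {"min": min(d), "max": max(d), "avg": sum(d) / len(d)}


if __name__ == "__main__":
    print(durations(EVENTS))
    print(duration_stats(EVENTS))
```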
Anomaly Detection – Find anomalies in your data
Examples
● Find anomalies
| inputlookup car_data.csv
| anomalydetection
● Summarize anomalies
| inputlookup car_data.csv
| anomalydetection action=summary
● Use IQR and remove outliers
| inputlookup car_data.csv
| anomalydetection method=iqr action=remove
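The `method=iqr` variant above, as an added Python stand-in (not the deck's or Splunk's own code): rows whose value falls outside [Q1 - k·IQR, Q3 + k·IQR] are outliers, and the `action` switch reproduces the annotate/remove/summary behaviours. The car_data.csv rows, the k=1.5 multiplier, the quartile convention and the output field names are my assumptions.

```python
import csv
import io

# Constructed car_data.csv contents (not the lookup from the slides).
CAR_DATA_CSV = """car,mpg
a,21
b,22
c,23
d,24
e,25
f,26
g,27
h,80
"""


def load_rows(csv_text):
    """| inputlookup car_data.csv"""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _median(xs):
    m = len(xs) // 2
    return xs[m] if len(xs) % 2 else (xs[m - 1] + xs[m]) / 2


def quartiles(values):
    """Q1/Q3 as medians of the lower and upper halves (the overall median is
    excluded when n is odd). One common convention; Splunk's exact method is not assumed."""
    s = sorted(values)
    n = len(s)
    return _median(s[: n // 2]), _median(s[(n + 1) // 2:])


def iqr_fences(values, k=1.5):
    """Lower and upper fences: anything outside them is an outlier."""
    q1, q3 = quartiles(values)
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def iqr_outlier_flags(rows, field, k=1.5):
    """True for each row whose field value lies outside the fences."""
    vals = [float(r[field]) for r in rows]
    lo, hi = iqr_fences(vals, k)
    return [not (lo <= v <= hi) for v in vals]


def anomalydetection(rows, field, action="annotate", k=1.5):
    """Stand-in for | anomalydetection method=iqr action=<annotate|remove|summary>."""
    flags = iqr_outlier_flags(rows, field, k)
    if action == "remove":
        return [r for r, f in zip(rows, flags) if not f]
    if action == "summary":
        lo, hi = iqr_fences([float(r[field]) for r in rows], k)
        return {"num_events": len(rows), "num_anomalies": sum(flags),
                "lower_fence": lo, "upper_fence": hi}
    # annotate: keep every row and mark the outliers (is_outlier is my field name)
    return [dict(r, is_outlier=f) for r, f in zip(rows, flags)]


if __name__ == "__main__":
    rows = load_rows(CAR_DATA_CSV)
    print(anomalydetection(rows, "mpg", "summary"))
    print([r["car"] for r in anomalydetection(rows, "mpg", "remove")])
```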
Data Exploration
| analyzefields
| anomalies
| arules
| associate
| cluster
| contingency
| correlate
| fieldsummary
Cluster, Fieldsummary, Correlate, Contingency, Analyzefields – Exploring Your Data
Examples
● Find most/least common events
* | cluster showcount=t t=.1
| table _raw cluster_count
● Display a summary of fields
sourcetype=access_combined
| fields - date* source* time*
| fieldsummary maxvals=5
● Show patterns of co-occurring fields
sourcetype=access_combined
| fields - date* source* time*
| correlate
● View field relationships
sourcetype=access_combined
| contingency uri status
● Find predictors of fields
sourcetype=access_combined
| analyzefields classfield=status
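What `contingency uri status` produces, as an added Python example (not the deck's or Splunk's own code): a count matrix of every (uri, status) pair with row and column totals, which is the quickest way to spot a single endpoint that is collecting all the 401s. The (uri, status) pairs are constructed.

```python
from collections import Counter

# Constructed (uri, status) pairs from access_combined events; not from the slides.
EVENTS = [
    ("/login", 200), ("/login", 200), ("/login", 401), ("/login", 401), ("/login", 401),
    ("/api/orders", 200), ("/api/orders", 503), ("/index.html", 200),
]


def contingency(events):
    """| contingency uri status  -> {row_value: {col_value: count, "TOTAL": n}, "TOTAL": {...}}
    Rows are the first field's values, columns the second field's, plus totals."""
    counts = Counter(events)
    rows = sorted({r for r, _ in events})
    cols = sorted({c for _, c in events})
    table = {r: {c: counts[(r, c)] for c in cols} for r in rows}
    for r in rows:
        table[r]["TOTAL"] = sum(counts[(r, c)] for c in cols)
    table["TOTAL"] = {c: sum(counts[(r, c)] for r in rows) for c in cols}
    table["TOTAL"]["TOTAL"] = len(events)
    return table


def error_share(table):
    """Exploration step on top of the table: fraction of each uri's requests that were not 2xx."""
    share = {}
    for uri, cells in table.items():
        if uri == "TOTAL":
            continue
        bad = sum(n for status, n in cells.items() if status != "TOTAL" and not 200 <= status < 300)
        share[uri] = bad / cells["TOTAL"]
    return share


def render(table):
    """Plain-text view of the matrix, in the order Splunk lays it out (rows x columns)."""
    cols = [c for c in next(iter(table.values())).keys()]
    lines = ["uri".ljust(14) + "".join(str(c).rjust(7) for c in cols)]
    for r, cells in table.items():
        lines.append(str(r).ljust(14) + "".join(str(cells[c]).rjust(7) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    t = contingency(EVENTS)
    print(render(t))
    print(error_share(t))
```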
Custom Commands
● What is a Custom Command?
– | haversine origin="47.62,-122.34" outputField=dist lat lon
● Why do we use Custom Commands?
– Run other/external algorithms on your Splunk data
– Save time munging data (see Timewrap!)
– Because you can!
● Create your own or download as Apps
– Haversine (Distance between two GPS coordinates)
– Timewrap (Enhanced time overlay)
– Levenshtein (Fuzzy string compare)
– R Project (Utilize R!)
Custom Commands to the rescue!
Custom Commands – Haversine
Examples
● Download and install the Haversine app
● Read the documentation, then use it in SPL:
sourcetype=access*
| iplocation clientip
| search City=A*
| haversine origin="47.62,-122.34" units=mi outputField=dist lat lon
| table clientip, City, dist, lat, lon
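The work the haversine command does per event, as an added Python example (not the Haversine app's own code, which packages this kind of logic as a Splunk custom search command): the origin string is parsed, the great-circle distance to each event's lat/lon is written to the output field, and events without coordinates pass through untouched, as a streaming command must leave them. The Earth radii, the rounding and the sample events (shaped like `iplocation` output) are my assumptions.

```python
import math

# Earth radius per unit; the constants are my assumption, not the app's.
EARTH_RADIUS = {"km": 6371.0, "mi": 3958.8}


def haversine(lat1, lon1, lat2, lon2, units="km"):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS[units] * math.asin(math.sqrt(a))


def parse_origin(origin):
    """origin="47.62,-122.34"  ->  (47.62, -122.34); rejects anything that is not lat,lon."""
    parts = origin.split(",")
    if len(parts) != 2:
        raise ValueError(f"origin must be 'lat,lon', got {origin!r}")
    lat, lon = (float(p.strip()) for p in parts)
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError(f"origin out of range: {origin!r}")
    return lat, lon


def haversine_command(events, origin, units="km", output_field="dist",
                      lat_field="lat", lon_field="lon"):
    """Per-event semantics of | haversine origin=... units=mi outputField=dist lat lon
    Events lacking usable coordinates (iplocation found nothing) get no output field."""
    olat, olon = parse_origin(origin)
    for ev in events:
        try:
            lat, lon = float(ev[lat_field]), float(ev[lon_field])
        except (KeyError, TypeError, ValueError):
            continue
        ev[output_field] = round(haversine(olat, olon, lat, lon, units), 2)
    return events


# Constructed events as iplocation would leave them (City, lat, lon); not from the slides.
SAMPLE_EVENTS = [
    {"clientip": "198.51.100.7", "City": "Anchorage", "lat": 61.2181, "lon": -149.9003},
    {"clientip": "198.51.100.9", "City": "Atlanta", "lat": 33.7490, "lon": -84.3880},
    {"clientip": "198.51.100.11", "City": ""},  # no geolocation -> no dist field
]


if __name__ == "__main__":
    for ev in haversine_command(SAMPLE_EVENTS, origin="47.62,-122.34", units="mi"):
        print(ev["clientip"], ev["City"], ev.get("dist"))
```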
Tools
• Add Splunk Search to Chrome:
A quick way to look up a .conf file or a Splunk command directly from the Chrome search bar. Install the Chrome extension, then add the following search engines under Chrome/Settings/Manage Search Engines:
1. Add "Bookmark Search": https://chrome.google.com/webstore/detail/bookmark-search/hhmokalkpaiacdofbcddkogifepbaijk?utm_source=gmail
2. Add the following search engines:
Splunk Apps SA: https://splunkbase.splunk.com/apps/#/order/relevance/search/%s
Splunk Conf SC: http://docs.splunk.com/Documentation/Splunk/latest/admin/%sconf
Splunk Search Commands SS: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/%s
Splunk Docs SD: http://docs.splunk.com/Special:SplunkSearch/docs?q=%s
Machine Learning Toolkit and Showcase
Examples
● Predict Numeric Fields
● Predict Categorical Fields
● Detect Numerical Outliers
● Detect Categorical Outliers
● Forecast Time Series
● Cluster Events
Splunk 6.x Dashboard Examples
For More Information
● Additional information can be found in:
– Search Manual
– Blogs
– Answers
– Operational Intelligence Cookbook
– Exploring Splunk
Thank you!

Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 

Power of SPL

  • 1. Copyright © 2015 Splunk Inc. Power of Splunk Search Processing Language (SPL™) Brian Heffernan, CISSP heff@splunk.com
  • 2. About Me • My name is Brian Heffernan and I have Splunked: • BBQ Smokers - predicted cook times • Nest Thermostats • Alerts when my wife turns on the heat • Children’s Browsing History • Splunking for 4+ years • Northeastern University
  • 3. Rules & Agendah Goal: Get Gooder! - Ask Questions - there will be prizes - Don’t take notes – I will provide slides - No texting and searching - No Sleeping – I will make fun of you. • Overview & Anatomy of a Search – Quick refresher on search language and structure • SPL Commands and Examples – Doing More with Less – Searching, charting, converging, transactions, anomalies, exploring • Custom Commands – Doing Less with More – Extend the capabilities of SPL • Q&A
  • 5. SPL Overview ● Over 140 search commands ● Syntax was originally based upon the Unix pipeline and SQL and is optimized for time series data ● The scope of SPL includes data searching, filtering, modification, manipulation, enrichment, insertion and deletion ● Includes anomaly detection and machine learning
  • 6. Why Create a New Query Language? ● Flexibility and effectiveness on small and big data ● Late-binding schema ● More/better methods of correlation ● Not just analyze, but visualize (figure: Data vs. BIG Data)
  • 7. SPL Basic Structure ● Stages: search and filter | munge | report | cleanup ● New pipe = new line + space + pipe ● The example assembled stage by stage: sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) dc(clientip) | rename sum(KB) AS "Total KB" dc(clientip) AS "Unique Customers"
  • 9. SPL Examples and Recipes ● Search and filter + creating/modifying fields ● Charting statistics and predicting values ● Converging data sources ● Identifying transactions and anomalies ● Data exploration & finding relationships between fields
  • 10. SPL Examples and Recipes (section: Search and filter + creating/modifying fields)
  • 11. Search and Filter Examples ● Keyword search: sourcetype=access* http ● Filter: sourcetype=access* http host=webserver-02 ● Combined, keyword form: sourcetype=access* http host=webserver-02 (503 OR 504) ● Combined, field form (matches only the status field, not a 503 or 504 that happens to appear anywhere else in the event, e.g. in a URI or a byte count): sourcetype=access* http host=webserver-02 (status=503 OR status=504)
  • 14. Eval – Modify or Create New Fields and Values Examples ● Calculation: sourcetype=access* | eval KB=bytes/1024 ● Evaluation: sourcetype=access* | eval http_response = if(status != 200, "Error", "OK") (note that this also labels 3xx redirects as Error; use status >= 400 if only client and server errors should count) ● Concatenation: sourcetype=access* | eval connection = clientip."-".device
  • 17. Eval – Just Getting Started! Splunk Search Quick Reference Guide
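Added example, not one of the deck's searches: the search, filter and eval pieces from the preceding slides chained into one pipeline that flags clients whose requests are mostly errors, which is how a vulnerability scanner or forced-browsing run looks in an access log. The sample events are constructed inline with makeresults so the search runs on any Splunk instance with no indexed data; the field names (clientip, status, bytes, KB, http_response) follow the deck, while the IP addresses, the status mix and the thresholds (at least 5 requests, at least 50% errors) are illustrative assumptions.

```spl
| makeresults count=30
| streamstats count AS n
| eval clientip = case(n % 5 = 0, "203.0.113.7", n % 5 = 1, "10.0.0.5", true(), "10.0.0.9")
| eval status = case(clientip = "203.0.113.7", if(n % 15 = 0, 200, 404), n % 7 = 0, 503, true(), 200)
| eval bytes = if(status = 200, 2048, 512)
| eval KB = bytes / 1024
| eval http_response = if(status >= 400, "Error", "OK")
| stats count AS total count(eval(http_response = "Error")) AS errors sum(KB) AS total_kb BY clientip
| eval error_pct = round(100 * errors / total, 1)
| where total >= 5 AND error_pct >= 50
| sort - error_pct
```

The first five lines only manufacture 30 events (one scanning address, two normal ones); against real data replace them with sourcetype=access* and keep the pipeline from the eval KB line onward. With the constructed events only 203.0.113.7 survives the where clause (6 requests, 4 errors, 66.7%, 6 KB); the two 10.0.0.x clients sit at 16.7% and are dropped. Two details worth copying: count(eval(...)) counts only the events where the condition holds, which is the idiomatic way to get a conditional count inside stats, and http_response tests status >= 400 so that redirects are not counted as errors.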
  • 18. SPL Examples and Recipes (section: Charting statistics and predicting values)
  • 20. Stats – Calculate Statistics Based on Field Values Examples ● Calculate stats and rename: sourcetype=netapp:perf | stats avg(read_ops) AS "Read OPs" ● Multiple statistics: sourcetype=netapp:perf | stats avg(read_ops) AS Read_OPs sparkline(avg(read_ops)) AS Read_Trend ● By another field (field names are case-sensitive, so it must be sourcetype, not Sourcetype): sourcetype=netapp:perf | stats avg(read_ops) AS Read_OPs sparkline(avg(read_ops)) AS Read_Trend BY instance
  • 23. Timechart – Visualize Statistics Over Time Examples ● Visualize stats over time: sourcetype=netapp:perf | timechart avg(read_ops) ● Add a trendline: sourcetype=netapp:perf | timechart avg(read_ops) AS read_ops | trendline sma5(read_ops) ● Add a prediction overlay: sourcetype=netapp:perf | timechart avg(read_ops) AS read_ops | predict read_ops
  • 26. Stats/Timechart – But Wait, There’s More! Splunk Search Quick Reference Guide
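Added example (not from the deck): trendline used as a moving baseline instead of only as a chart overlay. The constructed series has 24 hourly buckets of roughly 100 requests with one hour at 900; dividing each hour by the 5-hour simple moving average and keeping hours at 3x the baseline or more turns the timechart into a request-flood alert. The events are built with makeresults; the hourly volumes, the position of the spike and the 3x threshold are illustrative assumptions.

```spl
| makeresults count=24
| streamstats count AS n
| eval _time = relative_time(now(), "@h") - (24 - n) * 3600
| eval requests = if(n = 20, 900, 100 + (n % 3) * 10)
| timechart span=1h sum(requests) AS requests
| trendline sma5(requests) AS baseline
| eval ratio = round(requests / baseline, 2)
| where ratio >= 3
```

Only one row survives: the bucket four hours before the top of the current hour, with requests=900, baseline=268 and ratio=3.36. For real data replace the first four lines with the deck's sourcetype=access* search and use timechart span=1h count AS requests. Two caveats: sma5 includes the current bucket, so a spike inflates its own baseline and the ratio understates it slightly, and the first four buckets have no baseline yet, so their ratio is null and they drop out of the where clause rather than alerting.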
  • 27. SPL Examples and Recipes (section: Converging data sources)
  • 28. Converging Data Sources (figure) ● Index untapped data, any source, type, volume: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; on-premises, private cloud, public cloud ● Ask any question: application delivery; security, compliance, and fraud; IT operations; business analytics; industrial data and the Internet of Things
  • 29. Converging Data Sources Examples (implicit join, lookup, appendcols) ● Implicit join on time: index=* http | timechart count BY sourcetype ● Enrich data with lookup: sourcetype=access_combined status=503 | lookup customer_info uid | stats count BY customer_value ● Append results from another search: … | appendcols [search earliest=-1h sourcetype=Kepware units=W row=A | stats stdev(Value) AS hr_stdev] …
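Added example, not part of the deck: the lookup slide assumes a lookup table is already defined. When the enrichment data lives in another index instead (an asset inventory, a DHCP log), the same convergence is done by appending that source and collapsing on the shared key with stats values() BY, which is the usual alternative to join. Both sources are constructed inline with makeresults; the IP addresses, the asset owners and the source_type marker field are illustrative assumptions, and clientip is the join key from the deck's access_combined examples.

```spl
| makeresults count=6
| streamstats count AS n
| eval clientip = case(n % 3 = 0, "203.0.113.7", n % 3 = 1, "10.0.0.5", true(), "10.0.0.9")
| eval status = if(n <= 4, 503, 200)
| eval source_type = "web"
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval clientip = if(n = 1, "10.0.0.5", "10.0.0.9")
     | eval asset_owner = if(n = 1, "payments", "marketing")
     | eval source_type = "cmdb"]
| stats count(eval(source_type = "web" AND status = 503)) AS errors_503 values(asset_owner) AS asset_owner BY clientip
| eval asset_owner = coalesce(asset_owner, "unknown - not in inventory")
| where errors_503 > 0
| sort - errors_503
```

The three rows come out as 10.0.0.5 (2 errors, payments), 10.0.0.9 (1, marketing) and 203.0.113.7 (1, unknown - not in inventory). The unknown case is the one a SOC cares about: an address producing server errors with no inventory record is exactly what a lookup with a default value would silently hide, so the coalesce deliberately labels it rather than blanking it. Two caveats: append runs the bracketed search as a subsearch and is subject to its limits (by default 50,000 results and 60 seconds, after which results are truncated), and values() de-duplicates, so a key mapped to two owners in the inventory shows both values in one cell.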
  • 32. SPL Examples and Recipes (section: Identifying transactions and anomalies)
  • 33. Transaction – Group Related Events Spanning Time Examples ● Group by session ID: sourcetype=access* | transaction JSESSIONID ● Calculate session durations: sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration) ● Stats is better (it runs distributed on the indexers and is not bound by transaction's memory and maxevents limits, which silently split or drop long sessions): sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest BY JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration)
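Added example (not from the deck): the stats form of session grouping, extended with the per-session facts a security reviewer wants next to the duration: request count, number of distinct client addresses and the addresses themselves, so a session cookie that is suddenly presented from a second IP stands out. Three sessions are constructed inline with makeresults; the JSESSIONID values, the IP addresses and the one-minute spacing are illustrative assumptions, the field names follow the deck.

```spl
| makeresults count=9
| streamstats count AS n
| eval _time = relative_time(now(), "-1h") + n * 60
| eval JSESSIONID = case(n <= 4, "SD1A2B", n <= 7, "SD3C4D", true(), "SD5E6F")
| eval clientip = case(n = 7, "203.0.113.7", n <= 4, "10.0.0.5", true(), "10.0.0.9")
| stats min(_time) AS earliest max(_time) AS latest count AS requests dc(clientip) AS src_count values(clientip) AS src_ips BY JSESSIONID
| eval duration = latest - earliest
| eval flag = if(src_count > 1, "session presented from multiple source IPs", null())
| fieldformat earliest = strftime(earliest, "%H:%M:%S")
| fieldformat latest = strftime(latest, "%H:%M:%S")
| table JSESSIONID src_ips src_count requests earliest latest duration flag
```

SD3C4D is the session to look at: three requests over 120 seconds from two source addresses (10.0.0.9, then 203.0.113.7), so it is the only row with the flag set; SD1A2B spans 180 seconds from one address and SD5E6F 60 seconds from one address. transaction JSESSIONID maxspan=30m would build the same groups, but it does so on the search head holding every open group in memory, whereas this stats form is distributed to the indexers and only keeps the aggregates, which is why the deck says "stats is better". What you give up is the raw event list per session; use transaction only when you actually need that.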
  • 36. Anomaly Detection – Find anomalies in your data Examples ● Find anomalies: | inputlookup car_data.csv | anomalydetection ● Summarize anomalies: | inputlookup car_data.csv | anomalydetection action=summary ● Use IQR and remove outliers: | inputlookup car_data.csv | anomalydetection method=iqr action=remove
  • 37. SPL Examples and Recipes (section: Data exploration & finding relationships between fields)
  • 38. Data Exploration | analyzefields | anomalies | arules | associate | cluster | contingency | correlate | fieldsummary
  • 39. Exploring Your Data Examples (cluster, fieldsummary, correlate, contingency, analyzefields) ● Find most/least common events: * | cluster showcount=t t=.1 | table _raw cluster_count ● Display summary of fields: sourcetype=access_combined | fields - date* source* time* | fieldsummary maxvals=5 ● Show patterns of co-occurring fields: sourcetype=access_combined | fields - date* source* time* | correlate ● View field relationships: sourcetype=access_combined | contingency uri status ● Find predictors of fields: sourcetype=access_combined | analyzefields classfield=status
  • 45. Custom Commands ● What is a Custom Command? – "| haversine origin="47.62,-122.34" outputField=dist lat lon" ● Why do we use Custom Commands? – Run other/external algorithms on your Splunk data – Save time munging data (see Timewrap!) – Because you can! ● Create your own or download as Apps – Haversine (Distance between two GPS coordinates) – Timewrap (Enhanced time overlay) – Levenshtein (Fuzzy string compare) – R Project (Utilize R!)
  • 46. Custom Commands to the rescue!
  • 47. Custom Commands – Haversine Examples ● Download and install the Haversine app ● Read the documentation, then use it in SPL: sourcetype=access* | iplocation clientip | search City=A* | haversine origin="47.62,-122.34" units=mi outputField=dist lat lon | table clientip, City, dist, lat, lon
  • 49. Tools ● Add Splunk Search to Chrome: a quick way to search for a .conf file or a Splunk command directly from the Chrome search bar. Install the Chrome extension, then add the following search engines under Chrome/Settings/Manage Search Engines. 1. Add "Bookmark Search": https://chrome.google.com/webstore/detail/bookmark-search/hhmokalkpaiacdofbcddkogifepbaijk?utm_source=gmail 2. Add the following search engines (keyword in parentheses): Splunk Apps (SA): https://splunkbase.splunk.com/apps/#/order/relevance/search/%s ● Splunk Conf (SC): http://docs.splunk.com/Documentation/Splunk/latest/admin/%sconf ● Splunk Search Commands (SS): http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/%s ● Splunk Docs (SD): http://docs.splunk.com/Special:SplunkSearch/docs?q=%s
  • 51. Machine Learning Toolkit and Showcase Examples ● Predict Numeric Fields ● Predict Categorical Fields ● Detect Numerical Outliers ● Detect Categorical Outliers ● Forecast Time Series ● Cluster Events
  • 53. For More Information ● Additional information can be found in: – Search Manual – Blogs – Answers – Operational Intelligence Cookbook – Exploring Splunk

Editor's Notes

  1. This presentation has some animations and content to help tell stories as you go. Feel free to change ANY of this to your own liking! I found it is best to pre-load all of the demo dashboards with the search examples instead of clicking on each picture (link to the search) from the slides and moving between the PowerPoint presentation and a Splunk demo instance too frequently. I would definitely practice your flow once or twice before a presentation. There is A LOT of content to get through in 1 hour. The slides with search examples can be unhidden if needed. Here is what you need for this presentation: You should have the following installed: 6.3 Overview App - https://splunkbase.splunk.com/app/2828/ OI Demo 3.1 – Get it from box: https://splunk.box.com/s/vlt3qve9hmil8gsgxjouizjceu8h33uf Optional: Splunk Search Reference Guide handouts Mini buttercups or other prizes to give out for answering questions during the presentation
  2. Add your own About Me info, if you want to include.
  3. “There are tons of EVAL commands to help you shape or manipulate your data the way you want it.” Optional <Click on image to go to show and scroll through online quick reference guide>
  4. Next we’ll talk about Splunk’s charting and statistical commands. Notes: Stats Timechart Trendline Predict Add streamstats and eventstats or keep simple?
  5. There are 3 commands that are the basis of calculating statistics and visualizing results. Essentially chart is just stats visualized, and timechart is stats by _time visualized. These SPL commands are extremely powerful and easy to use. “Let’s go through some examples – additionally we’ll make it more interesting and pull apart some searches and visualizations from one of the demos you saw on stage.” <Go to IT Ops Visibility, click on Storage indicator>
     1. Use Read/Write OPs by instance for STATS, bonus w/ sparkline
     2. Use Read/Write OPs for TIMECHART
  6. Walk through predict’s basic options. “The timechart command plus other SPL commands make it very easy to visualize your data any way you want.”
  7. “Again, don’t forget about the quick reference guide. There are many more statistical functions you can use with these commands on your data.”
  8. “The contingency command is used to look for relationships between two fields. Basically, for these two fields, how many different value combinations are there, what are they, and which are most common?”
     sourcetype=access_combined | contingency uri status
  9. Depending on remaining time, can show 1 or more custom command examples. “We’ve gone over a variety of Splunk search commands... but what happens when we can’t find a command that fits our needs, OR want to use a complex algorithm someone already wrote, OR even create your own?? Enter Custom Commands.” Additional text: Splunk's search language includes a wide variety of commands that you can use to get what you want out of your data and even to display the results in different ways. You have commands to correlate events and calculate statistics on your results, evaluate fields and reorder results, reformat and enrich your data, build charts, and more. Still, Splunk enables you to expand the search language to customize these commands to better meet your needs or to write your own search commands for custom processing or calculations.
  10. <This slide can be optional; again, feel free to use your own story> Customer Story: “A while back I was working on a project where I was Splunking live aircraft data. I was doing a demonstration with both my manager and customers where I was showing real-time movement of aircraft. In the middle of the presentation the customer asked me if they could see the real-time distance between any two aircraft, or even the airport. While I had lat/lon as fields, I knew I couldn’t write an accurate distance algorithm in a timely manner. I quickly searched “distance” in Splunkbase just for the heck of it and, whaddya know, there was a custom command for it called Haversine. I asked if the audience would give me 5 minutes – downloaded the app and plugged in my lat/lon fields for two different planes, just like a regular search command.” Click #2: “This was my manager’s reaction.” Click #3: “And this was what was going through the customer’s head.”
  11. Let’s see Haversine in action. <Pull up search>
  12. *Note – The coordinates of origin in this Haversine example are currently “Seattle”.
  13. If you want to learn more about Data Science, Exploration and Machine Learning, download the Machine Learning App! You’ll use new SPL commands like “fit” and “apply” to train models on data in Splunk. New SPL commands: fit, apply, summary, listmodels, and deletemodel.
     * Predict Numeric Fields (Linear Regression): e.g. predict median house values.
     * Predict Categorical Fields (Logistic Regression): e.g. predict customer churn.
     * Detect Numeric Outliers (distribution statistics): e.g. detect outliers in IT Ops data.
     * Detect Categorical Outliers (probabilistic measures): e.g. detect outliers in diabetes patient records.
     * Forecast Time Series: e.g. forecast data center growth and capacity planning.
     * Cluster Events (K-means, DBSCAN, Spectral Clustering, BIRCH).
  14. References: a little about each.
  15. TBD
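The relationship described in note 5 (chart is stats visualized, timechart is stats by _time visualized) and the `contingency uri status` search in note 8 are easier to reason about once you see what each command actually computes. The following Python is an added example written for this page; it is not Splunk's implementation and not the presenter's code. It parses a few constructed access_combined lines (the field names clientip, uri, status, bytes and _time follow the page's own examples) and reproduces the results of `stats count by uri status`, `timechart span=60s count by status`, and `contingency uri status`.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events in Apache access_combined layout (not real traffic).
SAMPLE_EVENTS = """\
10.0.0.5 - - [12/Mar/2015:10:00:01 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:10:00:07 +0000] "POST /login HTTP/1.1" 302 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2015:10:00:15 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.40"
10.0.0.9 - - [12/Mar/2015:10:00:16 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.40"
10.0.0.9 - - [12/Mar/2015:10:01:02 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.40"
10.0.0.7 - - [12/Mar/2015:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2015:10:01:45 +0000] "GET /missing HTTP/1.1" 404 300 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:10:02:10 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Field extraction for access_combined; Splunk does the same at search time.
LINE_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_events(text):
    """Turn raw lines into field dictionaries with a parsed _time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: Splunk would still index it, but without these fields
        ev = m.groupdict()
        ev["_time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
        events.append(ev)
    return events


def stats_count_by(events, *fields):
    """Equivalent of `| stats count by f1 f2 ...`: one row per distinct value combination."""
    return Counter(tuple(ev[f] for f in fields) for ev in events)


def timechart_count_by(events, span_seconds, field):
    """Equivalent of `| timechart span=<N>s count by <field>`: bucket on _time, then split by field."""
    table = defaultdict(Counter)
    for ev in events:
        epoch = int(ev["_time"].timestamp())
        bucket = epoch - (epoch % span_seconds)  # floor to the span boundary
        table[bucket][ev[field]] += 1
    return {
        datetime.fromtimestamp(b, tz=timezone.utc).strftime("%H:%M"): dict(c)
        for b, c in sorted(table.items())
    }


def contingency(events, row_field, col_field):
    """Equivalent of `| contingency row_field col_field`: a matrix of how often each pair co-occurs."""
    counts = stats_count_by(events, row_field, col_field)
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    return {r: {c: counts.get((r, c), 0) for c in cols} for r in rows}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("stats:", stats_count_by(evs, "uri", "status"))
    print("timechart:", timechart_count_by(evs, 60, "status"))
    print("contingency:", contingency(evs, "uri", "status"))
```

Reading the contingency output, the row for /admin has all of its hits in the 403 column while /login spreads across 200 and 302; that skew is exactly the kind of relationship the command surfaces, and it is the cue to drill back into the raw events for that uri and clientip before deciding whether it is misconfiguration or something to alert on.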
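Notes 10 to 12 describe a custom command (Haversine from Splunkbase) that adds a great-circle distance field to each event from its lat/lon fields. The Python below is an added model of that idea for this page: it is not the Splunkbase app's code and not the presenter's search. The haversine formula itself is the standard one; the Earth radius constant, the field names lat, lon and distance_km, the Seattle origin coordinates and the aircraft positions are all assumptions or constructed values.

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius (assumption; the real command's constant may differ)

# Constructed origin: approximate coordinates for Seattle, the origin named in note 12.
SEATTLE = (47.6062, -122.3321)

# Constructed aircraft positions (not real flight data). The third event has a blank lat
# so that the command's behaviour on an event it cannot compute is visible.
SAMPLE_POSITIONS = [
    {"callsign": "ACFT1", "lat": "47.4502", "lon": "-122.3088"},
    {"callsign": "ACFT2", "lat": "45.5898", "lon": "-122.5951"},
    {"callsign": "ACFT3", "lat": "", "lon": "-122.0"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def add_distance_field(events, origin=SEATTLE, lat_field="lat", lon_field="lon",
                       out_field="distance_km"):
    """Model of a streaming custom command: every event passes through and gains one field.

    Like an eval that cannot be computed, an event with a missing or malformed coordinate
    keeps flowing with the new field empty (None) instead of aborting the whole search.
    """
    olat, olon = origin
    out = []
    for ev in events:
        try:
            lat, lon = float(ev[lat_field]), float(ev[lon_field])
        except (KeyError, ValueError):
            out.append(dict(ev, **{out_field: None}))
            continue
        out.append(dict(ev, **{out_field: round(haversine_km(olat, olon, lat, lon), 1)}))
    return out


if __name__ == "__main__":
    for row in add_distance_field(SAMPLE_POSITIONS):
        print(row["callsign"], row["distance_km"])
```

The point of the `add_distance_field` wrapper is the streaming shape: one event in, one event out with an extra field, which is why the presenter could drop the command into a search exactly where an eval would go.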
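Note 13 lists "Detect Numeric Outliers (distribution statistics)" as one of the Machine Learning App showcases, with IT Ops data as the example. The Python below is an added illustration of that distribution-statistics approach for this page; it is not the toolkit's own algorithm and not the presenter's code. It uses the interquartile range, which is robust to the very spike it is looking for, and the read-ops values are constructed to resemble the Read/Write OPs series from the storage demo in note 5.

```python
import statistics

# Constructed per-minute read-ops values for one storage instance; the 980 is the
# planted outlier. Not real IT Ops data.
SAMPLE_READ_OPS = [120, 118, 125, 122, 119, 121, 130, 117, 123, 980, 124, 120]


def iqr_fences(values, k=1.5):
    """Lower and upper fences Q1 - k*IQR and Q3 + k*IQR (Tukey's rule).

    Quartiles come from the sample itself, so a single spike barely moves them; a
    mean-and-standard-deviation rule would have its threshold dragged up by the spike.
    """
    q = statistics.quantiles(values, n=4, method="inclusive")  # q[0] = Q1, q[2] = Q3
    q1, q3 = q[0], q[2]
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def detect_numeric_outliers(values, k=1.5):
    """Return (index, value) pairs outside the fences, plus the fences themselves.

    The fences are returned so that a dashboard can draw the bands, the way the
    showcase overlays its thresholds on the series.
    """
    lower, upper = iqr_fences(values, k)
    flagged = [(i, v) for i, v in enumerate(values) if v < lower or v > upper]
    return flagged, lower, upper


if __name__ == "__main__":
    flagged, lower, upper = detect_numeric_outliers(SAMPLE_READ_OPS)
    print("fences:", lower, upper)
    print("outliers:", flagged)
```

With the sample series the fences land at 113 and 131, so the 130 reading stays inside while the 980 reading is flagged; raising k widens the band for noisy metrics and lowering it tightens it, which is the tuning knob worth exposing in a dashboard rather than hard-coding.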