SlideShare a Scribd company logo

SplunkLive! Zurich 2018: Getting Started & Hands On

Download as PPTX, PDF
Splunk
Splunk

This presentation introduces Splunk, an industry-leading platform for analyzing machine data. It provides an overview of Splunk capabilities including searching, dashboards, alerts and analytics. It then demonstrates how to install Splunk and import sample data, and provides examples of common searches over the data including filtering by status codes, visualizing results with charts, and performing field extractions. The presentation concludes with information on resources for learning more about Splunk.

1 of 66
SplunkLive! Dirk Beerbohm | Senior Sales Engineer
Set Up Before You Can Play Download the following at splunk.com ▶ Splunk Enterprise: • https://www.splunk.com/download ▶ Tutorial Data: • http://splk.it/2ey34P8 ▶ Search Tutorial • http://splk.it/2ePSYKB
Getting Started With Splunk Enterprise
© 2018 SPLUNK INC. 1. Splunk Overview 2. Using Splunk – Live Demonstration/Walk-Through • Installing & Onboarding Data • Searching • Field Extraction • Dashboards • Alerting • Analytics 3. Wrap-up/Q&A Agenda
Big Data Comes From Machines Volume | Velocity | Variety | Variability GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops Splunk’s Mission: Make machine data accessible, usable, and valuable to everyone
What Does Machine Data Look Like? Order Processing Twitter Care IVR Middleware Error ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} SOURCES
Machine Data Contains Critical Insights Order Processing Twitter Care IVR Middleware Error Customer ID Order ID ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} Order ID Customer’s Twitter ID Customer ID Customer ID Time waiting on hold Customer’s Tweet Company’s Twitter ID Product ID SOURCES
Machine Data Contains Critical Insights SOURCES Order Processing Twitter Care IVR Middleware Error Customer ID Order ID ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} Order ID Customer’s Twitter ID Customer ID Customer ID Time waiting on hold Customer’s Tweet Company’s Twitter ID Product ID
Industry Leading Platform For Machine Data Custom dashboards Report and analyze Monitor and alert Developer Platform Ad hoc search On-Premises Private Cloud Public Cloud Storage Online Shopping Cart Telecoms Desktops Security Web Services Networks Containers Web Clickstreams RFID Smartphones and Devices Servers Messaging GPS Location Packaged Applications Custom Applications Online Services DatabasesCall Detail Records Energy MetersFirewall Intrusion Prevention Platform Support (Apps / API / SDKs) Enterprise Scalability Universal Indexing Machine Data: Any Location, Type, Volume Answer Any Question Any Amount, Any Location, Any Source No back-end database Schema on-the-fly No need to filter data Quick time to value Agile reporting and analytics Real-time architecture
Installing and Using Splunk Live Demonstration & Walk-Through
Set Up Before You Can Play Get the following at splunk.com ▶ Splunk Enterprise: • https://www.splunk.com/download ▶ Tutorial Data: • http://splk.it/2ey34P8 ▶ Search Tutorial • http://splk.it/2ePSYKB
▶ IMPORT THE ZIP FILE, not individual files within it: http://www.splunkbook.com (sample data is located under ‘related links’ section – *same tutorialdata.zip from first page) ▶ Log in to Splunk – http://127.0.0.1:8000 username=admin password=changeme ▶ To add the file to Splunk: • Click Add Data • Click Upload files from my computer • Drag and drop your sample data zip file • Review and finish Getting Data Into Splunk We will import sample web e-commerce store events
▶ License expired (already had older version installed) • Close browser, empty cache, open browser. If that doesn’t work: • Stop Splunk • Uninstall all Splunk versions • Windows Control Panel->Uninstall programs->Splunk • OS X. Finder->Applications->Right click Splunk, Move to trash • Reinstall • Start Splunk ▶ Can’t start Splunk • Windows, Search Control panel ->Services->Splunk start • Linux; cd <SPLUNK dir>/splunk/bin;./splunk start Common Problems at This Point
Let’s Dive In
© 2018 SPLUNK INC. ▶ See Slide Note at right about adding in step-by-step instructions here. Dashboard
▶ buttercupgames ▶ buttercupgames 400 ▶ buttercupgames 400 OR 500 ▶ buttercupgames status=400 OR status=500 ▶ buttercupgames status=400 OR status=500 | timechart count by status limit=10 ▶ buttercupgames status=* ▶ buttercupgames status=* | timechart count by status limit=10 ▶ buttercupgames status=* AND status!=200 | timechart count by status limit=10 ▶ index=* sourcetype=access_combined_wcookie Searches Used
▶ index=* sourcetype=access_combined_wcookie | top limit=20 browser_type (field extraction necessary) ▶ buttercupgames status!=200 ▶ buttercupgames status!=200 | stats count by status | where count > 100 ▶ buttercupgames status=* | iplocation clientip ▶ buttercupgames status=* | iplocation clientip | geostats count by action Searches Used (Continued)
▶ SplunkLive! Presentations • http://splunklive.splunk.com/presentations.html ▶ Documentation • http://www.splunk.com/base/Documentation ▶ Technical Support • http://www.splunk.com/support ▶ Videos • http://www.splunk.com/videos ▶ Education • http://www.splunk.com/view/education/SP- CAAAAH9 ▶ Community • http://answers.splunk.com ▶ Splunk Book • http://splunkbook.com Time to Start SPLUNKING!!! Where do I go for help?
Thriving Community dev.splunk.com 75,000+ questions and answers 1,000+ apps Local user groups and SplunkLive! events
▶Save the Date 2018 October 1-4, 2018 ▶ 8,750+ Splunk Enthusiasts ▶ 300+ Sessions ▶ 100+ Customer Speakers Plus Splunk University: ▶ Three Days: September 29-October 1, 2018 ▶ Get Splunk Certified for FREE! ▶ Get CPE credits for CISSP, CAP, SSCP Walt Disney World Swan and Dolphin Resort in Orlando conf .splunk.com SAVE THE DATE!
Wrap-Up/Q&A
Thank You! Don't forget to rate this session on Pony Poll https://ponypoll.com/Zurich2018
▶ Splunk Usergroup Zürich ▶ Regular Splunk User get-togethers ▶ Frequent Splunk Ninja Presentations (D/E) ▶ Meetings throughout all major german speaking cities (not only Zurich) ▶ Amtssprache deutsch ▶ Not a sales thing ▶ Kick-off soon ▶ Join now: ▶ https://usergroups.splunk.com/group/splunk- user-group-zurich.html Splunk Usergroup Zurich http://bit.do/SPLUGZ
© 2018 SPLUNK INC. Don't forget to rate this session in the SplunkLive! mobile app Thank You
Appendix: Detailed Walk-Through
© 2018 SPLUNK INC. Download Splunk Enterprise for your OS and architecture.
© 2018 SPLUNK INC. Download tutorialdata.zip
© 2018 SPLUNK INC. With Firefox, Chrome or Safari – head to http://127.0.0.1:8000 User = admin Password = changeme
© 2018 SPLUNK INC. You’ve successfully installed Splunk and logged in! Let’s add the tutorialdata.zip via “Add Data.”
© 2018 SPLUNK INC. You can also “Add Data” from Settings at the top.
© 2018 SPLUNK INC. Click on upload.
© 2018 SPLUNK INC. Let’s drag tutorialdata.zip into “Drop your data file here.”
© 2018 SPLUNK INC. Click Next
© 2018 SPLUNK INC. Splunk can auto detect the source type. Let’s change host field to buttercup-web01, and then click Review.
© 2018 SPLUNK INC. Looks good, click Submit.
© 2018 SPLUNK INC. Let’s Start Searching our data.
© 2018 SPLUNK INC. We’re brought into a search with filters applied to search the data we just uploaded.
© 2018 SPLUNK INC. Let’s type “buttercupgames” in the search bar, and double-click into a bar on the histogram.
© 2018 SPLUNK INC. Notice the time picker changed with our drill into the histogram bar.
© 2018 SPLUNK INC. Given that this data is web access, let’s do a string search for 400, which is a “Bad Request” code. Notice that there are 188 events returned (number will vary for you).
© 2018 SPLUNK INC. Let’s also add 500 into the mix, and notice that my event count is higher now.
© 2018 SPLUNK INC. We can see the 400 and 500 status codes, but other status codes also show up in our results. That’s because the string search doesn’t explicitly search for status values – it’ll string match any event that contains “400” or “500.”
© 2018 SPLUNK INC. Let’s explicitly search for status codes equaling values we want to see returned.
© 2018 SPLUNK INC. Great, we’ve now returned all the events containing the two status codes we searched for. Click on “Top values by time,” which will build out a timechart for us.
© 2018 SPLUNK INC. Notice how our search query changed, there’s a | (pipe), and a timechart command added. The pipe followed by a command allows further operation on your filtered data set.
© 2018 SPLUNK INC. Let’s change our search to: buttercupgames status=* And – drill into one bar on the histogram.
© 2018 SPLUNK INC. Click on “top values by time” under the status field on the left, which will produce the timechart at right.
© 2018 SPLUNK INC. Let’s exclude 200 status codes by adding AND status!=200, and change Line to Column.
© 2018 SPLUNK INC. After changing from Line to Column, let’s Stack the results (middle stack under Stack Mode). Much better!
© 2018 SPLUNK INC. Let’s now save this to a dashboard, a place we can go to view this search without having to remember what we had just searched for. Click Save AS -> Dashboard Panel. Fill in, and click Save. Then, View dashboard.
© 2018 SPLUNK INC. Click on Search to get us back to our Search bar, and let’s key in: buttercupgames. Development wants to know what web browsers are being used to access the site, but no fields currently exist. No problem – let’s extract the browser field. Find an event that contains a value that you’re looking for, and click the “>” arrow just to the left of “Time.” The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.
© 2018 SPLUNK INC. Click Regular Expression (Splunk will build a regular expression to extract our fields), and click Next. Highlight the value of the field you’d like to create, and let’s name the field: browser_type Click Add Extraction.
© 2018 SPLUNK INC. Let’s verify that the extracted field contains values that are indeed types of browsers. Good, click Next to proceed. Now, open the permissions to “App,” which will allow users of the App the ability to leverage this extraction. Click Next.
© 2018 SPLUNK INC. Success! Let’s explore the fields just created in Search, by clicking the link.
© 2018 SPLUNK INC. You’ll now be taken to Search, with the filter set to the sourcetype that the field extraction has been applied to. Note – field extractions are coupled to a sourcetype. Click on “Top values.”
© 2018 SPLUNK INC. Notice how the search changed. And, instead of a bar graph, we want a pie chart, so drop down the “bar” option and change it to pie.
Let’s add this search to our dashboard, and then view the dashboard. Click Edit -> Edit Panels to drag the different panels to different positions.
© 2018 SPLUNK INC. Let’s go back to search, and search for buttercupgames AND status!=200 (we want to see events that aren’t successful). Add the stats and where clause above, to return when there are more than 100 unsuccessful status codes.
© 2018 SPLUNK INC. Let’s create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression. Instead of 48, change to minutes a few ahead of your current time (i.e., if it’s 9:00 a.m., change to 05).
© 2018 SPLUNK INC. Add to Triggered Alerts and Save.
© 2018 SPLUNK INC. You should see an alert trigger once your scheduled search runs at the Cron expression you defined. * Note – it was mentioned that alerts wouldn’t work on a trial license. * Correction – alerts will work until the trial license expires.
© 2018 SPLUNK INC. Let’s go back to search and: buttercupgames status=* | iplocation clientip We want to look up the clientip values against the MaxMind database to pull in City, Country, State, Lat, Lon of the IPs.
© 2018 SPLUNK INC. Now, business is interested in seeing plots on a map of web users and what they’re doing with the website. Let’s append a geostats command that counts the events by the values of the action field. Pretty cool! This is definitely dashboard worthy Let’s add to dashboard.
© 2018 SPLUNK INC. Awesome! Now we have a single pane of glass that Operations, Development and Business all care about – from one data source! Talk about value!

Recommended

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
sixdub
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
Derek King
 
Keep your Hadoop cluster at its best!
Keep your Hadoop cluster at its best!Keep your Hadoop cluster at its best!
Keep your Hadoop cluster at its best!
Sheetal Dolas
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Jared Greenhill
 
( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring
Gouasmia Zakaria
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
James Sirota
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
chrissanders88
 

Recommended

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
sixdub
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
Derek King
 
Keep your Hadoop cluster at its best!
Keep your Hadoop cluster at its best!Keep your Hadoop cluster at its best!
Keep your Hadoop cluster at its best!
Sheetal Dolas
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Jared Greenhill
 
( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring
Gouasmia Zakaria
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
James Sirota
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
chrissanders88
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
Splunk
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
Shannon Cuthbertson
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
NoNameCon
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
EC-Council
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-On
Splunk
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
Splend
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Managing your black friday logs - Code Europe
Managing your black friday logs - Code EuropeManaging your black friday logs - Code Europe
Managing your black friday logs - Code Europe
David Pilato
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)
Jared Atkinson
 
Dc project plan
Dc project planDc project plan
Dc project plan
Splunk
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - Demo
Splunk
 
Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_system
Maceni Muse
 
Conf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuConf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsu
Splunk
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Georg Knon
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
APNIC
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Christopher Gerritz
 
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk EnterpriseSplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
Splunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 

More Related Content

What's hot

Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
Splunk
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
Shannon Cuthbertson
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
NoNameCon
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
EC-Council
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-On
Splunk
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
Splend
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Managing your black friday logs - Code Europe
Managing your black friday logs - Code EuropeManaging your black friday logs - Code Europe
Managing your black friday logs - Code Europe
David Pilato
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)
Jared Atkinson
 
Dc project plan
Dc project planDc project plan
Dc project plan
Splunk
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - Demo
Splunk
 
Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_system
Maceni Muse
 
Conf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuConf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsu
Splunk
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Georg Knon
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
APNIC
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Christopher Gerritz
 

What's hot (20)

Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-On
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Managing your black friday logs - Code Europe
Managing your black friday logs - Code EuropeManaging your black friday logs - Code Europe
Managing your black friday logs - Code Europe
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)
 
Dc project plan
Dc project planDc project plan
Dc project plan
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - Demo
 
Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_system
 
Conf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuConf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsu
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 

Similar to SplunkLive! Zurich 2018: Getting Started & Hands On

SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk EnterpriseSplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
Splunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Harry McLaren
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout Session
Splunk
 
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer LoggingSplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
Splunk
 
Anz summit 2015 http event collector - sydney
Anz summit 2015 http event collector - sydneyAnz summit 2015 http event collector - sydney
Anz summit 2015 http event collector - sydney
Splunk
 
Machine Data Is EVERYWHERE: Use It for Testing
Machine Data Is EVERYWHERE: Use It for TestingMachine Data Is EVERYWHERE: Use It for Testing
Machine Data Is EVERYWHERE: Use It for Testing
TechWell
 
SplunkLive! Paris 2018: Plenary Session
SplunkLive! Paris 2018: Plenary SessionSplunkLive! Paris 2018: Plenary Session
SplunkLive! Paris 2018: Plenary Session
Splunk
 
Pivotal - Advanced Analytics for Telecommunications
Pivotal - Advanced Analytics for Telecommunications Pivotal - Advanced Analytics for Telecommunications
Pivotal - Advanced Analytics for Telecommunications
Hortonworks
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
Splunk
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
Splunk
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havoc
Tiago Henriques
 
#startathon2.0 - Spark Core
#startathon2.0 - Spark Core#startathon2.0 - Spark Core
#startathon2.0 - Spark Core
sl2square
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Shannon Cuthbertson
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout Session
Splunk
 
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNCERT
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 
Move out from AppEngine, and Python PaaS alternatives
Move out from AppEngine, and Python PaaS alternativesMove out from AppEngine, and Python PaaS alternatives
Move out from AppEngine, and Python PaaS alternatives
tzang ms
 
SnorGen User Guide 2.0
SnorGen User Guide 2.0SnorGen User Guide 2.0
SnorGen User Guide 2.0
Sungho Yoon
 

Similar to SplunkLive! Zurich 2018: Getting Started & Hands On (20)

SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk EnterpriseSplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout Session
 
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer LoggingSplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
 
Anz summit 2015 http event collector - sydney
Anz summit 2015 http event collector - sydneyAnz summit 2015 http event collector - sydney
Anz summit 2015 http event collector - sydney
 
Machine Data Is EVERYWHERE: Use It for Testing
Machine Data Is EVERYWHERE: Use It for TestingMachine Data Is EVERYWHERE: Use It for Testing
Machine Data Is EVERYWHERE: Use It for Testing
 
SplunkLive! Paris 2018: Plenary Session
SplunkLive! Paris 2018: Plenary SessionSplunkLive! Paris 2018: Plenary Session
SplunkLive! Paris 2018: Plenary Session
 
Pivotal - Advanced Analytics for Telecommunications
Pivotal - Advanced Analytics for Telecommunications Pivotal - Advanced Analytics for Telecommunications
Pivotal - Advanced Analytics for Telecommunications
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havoc
 
#startathon2.0 - Spark Core
#startathon2.0 - Spark Core#startathon2.0 - Spark Core
#startathon2.0 - Spark Core
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout Session
 
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Move out from AppEngine, and Python PaaS alternatives
Move out from AppEngine, and Python PaaS alternativesMove out from AppEngine, and Python PaaS alternatives
Move out from AppEngine, and Python PaaS alternatives
 
SnorGen User Guide 2.0
SnorGen User Guide 2.0SnorGen User Guide 2.0
SnorGen User Guide 2.0
 

More from Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
Splunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
Splunk
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
Splunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
Splunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
Splunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
Splunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
Splunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
Splunk
 

More from Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 

Recently uploaded (20)

GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 

SplunkLive! Zurich 2018: Getting Started & Hands On

  • 1. SplunkLive! Dirk Beerbohm | Senior Sales Engineer
  • 2. Set Up Before You Can Play Download the following at splunk.com ▶ Splunk Enterprise: • https://www.splunk.com/download ▶ Tutorial Data: • http://splk.it/2ey34P8 ▶ Search Tutorial • http://splk.it/2ePSYKB
  • 4. © 2018 SPLUNK INC. 1. Splunk Overview 2. Using Splunk – Live Demonstration/Walk-Through • Installing & Onboarding Data • Searching • Field Extraction • Dashboards • Alerting • Analytics 3. Wrap-up/Q&A Agenda
  • 5. Big Data Comes From Machines Volume | Velocity | Variety | Variability GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops Splunk’s Mission: Make machine data accessible, usable, and valuable to everyone
  • 6. What Does Machine Data Look Like? Order Processing Twitter Care IVR Middleware Error ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} SOURCES
  • 7. Machine Data Contains Critical Insights Order Processing Twitter Care IVR Middleware Error Customer ID Order ID ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} Order ID Customer’s Twitter ID Customer ID Customer ID Time waiting on hold Customer’s Tweet Company’s Twitter ID Product ID SOURCES
  • 8. Machine Data Contains Critical Insights SOURCES Order Processing Twitter Care IVR Middleware Error Customer ID Order ID ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} Order ID Customer’s Twitter ID Customer ID Customer ID Time waiting on hold Customer’s Tweet Company’s Twitter ID Product ID
  • 9. Industry Leading Platform For Machine Data Custom dashboards Report and analyze Monitor and alert Developer Platform Ad hoc search On-Premises Private Cloud Public Cloud Storage Online Shopping Cart Telecoms Desktops Security Web Services Networks Containers Web Clickstreams RFID Smartphones and Devices Servers Messaging GPS Location Packaged Applications Custom Applications Online Services DatabasesCall Detail Records Energy MetersFirewall Intrusion Prevention Platform Support (Apps / API / SDKs) Enterprise Scalability Universal Indexing Machine Data: Any Location, Type, Volume Answer Any Question Any Amount, Any Location, Any Source No back-end database Schema on-the-fly No need to filter data Quick time to value Agile reporting and analytics Real-time architecture
  • 10. Installing and Using Splunk Live Demonstration & Walk-Through
  • 11. Set Up Before You Can Play Get the following at splunk.com ▶ Splunk Enterprise: • https://www.splunk.com/download ▶ Tutorial Data: • http://splk.it/2ey34P8 ▶ Search Tutorial • http://splk.it/2ePSYKB
  • 12. ▶ IMPORT THE ZIP FILE, not individual files within it: http://www.splunkbook.com (sample data is located under ‘related links’ section – *same tutorialdata.zip from first page) ▶ Log in to Splunk – http://127.0.0.1:8000 username=admin password=changeme ▶ To add the file to Splunk: • Click Add Data • Click Upload files from my computer • Drag and drop your sample data zip file • Review and finish Getting Data Into Splunk We will import sample web e-commerce store events
  • 13. ▶ License expired (already had older version installed) • Close browser, empty cache, open browser. If that doesn’t work: • Stop Splunk • Uninstall all Splunk versions • Windows Control Panel->Uninstall programs->Splunk • OS X. Finder->Applications->Right click Splunk, Move to trash • Reinstall • Start Splunk ▶ Can’t start Splunk • Windows, Search Control panel ->Services->Splunk start • Linux; cd <SPLUNK dir>/splunk/bin;./splunk start Common Problems at This Point
  • 15. © 2018 SPLUNK INC. ▶ See Slide Note at right about adding in step-by-step instructions here. Dashboard
  • 16. ▶ buttercupgames ▶ buttercupgames 400 ▶ buttercupgames 400 OR 500 ▶ buttercupgames status=400 OR status=500 ▶ buttercupgames status=400 OR status=500 | timechart count by status limit=10 ▶ buttercupgames status=* ▶ buttercupgames status=* | timechart count by status limit=10 ▶ buttercupgames status=* AND status!=200 | timechart count by status limit=10 ▶ index=* sourcetype=access_combined_wcookie Searches Used
  • 17.
  • 18. ▶ index=* sourcetype=access_combined_wcookie | top limit=20 browser_type (field extraction necessary) ▶ buttercupgames status!=200 ▶ buttercupgames status!=200 | stats count by status | where count > 100 ▶ buttercupgames status=* | iplocation clientip ▶ buttercupgames status=* | iplocation clientip | geostats count by action Searches Used (Continued)
  • 19. ▶ SplunkLive! Presentations • http://splunklive.splunk.com/presentations.html ▶ Documentation • http://www.splunk.com/base/Documentation ▶ Technical Support • http://www.splunk.com/support ▶ Videos • http://www.splunk.com/videos ▶ Education • http://www.splunk.com/view/education/SP- CAAAAH9 ▶ Community • http://answers.splunk.com ▶ Splunk Book • http://splunkbook.com Time to Start SPLUNKING!!! Where do I go for help?
  • 20. Thriving Community dev.splunk.com 75,000+ questions and answers 1,000+ apps Local user groups and SplunkLive! events
  • 21. ▶Save the Date 2018 October 1-4, 2018 ▶ 8,750+ Splunk Enthusiasts ▶ 300+ Sessions ▶ 100+ Customer Speakers Plus Splunk University: ▶ Three Days: September 29-October 1, 2018 ▶ Get Splunk Certified for FREE! ▶ Get CPE credits for CISSP, CAP, SSCP Walt Disney World Swan and Dolphin Resort in Orlando conf .splunk.com SAVE THE DATE!
  • 23. Thank You! Don't forget to rate this session on Pony Poll https://ponypoll.com/Zurich2018
  • 24. ▶ Splunk Usergroup Zürich ▶ Regular Splunk User get-togethers ▶ Frequent Splunk Ninja Presentations (D/E) ▶ Meetings throughout all major german speaking cities (not only Zurich) ▶ Amtssprache deutsch ▶ Not a sales thing ▶ Kick-off soon ▶ Join now: ▶ https://usergroups.splunk.com/group/splunk- user-group-zurich.html Splunk Usergroup Zurich http://bit.do/SPLUGZ
  • 25. © 2018 SPLUNK INC. Don't forget to rate this session in the SplunkLive! mobile app Thank You
  • 27.
  • 28. © 2018 SPLUNK INC. Download Splunk Enterprise for your OS and architecture.
  • 29. © 2018 SPLUNK INC. Download tutorialdata.zip
  • 30. © 2018 SPLUNK INC. With Firefox, Chrome or Safari – head to http://127.0.0.1:8000 User = admin Password = changeme
  • 31. © 2018 SPLUNK INC. You’ve successfully installed Splunk and logged in! Let’s add the tutorialdata.zip via “Add Data.”
  • 32. © 2018 SPLUNK INC. You can also “Add Data” from Settings at the top.
  • 33. © 2018 SPLUNK INC. Click on upload.
  • 34. © 2018 SPLUNK INC. Let’s drag tutorialdata.zip into “Drop your data file here.”
  • 35. © 2018 SPLUNK INC. Click Next
  • 36. © 2018 SPLUNK INC. Splunk can auto detect the source type. Let’s change host field to buttercup-web01, and then click Review.
  • 37. © 2018 SPLUNK INC. Looks good, click Submit.
  • 38. © 2018 SPLUNK INC. Let’s Start Searching our data.
  • 39. © 2018 SPLUNK INC. We’re brought into a search with filters applied to search the data we just uploaded.
  • 40. © 2018 SPLUNK INC. Let’s type “buttercupgames” in the search bar, and double-click into a bar on the histogram.
  • 41. © 2018 SPLUNK INC. Notice the time picker changed with our drill into the histogram bar.
  • 42. © 2018 SPLUNK INC. Given that this data is web access, let’s do a string search for 400, which is a “Bad Request” code. Notice that there are 188 events returned (number will vary for you).
  • 43. © 2018 SPLUNK INC. Let’s also add 500 into the mix, and notice that my event count is higher now.
  • 44. © 2018 SPLUNK INC. We can see the 400 and 500 status codes, but other status codes also show up in our results. That’s because the string search doesn’t explicitly search for status values – it’ll string match any event that contains “400” or “500.”
  • 45. © 2018 SPLUNK INC. Let’s explicitly search for status codes equaling values we want to see returned.
  • 46. © 2018 SPLUNK INC. Great, we’ve now returned all the events containing the two status codes we searched for. Click on “Top values by time,” which will build out a timechart for us.
  • 47. © 2018 SPLUNK INC. Notice how our search query changed, there’s a | (pipe), and a timechart command added. The pipe followed by a command allows further operation on your filtered data set.
  • 48. © 2018 SPLUNK INC. Let’s change our search to: buttercupgames status=* And – drill into one bar on the histogram.
  • 49. © 2018 SPLUNK INC. Click on “top values by time” under the status field on the left, which will produce the timechart at right.
  • 50. © 2018 SPLUNK INC. Let’s exclude 200 status codes by adding AND status!=200, and change Line to Column.
  • 51. © 2018 SPLUNK INC. After changing from Line to Column, let’s Stack the results (middle stack under Stack Mode). Much better!
  • 52. © 2018 SPLUNK INC. Let’s now save this to a dashboard, a place we can go to view this search without having to remember what we had just searched for. Click Save AS -> Dashboard Panel. Fill in, and click Save. Then, View dashboard.
  • 53. © 2018 SPLUNK INC. Click on Search to get us back to our Search bar, and let’s key in: buttercupgames. Development wants to know what web browsers are being used to access the site, but no fields currently exist. No problem – let’s extract the browser field. Find an event that contains a value that you’re looking for, and click the “>” arrow just to the left of “Time.” The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.
  • 54. © 2018 SPLUNK INC. Click Regular Expression (Splunk will build a regular expression to extract our fields), and click Next. Highlight the value of the field you’d like to create, and let’s name the field: browser_type Click Add Extraction.
  • 55. © 2018 SPLUNK INC. Let’s verify that the extracted field contains values that are indeed types of browsers. Good, click Next to proceed. Now, open the permissions to “App,” which will allow users of the App the ability to leverage this extraction. Click Next.
  • 56. © 2018 SPLUNK INC. Success! Let’s explore the fields just created in Search, by clicking the link.
  • 57. © 2018 SPLUNK INC. You’ll now be taken to Search, with the filter set to the sourcetype that the field extraction has been applied to. Note – field extractions are coupled to a sourcetype. Click on “Top values.”
  • 58. © 2018 SPLUNK INC. Notice how the search changed. And, instead of a bar graph, we want a pie chart, so drop down the “bar” option and change it to pie.
  • 59. Let’s add this search to our dashboard, and then view the dashboard. Click Edit -> Edit Panels to drag the different panels to different positions.
  • 60. © 2018 SPLUNK INC. Let’s go back to search, and search for buttercupgames AND status!=200 (we want to see events that aren’t successful). Add the stats and where clause above, to return when there are more than 100 unsuccessful status codes.
  • 61. © 2018 SPLUNK INC. Let’s create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression. Instead of 48, change to minutes a few ahead of your current time (i.e., if it’s 9:00 a.m., change to 05).
  • 62. © 2018 SPLUNK INC. Add to Triggered Alerts and Save.
  • 63. © 2018 SPLUNK INC. You should see an alert trigger once your scheduled search runs at the Cron expression you defined. * Note – it was mentioned that alerts wouldn’t work on a trial license. * Correction – alerts will work until the trial license expires.
  • 64. © 2018 SPLUNK INC. Let’s go back to search and: buttercupgames status=* | iplocation clientip We want to look up the clientip values against the MaxMind database to pull in City, Country, State, Lat, Lon of the IPs.
  • 65. © 2018 SPLUNK INC. Now, business is interested in seeing plots on a map of web users and what they’re doing with the website. Let’s append a geostats command that counts the events by the values of the action field. Pretty cool! This is definitely dashboard worthy Let’s add to dashboard.
  • 66. © 2018 SPLUNK INC. Awesome! Now we have a single pane of glass that Operations, Development and Business all care about – from one data source! Talk about value!