Getting Started with Splunk
Page 1 of 11
Before Demo
Things to do prior to demo:
1. Download latest version of Splunk from http://www.splunk.com/download
2. Download http://docs.splunk.com/images/Tutorial/tutorialdata.zip
Notables
The idea is to introduce the main features of Splunk iteratively as you do the demo, explaining what they are
and how they work, not just simply point them out.
[http://docs.splunk.com/images/e/e5/6.2tutorial_startsearching2.png]
Also, please remember to sprinkle in Splunk’s typical value props as you demo: Real-Time architecture, agile
statistics and reporting, schema on the fly, raw data stored – nothing filtered in the event, time-based series,
etc.
At a high level the customer has been receiving a lot of customer complaints when engaging in their online
sales portal for video games. They would like visibility into what causes issues and be alerted when they do
occur. Total demo time should be about 30 min or less.
Demo
1. Install the latest version of Splunk.
2. Start up the newly installed instance of Splunk.
   - If not installing on a Windows-based machine, please mention it's installed as a Service. Its start-up status can be modified there.
   - On *nix platforms the following command can be run to ensure Splunk starts at boot time:
     $SPLUNK_HOME/bin/splunk enable boot-start
3. Ingest Tutorial Data
Columns: Click Path – Screen Action | Say – Description | Display

Click path: Emulate that you download tutorialdata.zip and show its contents. Docs website where you can get this data.
Say: Splunk provides an online tutorial for getting data into Splunk. It includes a sample data file that comes from the fictitious "ButterCup Games, Inc.", a worldwide game company selling its products through its online store. This zip file is a collection of web access logs, security logs, and vendor sales generated from website infrastructure.

Click path: Log into the newly installed Splunk instance on your laptop. There are two ways to get to the appropriate menu. After you log in you see the option "Add Data":
-> Settings -> Add Data
OR
-> Settings -> Data Input
Say: There are two more options under the Settings menu. You see the "Add Data" image again, but under Data you also have "Data Inputs". I'm going to click on "Add Data".

Click path: Click Upload after saying the following:
Say: Besides uploading data you also see you can monitor files, use Windows Management Instrumentation (WMI), TCP/UDP, scripts, and modular inputs for external data sources. Splunk's Universal Forwarder allows you to securely and efficiently forward data from remote servers. We are going to choose the upload option.

Click path: Select File -> browse to tutorialdata -> www3 -> access.log
OR
Click and drag tutorialdata/www3/access.log to "Drop your data file here". Click the green Next button at the top of the screen.
Say: Once selected, Splunk will show me a sample of my events and make a best guess on the type of data and the timestamp, and determine if the data is single-line or multi-line. I can override Splunk's best guess, or define my own settings for how I want the data to be treated, with the user interface. This one-time configuration provides support for a variety of out-of-the-box source types while giving you the flexibility to define a new source type based on any custom sources you may have.

Click path: Click Back in the web browser. Click and drag tutorialdata.zip into "Drop your data file here". Click the green Next button at the top of the screen.
Say: You can even ingest compressed files. So let's upload the tutorialdata.zip file to "bulk" upload all of this data.

Click path: Click Review at the top of the screen after saying ->
Say: Here you can set additional input parameters for this data.
Sourcetype: Tells Splunk what kind of data you have, allowing Splunk to categorize your data so you can search it easily.
Host: Name of the machine from which the data originated.
Index: A logical container/destination for your data.

Click path: -> Apps -> Searching & Reporting
Say: With data ingested we can immediately begin to search our data and gain meaningful insight.
4. Search Basics
Let's say you are a web site administrator. You recently received user complaints that web pages are failing and not returning content when they should. Let's use Splunk to search this data, to determine not only the problems that happened but the factors associated with or contributing to them.

Click path: Search Bar -> * (Do this before you say ->)
Say: At the top of the screen you have a Search Bar, similar to what you would use if searching the Internet. I can simply type what I'd like to search for. Notice that when you do search it's across all your data: structured, unstructured, and very likely heterogeneous.

Click path: Search Bar -> buttercupgames (returns 36,819 events)
Say: Similar to Google, I can use whole words, such as typing in the word "buttercupgames". Please notice that as you type Splunk displays "Matching terms" just below the search bar. Splunk also displays different ways to use search to return events. Splunk's goal is to enable our customers to use many of the skills they already have when searching, making it easy to do while providing quick time to value. Executing the search for "buttercupgames" returns events containing that word. Splunk returns events containing that term, highlighting the term in the events returned.

Click path: Search Bar -> buttercupgames 403 (returns 282 events)
Say: Let's say a customer made a valid request but the buttercupgames web service simply failed to respond; the web server would respond with a 403 code. Expand our search for 403. When searching for two terms the AND is implied.

Click path: Search Bar -> buttercupgames 403 OR 404 (returns 1013 events)
Say: Maybe a web page resource was missing; that would be encoded as a 404, so we can look for either 403 OR 404.

Click path: Search Bar -> buttercupgames 40* (returns 5268 events)
Say: Instead of OR maybe we use a wildcard: search for 40*. Notice that returns terms starting with "40", dramatically increasing our result set. You can see terms 408, 404, 406, etc. highlighted.
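The four searches above all rely on the same term-matching rules: adjacent terms are ANDed, OR joins the two terms around it, and a trailing * matches any term with that prefix. The following is an added Python model of those rules, not Splunk's own code and not part of the demo guide; it tokenizes events on punctuation (a simplification of Splunk's breaker rules) and the sample access-log lines are constructed for the example, so the hit counts are for these five lines, not the tutorial data set.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events in the style of the tutorial's web access logs
# (values are made up for this example, not taken from tutorialdata.zip).
EVENTS = [
    '10.2.1.34 - - [13/Sep/2014:10:52:01] "GET /productscreen.html HTTP/1.1" 200 1432 "http://www.buttercupgames.com/cart.do"',
    '10.2.1.35 - - [13/Sep/2014:10:52:07] "GET /cart.do?action=view HTTP/1.1" 403 512 "http://www.buttercupgames.com/oldlink"',
    '10.2.1.36 - - [13/Sep/2014:10:52:09] "GET /missing.html HTTP/1.1" 404 288 "http://www.buttercupgames.com/"',
    '10.2.1.37 - - [13/Sep/2014:10:52:12] "GET /cart.do?action=view HTTP/1.1" 408 0 "http://www.buttercupgames.com/"',
    '192.168.5.9 - - [13/Sep/2014:10:52:15] "GET /status HTTP/1.1" 403 100 "http://intranet.example/"',
]


def tokens(event):
    """Lower-cased terms of one event, split on the punctuation that separates
    words, numbers and URL parts (a simplified breaker set; Splunk's is richer)."""
    return set(re.split(r'[^a-z0-9]+', event.lower())) - {''}


def parse_query(query):
    """Turn 'buttercupgames 403 OR 404' into [['buttercupgames'], ['403', '404']]:
    a list of AND-groups, each holding its OR alternatives (lower-cased).
    AND is implied between adjacent terms; OR binds only the terms around it."""
    words = query.split()
    groups = []
    i = 0
    while i < len(words):
        word = words[i]
        if word.upper() == 'OR' and groups and i + 1 < len(words):
            groups[-1].append(words[i + 1].lower())
            i += 2
        else:
            groups.append([word.lower()])
            i += 1
    return groups


def term_matches(term, toks):
    """Tokens matched by one query term: exact match, or a wildcard pattern
    such as '40*' matching every token that starts with '40'."""
    if '*' in term:
        return {t for t in toks if fnmatchcase(t, term)}
    return {term} if term in toks else set()


def search(query, events=EVENTS):
    """Return (event, highlighted_terms) for every event in which each
    AND-group has at least one matching alternative, in event order."""
    groups = parse_query(query)
    hits = []
    for event in events:
        toks = tokens(event)
        matched = set()
        for alternatives in groups:
            found = set()
            for term in alternatives:
                found |= term_matches(term, toks)
            if not found:
                break
            matched |= found
        else:
            hits.append((event, sorted(matched)))
    return hits


if __name__ == '__main__':
    for q in ('buttercupgames', 'buttercupgames 403', 'buttercupgames 403 OR 404', 'buttercupgames 40*'):
        print(f'{q!r}: {len(search(q))} events')
```

The last event (an intranet host, no "buttercupgames" anywhere in it) is why adding the site name narrows the 403 search: a bare search for `403` matches it, while `buttercupgames 403` does not.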
5. Time Picker
Click path: Search Bar -> buttercupgames 403 -> Time drop-down
Say: All events in Splunk are time-based. Keying off time is another way to enable efficient searching. Splunk provides a Time Picker, giving you the flexibility to search real-time data, relative time ranges such as the previous business week, the last 30 minutes, or all time. You can also define specific time or date ranges.

Click path: Highlight the histogram.
Say: Below the search bar is a histogram displaying the frequency of events. This can be very helpful if I'm looking for gaps or spikes in certain types of events. I also have the option of zooming in on the histogram or focusing all the way down to milliseconds.
6. Extracted Fields
Click path: Expand the first event.
Say: The real secret sauce of Splunk is its ability to recognize and extract information contained within the events. Splunk will automatically pull out any key/value pairs, IP addresses, time and date fields, as well as common formats such as comma- or tab-delimited fields in a CSV file. Splunk does this while retaining the entire raw event.

Click path: Click on the value of status -> Add to search
Say: By clicking on any given value you can add it to or exclude it from a search, or even start a new search based on that value. Adding it to our existing search, you'll notice a key-value pair added to our search. Now, instead of just searching for a given term in any event, you can further refine your search to events whose given extracted field contains a specific value.

Click path: Highlight the left-hand pane.
Say: On the left, I can see ALL the fields that were dynamically extracted and are available to me for searching and reporting purposes. Splunk also shows the number of unique values it found for every given field it found.

Click path: -> Smart Mode
Say: You can also adjust Splunk's "discovery mode" for field data extraction during searches.
7. Dynamic Field Extraction
a. Expand an event, click on Event Actions -> Extract Fields.
b. Extract the field after the status code; it should be the response size.
   - It will miss some; no worries, just highlight the values missed in events and add them to the extraction.
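Sections 6 and 7 describe two kinds of extraction: the automatic kind (key=value pairs, IP addresses, timestamps) that runs on every event while the raw event is kept, and a custom extraction written for one format (here, the response size that follows the status code). The block below is an added Python illustration of both, not Splunk's extraction engine and not part of the demo guide. The regexes, the field names `ip`, `status`, `bytes`, `_time` and `_raw`, the ASSUMED_YEAR constant and the three sample events are all constructed for the example.

```python
import re
from datetime import datetime

# Syslog-style timestamps carry no year; this example assumes one (assumption).
ASSUMED_YEAR = 2014

# Constructed sample events (made up for this example, not tutorial data):
# an access-log line, a syslog line, and a second access-log line.
RAW_EVENTS = [
    '10.2.1.35 - - [13/Sep/2014:10:52:07] "GET /cart.do?action=view&itemId=EST-14 HTTP/1.1" 403 512',
    'Sep 13 10:52:09 www3 sshd[2213]: Failed password for user=admin from 10.2.1.36 port=51234',
    '10.2.1.37 - - [13/Sep/2014:10:52:12] "GET /missing.html HTTP/1.1" 404 288',
]

# Automatic extractions that apply to any event.
KV_RE = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)=([^\s&"]+)')   # key=value pairs
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')              # dotted-quad addresses
TS_PATTERNS = [                                                 # (regex, strptime format)
    (re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\]'), '%d/%b/%Y:%H:%M:%S'),
    (re.compile(r'^([A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2})'), '%b %d %H:%M:%S'),
]

# The custom extraction from section 7, written for the access-log format:
# the three-digit status after the request, then the response size.
ACCESS_RE = re.compile(r'"\s(?P<status>\d{3})\s(?P<bytes>\d+|-)\s*$')


def extract_fields(raw):
    """Return the fields found in one event. '_raw' keeps the untouched event,
    so extraction adds structure without discarding anything."""
    fields = {'_raw': raw}
    for key, value in KV_RE.findall(raw):
        fields.setdefault(key, value)          # first occurrence of a key wins
    ips = IP_RE.findall(raw)
    if ips:
        fields['ip'] = ips[0]
    for pattern, fmt in TS_PATTERNS:
        match = pattern.search(raw)
        if match:
            parsed = datetime.strptime(match.group(1), fmt)
            # strptime yields year 1900 when the format has no year
            fields['_time'] = parsed.replace(year=ASSUMED_YEAR) if parsed.year == 1900 else parsed
            break
    match = ACCESS_RE.search(raw)
    if match:
        fields.update(match.groupdict())
    return fields


def field_summary(raw_events):
    """Like the left-hand field pane: number of distinct values per extracted field."""
    values = {}
    for raw in raw_events:
        for key, value in extract_fields(raw).items():
            if key != '_raw':
                values.setdefault(key, set()).add(value)
    return {key: len(vals) for key, vals in values.items()}


if __name__ == '__main__':
    for raw in RAW_EVENTS:
        print({k: v for k, v in extract_fields(raw).items() if k != '_raw'})
    print(field_summary(RAW_EVENTS))
```

The second event shows why a format-specific extraction needs a format check: it has key=value pairs and an IP address, which the automatic rules pick up, but no status or bytes field, because ACCESS_RE does not match a syslog line.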
8. Alerts
Click path: -> Save As -> Alert
Say: Now, if a server refuses to respond to a user's request (status=403), Splunk can detect that and alert us to it.

Click path: Click Real Time, provide a Title, then click Next.
Say: I can choose to constantly monitor for this in real time or to schedule this alert based on a variety of frequencies. Splunk provides flexible notification options, allowing you to assign severity to the alert, to automatically distribute an email (or SMS text) and include output inline or as an attachment. You can even do more advanced actions like run a script native to the OS Splunk runs on for such things as mitigation or remediation.
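The difference between a real-time alert and a scheduled one is when the trigger condition is evaluated: per event over a sliding window, or once per period over everything that arrived in it. The following is an added Python model of both, written for this section; it is not Splunk's alerting code and not part of the demo guide. The class and function names, the throttle behaviour (suppress repeats for a while after firing) and the event list are constructed for the example; timestamps are plain seconds.

```python
import math
from collections import deque

# Constructed events already carrying extracted fields (made up for this example).
EVENTS = [
    {'_time': 0,   'status': 200, 'uri_path': '/productscreen.html'},
    {'_time': 5,   'status': 403, 'uri_path': '/cart.do'},
    {'_time': 20,  'status': 403, 'uri_path': '/cart.do'},
    {'_time': 45,  'status': 403, 'uri_path': '/cart.do'},
    {'_time': 200, 'status': 404, 'uri_path': '/missing.html'},
    {'_time': 400, 'status': 403, 'uri_path': '/cart.do'},
]


def status_is(code):
    """Trigger condition equivalent to the demo's `status=403` search."""
    return lambda event: event.get('status') == code


class RealTimeAlert:
    """Per-event evaluation over a sliding window: fire when at least
    `threshold` matching events fall inside the last `window` seconds, then
    stay quiet for `throttle` seconds so one incident yields one notification."""

    def __init__(self, title, condition, window=60, threshold=1,
                 severity='medium', throttle=300):
        self.title = title
        self.condition = condition
        self.window = window
        self.threshold = threshold
        self.severity = severity
        self.throttle = throttle
        self.recent = deque()          # (time, event) of matches still in the window
        self.last_fired = -math.inf

    def feed(self, event):
        """Offer one event; return an alert record or None."""
        now = event['_time']
        if self.condition(event):
            self.recent.append((now, event))
        while self.recent and self.recent[0][0] < now - self.window:
            self.recent.popleft()      # drop matches that aged out of the window
        if len(self.recent) >= self.threshold and now - self.last_fired >= self.throttle:
            self.last_fired = now
            return {'title': self.title, 'severity': self.severity, 'triggered_at': now,
                    'count': len(self.recent), 'results': [e for _, e in self.recent]}
        return None

    def run(self, events):
        """Replay a batch of events in time order and collect the alerts raised."""
        ordered = sorted(events, key=lambda e: e['_time'])
        return [a for a in (self.feed(e) for e in ordered) if a]


def scheduled_alert(title, condition, events, period=300, severity='low'):
    """Scheduled evaluation: once per `period`, look at the events that arrived
    in it and raise one alert (with the matches inline) if any matched."""
    by_period = {}
    for event in events:
        if condition(event):
            by_period.setdefault(int(event['_time'] // period), []).append(event)
    return [{'title': title, 'severity': severity, 'triggered_at': (p + 1) * period,
             'count': len(matched), 'results': matched}
            for p, matched in sorted(by_period.items())]


if __name__ == '__main__':
    print(RealTimeAlert('Server refused request', status_is(403)).run(EVENTS))
    print(scheduled_alert('Refused requests (5 min)', status_is(403), EVENTS))
```

With the sample data the real-time alert fires at t=5 and, after the throttle expires, again at t=400; the three 403s at 5, 20 and 45 seconds produce a single notification. The scheduled variant instead reports once at the end of each 300-second period, which is the trade-off the "Real Time" versus schedule choice in the dialog is making: lower latency against fewer, summarized notifications.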
9. Statistics and Reporting
Click path: Search Bar -> buttercupgames status=403 -> Statistics tab
Say: Splunk makes gathering statistics and reporting a snap. Let's click on the "Statistics" tab underneath the search bar.

Click path: -> Quick Reports
Say: You are presented with three different options. Quick Reports lets you click on any field for a list of quick reports.

Click path: -> uri_path
Say: To find out those web pages associated with the server failing to respond to a request, click on uri_path. Here Splunk provides you with different reporting options: Top Values, Top Values by Time, etc.

Click path: -> uri_path -> Top values
Say: Clicking on Top Values I get a breakdown of the total number of events associated with the server failing to respond, broken down per uri_path or web page.

Click path: -> Bar -> Pie
Say: Reporting is agile; you can easily modify the reporting visualization. Maybe we want a pie chart instead of a bar chart, no problem.

Click path: -> Save As -> Dashboard Panel
   - Fill in Dashboard title
   - Enable "Shared in App" for Dashboard Permissions
   - Panel Title "Failures by Web Page"
   - Click Save
   - Click View Dashboard

Click path: Search -> Search Bar -> buttercupgames. Click on the Statistics tab, choose Pivot. Click OK.
Say: Splunk also allows you to build tables and visualizations using multiple fields and metrics without writing searches. Pivot automatically generates data models based on your data, allowing you to pivot around your data to extract statistics and reports.

Click path: -> + (next to the time filter), status, then match = 403
Say: We can select the status attribute, then enter a value of 403.

Click path: Split Rows -> + -> uri_path, Add to Table
Say: We can split the number of server-refused responses by uri_path.

Click path: Click on Horizontal Bar Chart on the reporting panel.
Say: We can leave the data in tabular form or simply choose another visualization.

Click path: -> Save As -> Dashboard Panel -> Existing. Make sure the previous Dashboard "Server Failures" appears. Provide a Model Title and ID. Click Save -> View Dashboard.
10. Command Language
Click path: Search -> Search Bar -> buttercupgames | stats count by status
Save As -> Report
Say: There are nearly 140 search commands that can be applied to data. When searching data you isolate the events you are interested in, then apply Splunk's commands to transform data, further reduce data sets, generate statistics or perform analytics on the data. To do this we apply a pipe character (|) then issue the desired command. For example, if we wanted to get a count of all status codes found in our data, we can use the stats command: count all events with status values, then split the count by individual status values. Let's save that as a report.

Click path: Search Bar -> buttercupgames | stats count by status | where status=403 OR status=404
Save As -> Dashboard
Say: Maybe we're only interested in 403's and 404's? No problem, let's just use a WHERE command to isolate those. Cool. Let's make this part of a dashboard.

Click path: Search Bar -> buttercupgames status=403 OR status=404 | stats count, sparkline by uri_path
(The status filter has to come before stats here: once stats has grouped by uri_path, the status field is no longer in the results, so a where status=... after it would return nothing.)
Say: In addition to counting you can see trending information by adding a sparkline command to stats. Heck, let's even break it down by web page too. We'll add that to our dashboard.

Click path: Search Bar -> buttercupgames NOT status=200 | timechart count by uri_path
Say: What if we want to see any response that wasn't OK, basically any non-200 code, and we'd like to see an actual time distribution of those? The timechart function handles that quite nicely. Because Splunk's reporting is agile you can easily change the visualization on the fly. Maybe we want to stack our values for a given day. Totally cool! Let's save that to our dashboard.

Click path: Search Bar -> buttercupgames NOT status=200 | iplocation clientip | geostats count
Say: Want to see where the clients encountering these browser request problems are located? Just use the iplocation and geostats commands. Definitely want to add that to my dashboard!

These are just a few ways to apply the over 140 commands available in Splunk.
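To make concrete what the piped commands in this section compute, here is an added Python re-implementation of `stats count by status`, `where`, `timechart count by <field>` and `stats count, sparkline by <field>` over a small constructed access log. It is not Splunk code and not part of the demo guide; the field names (`clientip`, `uri_path`, `status`, `_time`), the 60-second default span and the eight log lines are all assumptions made for the example (iplocation and geostats need a GeoIP database, so they are left out).

```python
import re
from datetime import datetime

# Constructed access-log lines (made up for this example, not tutorial data).
LOG = """\
10.2.1.34 - - [13/Sep/2014:10:52:01 -0700] "GET /productscreen.html HTTP/1.1" 200 1432
10.2.1.35 - - [13/Sep/2014:10:52:07 -0700] "GET /cart.do?action=view HTTP/1.1" 403 512
10.2.1.36 - - [13/Sep/2014:10:52:09 -0700] "GET /missing.html HTTP/1.1" 404 288
10.2.1.35 - - [13/Sep/2014:10:52:40 -0700] "GET /cart.do?action=addtocart HTTP/1.1" 403 512
10.2.1.37 - - [13/Sep/2014:10:53:02 -0700] "GET /cart.do?action=view HTTP/1.1" 500 0
10.2.1.38 - - [13/Sep/2014:10:53:15 -0700] "GET /productscreen.html HTTP/1.1" 200 1432
10.2.1.36 - - [13/Sep/2014:10:53:31 -0700] "GET /missing.html HTTP/1.1" 404 288
10.2.1.39 - - [13/Sep/2014:10:54:10 -0700] "GET /cart.do?action=view HTTP/1.1" 403 512
"""

LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')


def parse_log(text):
    """Turn raw lines into events with the fields the searches use."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip anything not in the expected format
        events.append({
            '_time': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'clientip': m['clientip'],
            'uri_path': m['uri'].split('?', 1)[0],   # path without the query string
            'status': int(m['status']),
        })
    return events


def bucket_start(dt, span):
    """Start of the `span`-second bucket containing dt (same timezone as dt)."""
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span, dt.tzinfo)


def stats_count_by(events, field):
    """`stats count by <field>`: one row per distinct value with its count."""
    counts = {}
    for e in events:
        counts[e[field]] = counts.get(e[field], 0) + 1
    return [{field: value, 'count': n} for value, n in sorted(counts.items())]


def where(rows, predicate):
    """`where <expr>`: keep only the rows for which the predicate holds."""
    return [r for r in rows if predicate(r)]


def timechart_count_by(events, field, span=60):
    """`timechart span=<span> count by <field>`: per bucket, a count for every
    value of the field (absent values are reported as 0, as a chart needs)."""
    values = sorted({e[field] for e in events})
    chart = {}
    for e in events:
        row = chart.setdefault(bucket_start(e['_time'], span), dict.fromkeys(values, 0))
        row[e[field]] += 1
    return dict(sorted(chart.items()))


def stats_count_sparkline_by(events, field, span=60):
    """`stats count, sparkline by <field>`: total per value plus the per-bucket
    counts that the sparkline draws."""
    buckets = sorted({bucket_start(e['_time'], span) for e in events})
    out = {}
    for e in events:
        row = out.setdefault(e[field], {'count': 0, 'sparkline': [0] * len(buckets)})
        row['count'] += 1
        row['sparkline'][buckets.index(bucket_start(e['_time'], span))] += 1
    return out


if __name__ == '__main__':
    evs = parse_log(LOG)
    print(where(stats_count_by(evs, 'status'), lambda r: r['status'] in (403, 404)))
    print(timechart_count_by([e for e in evs if e['status'] != 200], 'uri_path'))
    print(stats_count_sparkline_by([e for e in evs if e['status'] in (403, 404)], 'uri_path'))
```

The `where` step runs on the rows that `stats` produced, which is why `status` is still available there after `stats count by status`, and why the earlier filter has to precede a `stats ... by uri_path`: the grouped rows only carry the grouping field and the aggregates.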
11. Splunk Applications
Click path: https://splunkbase.splunk.com
Say: The collection of these saved reports, dashboards, alerts, input settings, etc. is what Splunk refers to as an Application. There are over 600 readily available applications on the Splunkbase website, meant to provide you instant value by providing prebuilt dashboards, alerts, and reports for your data sources.

More Related Content

What's hot

Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
Splunk
 
SplunkLive! Splunk for Security
SplunkLive! Splunk for SecuritySplunkLive! Splunk for Security
SplunkLive! Splunk for Security
Splunk
 

What's hot (20)

Splunk 101
Splunk 101Splunk 101
Splunk 101
 
Security Automation & Orchestration
Security Automation & OrchestrationSecurity Automation & Orchestration
Security Automation & Orchestration
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEM
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEM
 
Splunk Distributed Management Console
Splunk Distributed Management Console                                         Splunk Distributed Management Console
Splunk Distributed Management Console
 
Splunk Cloud
Splunk CloudSplunk Cloud
Splunk Cloud
 
Splunk
SplunkSplunk
Splunk
 
Splunk HTTP Event Collector
Splunk HTTP Event CollectorSplunk HTTP Event Collector
Splunk HTTP Event Collector
 
Splunk Architecture overview
Splunk Architecture overviewSplunk Architecture overview
Splunk Architecture overview
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2
 
Elastic stack Presentation
Elastic stack PresentationElastic stack Presentation
Elastic stack Presentation
 
SplunkLive! Splunk for Security
SplunkLive! Splunk for SecuritySplunkLive! Splunk for Security
SplunkLive! Splunk for Security
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 

Similar to Getting Started with Splunk Enterprise - Demo

SplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language BeginnerSplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language Beginner
Splunk
 

Similar to Getting Started with Splunk Enterprise - Demo (20)

Getting started with Splunk
Getting started with SplunkGetting started with Splunk
Getting started with Splunk
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout Session
 
Splunk 6.5.0-pivot tutorial (7)
Splunk 6.5.0-pivot tutorial (7)Splunk 6.5.0-pivot tutorial (7)
Splunk 6.5.0-pivot tutorial (7)
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
 
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics MethodsSplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
 
SplunkLive! Tampa: Splunk for Security - Hands-On Session
SplunkLive! Tampa: Splunk for Security - Hands-On SessionSplunkLive! Tampa: Splunk for Security - Hands-On Session
SplunkLive! Tampa: Splunk for Security - Hands-On Session
 
Getting started with Splunk Breakout Session
Getting started with Splunk Breakout SessionGetting started with Splunk Breakout Session
Getting started with Splunk Breakout Session
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics Methods
 
SplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language BeginnerSplunkLive! Washington DC May 2013 - Search Language Beginner
SplunkLive! Washington DC May 2013 - Search Language Beginner
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
 
Getting Started Getting Started With Splunk Enterprise
Getting Started Getting Started With Splunk EnterpriseGetting Started Getting Started With Splunk Enterprise
Getting Started Getting Started With Splunk Enterprise
 
Splunk
SplunkSplunk
Splunk
 
Splunk conf2014 - Onboarding Data Into Splunk
Splunk conf2014 - Onboarding Data Into SplunkSplunk conf2014 - Onboarding Data Into Splunk
Splunk conf2014 - Onboarding Data Into Splunk
 
Snowflake_free_trial_LabGuide.pdf
Snowflake_free_trial_LabGuide.pdfSnowflake_free_trial_LabGuide.pdf
Snowflake_free_trial_LabGuide.pdf
 
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search Dojo
 
BestInFlowCompetitionTutorials03May2023
BestInFlowCompetitionTutorials03May2023BestInFlowCompetitionTutorials03May2023
BestInFlowCompetitionTutorials03May2023
 

More from Splunk

More from Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
Inside SecOps at bet365
Inside SecOps at bet365 Inside SecOps at bet365
Inside SecOps at bet365
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Getting Started with Splunk Enterprise - Demo

  • 1. Getting Started with Splunk Page 1 of 11 Before Demo Things to do prior to demo: 1. Download latest version of Splunk from http://www.splunk.com/download 2. Download http://docs.splunk.com/images/Tutorial/tutorialdata.zip Notables The idea is to introduce the main features of Splunk iteratively as you do the demo, explaining what they are and how they work, not just simply point them out. [http://docs.splunk.com/images/e/e5/6.2tutorial_startsearching2.png] Also, please remember to sprinkle in Splunk’s typical value props as you demo: Real-Time architecture, agile statistics and reporting, schema on the fly, raw data stored – nothing filtered in the event, time-based series, etc. At a high level the customer has been receiving a lot of customer complaints when engaging in their online sales portal for video games. They would like visibility into what causes issues and be alerted when they do occur. Total demo time should be about 30 min or less. Demo 1. Install latest version of Splunk. 2. Start up the new installed instance of Splunk.  If not installing on a Windows based machine please mention it’s installed as a Service. Its start up status can be modified there.  On *nix platforms the following command can be run to ensure Splunk starts at boot time:  $SPLUNK_HOME/bin/splunk enable boot-start 3. Ingest Tutorial Data Click Path – Screen Action Say - Description Display Emulate thatyou download tutorialdata.zipandshow it’s contents. Docs Website where youcan getthisdata. Splunkprovidesanonlinetutorial for gettingdataintoSplunk. It includesa sample datafile thatcomesfromthe fictitious“ButterCupGames,Inc.”:A worldwide game companysellingit’s productsthroughit’sonline store. Thiszipfile iscollectionof webaccess logs,securitylogs,andvendorsales
  • 2. Getting Started with Splunk Page 2 of 11 generatedfromwebsite infrastructure. Loginto newlyinstalledSplunk instance onyour laptop. There are twowaysto get to the appropriate menu. Afteryoulogin yousee the option “AddData” -> Settings -> Add Data OR -> Settings -> Data Input There are twomore optionsunderthe Settingsmenu. Yousee the “Add Data” image again,but underData youalso have “Data Inputs”. I’m goingto clickon “AddData” ClickUploadaftersayingthe following: Besidesuploading datayoualsosee youcan monitorfiles, use Windows ManagementInstrumentation(WMI), TCP/UDP,Scripts,and Modularinput for external datasources. Splunk’s Universal Forwarderallowsyouto securelyandefficientlyforwarddata fromremote server. We are goingto choose the uploadoption. SelectFile -> browse to tutorialdata -> www3 -> access.log OR Clickand Drag tutorialdata/www3/access.log to “Drop your data file here” ClickgreenNextbuttonattop of the screen. Once selected,Splunkwillshow me a sample of myeventsandmake a best guessonthe type of data, the timestamp,and determine if the data issingle line ormulti-line.Ican override Splunk’sbestguess,ordefine my ownsettingsforhow I wantthe data to be treated withthe user interface. Thisone time configuration providessupportfora varietyof out- of-box source typeswhilegivingyou the flexibilitytodefine anew source type basedonany customsourcesyou may have.
Click Path: Click Back in the web browser. Click and drag tutorialdata.zip onto "Drop your data file here". Click the green Next button at the top of the screen.
Say: You can even ingest compressed files, so let's upload tutorialdata.zip to "bulk" upload all of this data.

Click Path: Click Review at the top of the screen after saying the following.
Say: Here you can set additional input parameters for this data.
Sourcetype: tells Splunk what kind of data you have, so Splunk can categorize your data and you can search it easily.
Host: the name of the machine the data originated from.
Index: a logical container/destination for your data.

Click Path: Apps -> Searching & Reporting
Say: With the data ingested we can immediately begin to search it and gain meaningful insight.

4. Search Basics

Let's say you are a website administrator. You recently received user complaints that web pages are failing and not returning content when they should. Let's use Splunk to search this data, to determine not only the problems that happened but the factors associated with or contributing to them.

Click Path: Search Bar -> * (do this before you say the following)
Say: At the top of the screen you have a search bar, similar to what you would use when searching the Internet. I can simply type what I'd like to search for. Notice that when you search, it's across all your data: structured, unstructured, and very likely heterogeneous.

Click Path: Search Bar -> buttercupgames (returns 36,819 events)
Say: Similar to Google, I can use whole words, such as typing in the word "buttercupgames". Please notice that as you type, Splunk displays "Matching terms" just below the search bar. Splunk also displays different ways to use search to return events. Splunk's goal is to enable our customers to use many of the skills they already have when searching, making it easy to do while providing quick time to value. Executing the search for "buttercupgames" returns events containing that word, with the term highlighted in each event returned.

Click Path: Search Bar -> buttercupgames 403 (returns 282 events)
Say: Let's say a customer made a request that the buttercupgames web service refused to serve; the web server responds with a 403 (Forbidden) code. Expand our search to include 403. When searching for two terms the AND is implied. Note that a bare term like 403 matches that token anywhere in the event, not only in the status field; we will tighten this to the extracted field in a moment.

Click Path: Search Bar -> buttercupgames 403 OR 404 (returns 1,013 events)
Say: Maybe a web page resource was missing; that would be encoded as a 404, so we can look for either 403 OR 404.

Click Path: Search Bar -> buttercupgames 40* (returns 5,268 events)
Say: Instead of OR, maybe we use a wildcard and search for 40*. Notice that this returns terms starting with "40", dramatically increasing our result set. You can see 408, 404, 406, etc. highlighted.
5. Time Picker

Click Path: Search Bar -> buttercupgames 403 -> Time drop-down
Say: All events in Splunk are time-based. Keying off time is another way to enable efficient searching. Splunk provides a time picker, giving you the flexibility to search real-time data, relative time ranges such as the previous business week, the last 30 minutes, or all time. You can also define specific time or date ranges.

Click Path: Highlight the histogram.
Say: Below the search bar is a histogram displaying the frequency of events. This can be very helpful if I'm looking for gaps or spikes in certain types of events. I also have the option of zooming in on the histogram, focusing all the way down to milliseconds.

6. Extracted Fields

Click Path: Expand the first event.
Say: The real secret sauce of Splunk is its ability to recognize and extract information contained within the events. Splunk will automatically pull out any key/value pairs, IP addresses, time and date fields, as well as common formats such as comma- or tab-delimited fields in a CSV file. Splunk does this while retaining the entire raw event.

Click Path: Click on the value of status -> Add to search
Say: By clicking on any given value you can add it to or exclude it from a search, or even start a new search based on that value. Adding it to our existing search, you'll notice a key=value pair added to the search. Now, instead of just searching for a given term anywhere in an event, you can refine your search to events whose extracted field contains a specific value.

Click Path: Highlight the left-hand pane.
Say: On the left I can see ALL the fields that were dynamically extracted and are available to me for searching and reporting purposes. Splunk also shows the number of unique values it found for every field.

Click Path: -> Smart Mode
Say: You can also adjust Splunk's "discovery mode" for field data extraction during searches.

7. Dynamic Field Extraction

a. Expand an event, click on Event Actions -> Extract Fields.
b. Extract the field after the status code; it should be the response size.
   It will miss some; no worries, just highlight the values missed in the events and add them to the extraction.

8. Alerts

Click Path: -> Save As -> Alert
Say: Now, if the server refuses a user's request (status=403), Splunk can detect that and alert us to it.

Click Path: Click Real Time, provide a title, then click Next.
Say: I can choose to constantly monitor for this in real time or to schedule this alert at a variety of frequencies.

Say: Splunk provides flexible notification options, allowing you to assign a severity to the alert, to automatically distribute an email (or SMS text) and include the output inline or as an attachment. You can even do more advanced actions, like running a script native to the OS Splunk runs on, for such things as mitigation or remediation. Be aware that such a script runs with the privileges of the account the Splunk service itself runs as, so keep remediation scripts narrowly scoped.
9. Statistics and Reporting

Click Path: Search Bar -> buttercupgames status=403 -> Statistics tab
Say: Splunk makes gathering statistics and reporting a snap. Let's click on the "Statistics" tab underneath the search bar.

Click Path: -> Quick Reports
Say: You are presented with three different options. Quick Reports lets you click on any field for a list of quick reports.

Click Path: -> uri_path
Say: To find the web pages associated with the server refusing requests, click on uri_path. Here Splunk provides different reporting options: Top Values, Top Values by Time, etc.

Click Path: -> uri_path -> Top values
Say: Clicking on Top Values I get a breakdown of the total number of refused requests, broken down per uri_path, or web page.

Click Path: -> Bar -> Pie
Say: Reporting is agile; you can easily modify the visualization. Maybe we want a pie chart instead of a bar chart. No problem.

Click Path: -> Save As -> Dashboard Panel
  Fill in the dashboard title
  Enable "Shared in App" for Dashboard Permissions
  Panel title "Failures by Web Page"
  Click Save
  Click View Dashboard

Click Path: Search -> Search Bar -> buttercupgames. Click on the Statistics tab, choose Pivot. Click OK.
Say: Splunk also allows you to build tables and visualizations using multiple fields and metrics without writing searches. Pivot automatically generates data models based on your data, allowing you to pivot around your data to extract statistics and reports.

Click Path: -> + (next to the time filter), status, then match = 403
Say: We can select the status attribute, then enter a value of 403.

Click Path: Split Rows -> + -> uri_path, Add to Table
Say: We can split the number of refused requests by uri_path.

Click Path: Click on Horizontal Bar Chart in the reporting panel.
Say: We can leave the data in tabular form or simply choose another visualization.

Click Path: -> Save As -> Dashboard Panel -> Existing. Make sure the previous dashboard "Server Failures" appears. Provide a model title and ID. Click Save -> View Dashboard.

10. Command Language

Click Path: Search -> Search Bar -> buttercupgames | stats count by status
Save As -> Report
Say: There are nearly 140 search commands that can be applied to data. When searching data you isolate the events you are interested in, then apply Splunk's commands to transform data, further reduce data sets, generate statistics or perform analytics on the data. To do this we apply a pipe character (|) and then issue the desired command. For example, if we wanted a count of all status codes found in our data, we can use the stats command to count all events with status values, then split the count by individual status value. Let's save that as a report.

Click Path: Search Bar -> buttercupgames | stats count by status | where status=403 OR status=404
Save As -> Dashboard
Say: Maybe we're only interested in 403s and 404s? No problem, let's just use a where command to isolate those. The where works here because status is the "by" field and so survives the stats command. Cool. Let's make this part of a dashboard.

Click Path: Search Bar -> buttercupgames (status=403 OR status=404) | stats count, sparkline by uri_path
Say: In addition to counting, you can see trending information by adding a sparkline function to stats. Heck, let's even break it down by web page too. Note that the status filter moves in front of the pipe this time: after stats ... by uri_path only count, sparkline and uri_path remain, so a trailing "where status=403 OR status=404" would match nothing. We'll add that to our dashboard.

Click Path: Search Bar -> buttercupgames NOT status=200 | timechart count by uri_path
Say: What if we want to see any response that wasn't OK, basically any non-200 code, and we'd like to see an actual time distribution of those? The timechart command handles that quite nicely. Because Splunk's reporting is agile you can easily change the visualization on the fly. Maybe we want to stack our values for a given day. Totally cool! Let's save that to our dashboard.

Click Path: Search Bar -> buttercupgames NOT status=200 | iplocation clientip | geostats count
Say: Want to see where the clients encountering these request problems are located? Just use the iplocation and geostats commands. Definitely want to add that to my dashboard! These are just a few ways to apply the over 140 commands available in Splunk.

11. Splunk Applications

https://splunkbase.splunk.com
The collection of saved reports, dashboards, alerts, input settings, etc. is what Splunk refers to as an application. There are over 600 readily available applications on the Splunkbase website, meant to provide instant value through prebuilt dashboards, alerts, and reports for your data sources.
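The following is an added example, not part of the original demo script and not Splunk's own code: a small Python re-implementation of what the searches in sections 6, 8 and 10 compute (automatic field extraction from a raw access-log event, "stats count by", the 403/404 filter before stats, one-hour timechart buckets, and a simple scheduled-alert check for a burst of 403s from one client). It runs over a handful of constructed log lines laid out like the tutorial's www3/access.log; the exact format is an assumption and the lines are not taken from tutorialdata.zip.

```python
"""Added example: what the demo's SPL searches compute, in plain Python.
The SAMPLE_LOG lines are constructed to resemble the tutorial's access.log
layout (assumption); they are not from tutorialdata.zip."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real tutorial data).
SAMPLE_LOG = """\
91.205.189.15 - - [28/Apr/2014:18:22:16] "GET /cart.do?action=view&itemId=EST-14 HTTP/1.1" 200 1665 "-" "Mozilla/5.0" 159
91.205.189.15 - - [28/Apr/2014:18:22:17] "GET /product.screen?productId=WC-SH-A02 HTTP/1.1" 403 512 "-" "Mozilla/5.0" 33
10.0.0.7 - - [28/Apr/2014:18:40:01] "GET /static/old.css HTTP/1.1" 404 230 "-" "curl/7.35" 12
10.0.0.7 - - [28/Apr/2014:19:05:44] "GET /product.screen?productId=WC-SH-A02 HTTP/1.1" 403 512 "-" "Mozilla/5.0" 31
10.0.0.7 - - [28/Apr/2014:19:06:10] "GET /product.screen?productId=WC-SH-A02 HTTP/1.1" 403 512 "-" "Mozilla/5.0" 29
198.51.100.9 - - [28/Apr/2014:19:10:02] "POST /cart.do?action=addtocart HTTP/1.1" 200 1243 "-" "Mozilla/5.0" 201
198.51.100.9 - - [28/Apr/2014:19:11:30] "GET /oldlink?itemId=EST-26 HTTP/1.1" 404 230 "-" "Mozilla/5.0" 15
"""

# Roughly what Splunk's automatic extraction yields for this sourcetype:
# clientip, timestamp, method, uri_path and status, with the raw event kept.
LINE_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_events(text):
    """Turn raw lines into event dicts with extracted fields (section 6)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:  # Splunk would still index the raw line; here we skip it
            continue
        ev = m.groupdict()
        ev["_raw"] = raw
        ev["_time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S")
        ev["uri_path"] = ev["uri"].split("?", 1)[0]  # path without query string
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events

def stats_count_by(events, field):
    """Equivalent of `... | stats count by <field>`."""
    return dict(Counter(ev[field] for ev in events))

def failures_by_uri_path(events, statuses=(403, 404)):
    """Equivalent of `buttercupgames (status=403 OR status=404) | stats count by uri_path`.
    The filter must run before stats: once events are collapsed per uri_path,
    the status field is gone, so `| where status=403` afterwards matches nothing."""
    return stats_count_by([ev for ev in events if ev["status"] in statuses], "uri_path")

def timechart_non_200(events, span=timedelta(hours=1)):
    """Equivalent of `buttercupgames NOT status=200 | timechart span=1h count by uri_path`."""
    chart = defaultdict(Counter)
    for ev in events:
        if ev["status"] == 200:
            continue
        # Align the event time down to the start of its span bucket.
        bucket = ev["_time"] - ((ev["_time"] - datetime.min) % span)
        chart[bucket][ev["uri_path"]] += 1
    return {b.isoformat(): dict(c) for b, c in sorted(chart.items())}

def alert_403_burst(events, window=timedelta(minutes=60), threshold=2):
    """Scheduled-alert style check (section 8): report clients that produced at
    least `threshold` 403 responses within any `window`."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["status"] == 403:
            by_ip[ev["clientip"]].append(ev["_time"])
    offenders = []
    for ip, times in by_ip.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                offenders.append(ip)
                break
    return sorted(offenders)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(stats_count_by(evs, "status"))
    print(failures_by_uri_path(evs))
    print(timechart_non_200(evs))
    print(alert_403_burst(evs))
```

The alert check is deliberately keyed on clientip rather than on a bare count of 403s: a handful of forbidden responses spread across many users is normal noise, while a burst from one address is the signal worth waking someone for.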