SlideShare a Scribd company logo

Splunk live! ninjas_break-out

Splunk
Splunk

SplunkLive! San Francisco

Technology
1 of 43
Splunk Ninjas: New Features, Pivot and Search Dojo
2 Safe Harbor Statement During the course of this presentation,we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described orto includeany suchfeatureor functionalityina futurerelease.
3 Agenda What’s new in 6.1 – New features and capabilities Data Models and Pivot – Analyze data without using search commands Harness the power of search – The 5 search commands that can solve most problems
4 Introducing Splunk Enterprise 6.1 ENABLING THE MISSION-CRITICAL ENTERPRISE ENHANCED INTERACTIVE ANALYTICS EMBEDDING OPERATIONAL INTELLIGENCE
5 Introducing Splunk Enterprise 6.1 ENABLING THE MISSION-CRITICAL ENTERPRISE ENHANCED INTERACTIVE ANALYTICS EMBEDDING OPERATIONAL INTELLIGENCE
6 Mission-critical Availability New Clustering Features • Location aware replication • Search Head Affinity MISSION CRITICAL ENTERPRISE REPLICATION Portland Datacenter New York Datacenter
7 Load and Preview Structured Data Data Preview with Structured Inputs • Easily onboard structured data • Preview the fields before indexing • Configure from the GUI Adjust configurations in the UI • Delimiters, Headers, Time Stamp Preview results before committing MISSION CRITICAL ENTERPRISE
8 MISSION CRITICAL ENTERPRISE Integrated Mainframe Insights New Forwarder • Collect data from mainframes • Correlate with the rest of the stack
13 Introducing Splunk Enterprise 6.1 ENABLING THE MISSION-CRITICAL ENTERPRISE ENHANCED INTERACTIVE ANALYTICS EMBEDDING OPERATIONAL INTELLIGENCE
14 More Actionable Alerting Customized Alerts • Add tokens to the alerts from the search results • Select preferred format and delivery of results Customize Recipients Customize Message Select Delivery Method EMBEDDING OPERATIONAL INTELLIGENCE
15 Visualization in Splunk iframe Visualization in non-Splunk UI Add Splunk Insights to Business Apps Embedded Reporting • Embed scheduled reports into web applications • Share with users who don’t have access to Splunk • 1-line copy/paste to embed in external application EMBEDDING OPERATIONAL INTELLIGENCE
16 Splunk Mobile App EMBEDDING OPERATIONAL INTELLIGENCE • Access dashboards and reports • Annotate dashboards and share with others • Receive push notifications Native Mobile Experience
17 Download the Overview App http://apps.splunk.com/app/1773
Data Models and Pivot
19 Model, Report, and Accelerate Build complex reports without the search language Provides more meaningful representation of underlying raw machine data Pivot Data Model Acceleration technology delivers up to 1000x faster analytics over Splunk 5 Analytics Store
20 Creating a Data Model Basic Steps 1. Have a use for a Data Model 2. Write a base search 3. Select the fields to include
27 Data Model Acceleration • Automatically collected and maintained • Stored on the indexers • Must share the Data Model • Cost is additional disk space Makes reporting crazy fast
28 Pivot • Drag-and-drop interface • No need to understand underlying data • Click to visualize Select fields from data model Time window All chart types available in the chart toolbox Save report to share Build Reports without SPL
Harness the Power of Search
36 search and filter | munge | report | cleanup Search Processing Language sourcetype=access* | eval KB=bytes/1024 | stats sum(MB) dc(clientip) | rename sum(MB) AS "Total MB" dc(clientip) AS "Unique Customers"
37 Five Commands that will Solve Most Data Questions eval - Modify or Create New Fields and Values stats - Calculate Statistics Based on Field Values eventstats - Add Summary Statistics to Search Results streamstats - Cumulative Statistics for Each Event transaction - Group Related Events Spanning Time
39 eval - Modify or Create New Fields and Values Examples • Calculation: sourcetype=access* |eval KB=bytes/1024 • Evaluation: sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) • Concatenation: sourcetype=access* | eval connection = clientip.":".port
40 Examples • Calculation: sourcetype=access* |eval KB=bytes/1024 • Evaluation: sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) • Concatenation: sourcetype=access* | eval connection = clientip.":".port eval - Modify or Create New Fields and Values
41 Examples • Calculation: sourcetype=access* |eval KB=bytes/1024 • Evaluation: sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) • Concatenation: sourcetype=access* | eval connection = clientip.":".port eval - Modify or Create New Fields and Values
43 stats – Calculate Statistics Based on Field Values Examples • Calculate stats and rename sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) AS “Total KB” • Multiple statistics sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) • By another field sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) by clientip
44 stats – Calculate Statistics Based on Field Values Examples • Calculate stats and rename sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) as “Total KB” • Multiple statistics sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) • By another field sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) by clientip
45 stats – Calculate Statistics Based on Field Values Examples • Calculate statistics sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) AS "Total KB” • Multiple statistics sourcetype=access* | eval KB=bytes/1024 | stats avg(KB) sum(KB) • By another field sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) by clientip
47 eventstats – Add Summary Statistics to Search Results Examples • Overlay Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes | timechart latest(avg_bytes) avg(bytes) • Moving Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes by date_hour | timechart latest(avg_bytes) avg(bytes) • By created field sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) | eventstats avg(bytes) AS avg_bytes by http_response | timechart latest(avg_bytes) avg(bytes) by http_response
48 Examples • Overlay Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes | timechart latest(avg_bytes) avg(bytes) • Moving Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes by date_hour | timechart latest(avg_bytes) avg(bytes) • By created field sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) | eventstats avg(bytes) AS avg_bytes by http_response | timechart latest(avg_bytes) avg(bytes) by http_response eventstats – Add Summary Statistics to Search Results
49 Examples • Overlay Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes | timechart latest(avg_bytes) avg(bytes) • Moving Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes by date_hour | timechart latest(avg_bytes) avg(bytes) • By created field sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) | eventstats avg(bytes) AS avg_bytes by http_response | timechart latest(avg_bytes) avg(bytes) by http_response eventstats – Add Summary Statistics to Search Results
51 streamstats – Cumulative Statistics for Each Event Examples • Cumulative Sum sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total | timechart max(bytes_total) • Cumulative Sum by Field sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total by status | timechart max(bytes_total) by status • Moving Average sourcetype=access* | timechart avg(bytes) as avg_bytes | streamstats avg(avg_bytes) AS moving_avg_bytes window=10 | timechart latest(moving_avg_bytes) latest(avg_bytes)
52 Examples • Cumulative Sum sourcetype=access* | timechart sum(bytes) as bytes | streamstats sum(bytes) as cumulative_bytes | timechart max(cumulative_bytes) • Cumulative Sum by Field sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total by status | timechart max(bytes_total) by status • Moving Average sourcetype=access* | timechart avg(bytes) as avg_bytes | streamstats avg(avg_bytes) AS moving_avg_bytes window=10 | timechart latest(moving_avg_bytes) latest(avg_bytes) streamstats – Cumulative Statistics for Each Event
53 Examples • Cumulative Sum sourcetype=access* | timechart sum(bytes) as bytes | streamstats sum(bytes) as cumulative_bytes | timechart max(cumulative_bytes) • Cumulative Sum by Field sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total by status | timechart max(bytes_total) by status • Moving Average sourcetype=access* | timechart avg(bytes) as avg_bytes | streamstats avg(avg_bytes) AS moving_avg_bytes window=10 | timechart latest(moving_avg_bytes) latest(avg_bytes) streamstats – Cumulative Statistics for Each Event
55 transaction – Group Related Events Spanning Time Examples • Group by Session ID sourcetype=access* | transaction JSESSIONID • Calculate Session Durations sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration) • Stats is Better sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest by JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration)
56 Examples • Group by Session ID sourcetype=access* | transaction JSESSIONID • Calculate Session Durations sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration) • Stats is Better sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest by JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) transaction – Group Related Events Spanning Time
57 Examples • Group by Session ID sourcetype=access* | transaction JSESSIONID • Calculate Session Durations sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration) • Stats is Better sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest by JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) transaction – Group Related Events Spanning Time
58 Learn Them Well and Become a Ninja eval - Modify or Create New Fields and Values stats - Calculate Statistics Based on Field Values eventstats - Add Summary Statistics to Search Results streamstats - Cumulative Statistics for Each Event transaction - Group Related Events Spanning Time See many more examples and neat tricks at docs.splunk.com and answers.splunk.com
Questions?
Bonus Command
61 cluster – Find Common and/or Rare Events Examples • Find the most common events * | cluster showcount=t t=0.1 | table cluster_count, _raw | sort - cluster_count • Select a field to cluster on sourcetype=access* | cluster field=bc_uri showcount=t | table cluster_count bc_uri _raw | sort -cluster_count • Most or least common errors index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count
62 cluster – Find Common and/or Rare Events Examples • Find the most common events * | cluster showcount=t t=0.1 | table cluster_count, _raw | sort - cluster_count • Select a field to cluster on sourcetype=access* | cluster field=bc_uri showcount=t | table cluster_count bc_uri _raw | sort -cluster_count • Most or least common errors index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count
63 cluster – Find Common and/or Rare Events Examples • Find the most common events * | cluster showcount=t t=0.1 | table cluster_count, _raw | sort - cluster_count • Select a field to cluster on sourcetype=access* | cluster field=bc_uri showcount=t | table cluster_count bc_uri _raw | sort -cluster_count • Most or least common errors index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count
Thank You

Recommended

SplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunk
 
Splunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk
 
Splunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout SessionSplunk
 
SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101Splunk
 
Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Splunk
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk
 

Recommended

SplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunkLive! Detroit April 2013 - Domino's Pizza
SplunkLive! Detroit April 2013 - Domino's PizzaSplunk
 
Splunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk Ninjas Breakout Session
Splunk Ninjas Breakout SessionSplunk
 
Splunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk Ninjas: New features, pivot, and search dojo
Splunk Ninjas: New features, pivot, and search dojoSplunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
Data Models Breakout Session
Data Models Breakout SessionData Models Breakout Session
Data Models Breakout SessionSplunk
 
SplunkLive! Data Models 101
SplunkLive! Data Models 101SplunkLive! Data Models 101
SplunkLive! Data Models 101Splunk
 
Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Nationwide Splunk Ninjas!
Nationwide Splunk Ninjas!Splunk
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunk
 
SplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunk
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunk
 
SplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunk
 
SplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunk
 
Splunk Dynamic lookup
Splunk Dynamic lookupSplunk Dynamic lookup
Splunk Dynamic lookupSplunk
 
Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Splunk
 
SplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunk
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunk
 
Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Arun Karthick Manoharan
 
Making Pretty Charts in Splunk
Making Pretty Charts in SplunkMaking Pretty Charts in Splunk
Making Pretty Charts in SplunkSplunk
 
Headaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous ApplicationsHeadaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous ApplicationsDatabricks
 
Splunk overview
Splunk overviewSplunk overview
Splunk overviewDaniel Hernandez
 
Reliable and Scalable Data Ingestion at Airbnb
Reliable and Scalable Data Ingestion at AirbnbReliable and Scalable Data Ingestion at Airbnb
Reliable and Scalable Data Ingestion at AirbnbDataWorks Summit/Hadoop Summit
 
Omid: scalable and highly available transaction processing for Apache Phoenix
Omid: scalable and highly available transaction processing for Apache PhoenixOmid: scalable and highly available transaction processing for Apache Phoenix
Omid: scalable and highly available transaction processing for Apache PhoenixDataWorks Summit
 
The Function, the Context, and the Data—Enabling ML Ops at Stitch Fix
The Function, the Context, and the Data—Enabling ML Ops at Stitch FixThe Function, the Context, and the Data—Enabling ML Ops at Stitch Fix
The Function, the Context, and the Data—Enabling ML Ops at Stitch FixDatabricks
 
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...Lucidworks
 
eBay Experimentation Platform on Hadoop
eBay Experimentation Platform on HadoopeBay Experimentation Platform on Hadoop
eBay Experimentation Platform on HadoopTony Ng
 
Raven: End-to-end Optimization of ML Prediction Queries
Raven: End-to-end Optimization of ML Prediction QueriesRaven: End-to-end Optimization of ML Prediction Queries
Raven: End-to-end Optimization of ML Prediction QueriesDatabricks
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo Splunk
 

More Related Content

What's hot

SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunk
 
SplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunk
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunk
 
SplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunk
 
SplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunk
 
Splunk Dynamic lookup
Splunk Dynamic lookupSplunk Dynamic lookup
Splunk Dynamic lookupSplunk
 
Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Splunk
 
SplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunk
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunk
 
Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Arun Karthick Manoharan
 
Making Pretty Charts in Splunk
Making Pretty Charts in SplunkMaking Pretty Charts in Splunk
Making Pretty Charts in SplunkSplunk
 
Headaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous ApplicationsHeadaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous ApplicationsDatabricks
 
Omid: scalable and highly available transaction processing for Apache Phoenix
Omid: scalable and highly available transaction processing for Apache PhoenixOmid: scalable and highly available transaction processing for Apache Phoenix
Omid: scalable and highly available transaction processing for Apache PhoenixDataWorks Summit
 
The Function, the Context, and the Data—Enabling ML Ops at Stitch Fix
The Function, the Context, and the Data—Enabling ML Ops at Stitch FixThe Function, the Context, and the Data—Enabling ML Ops at Stitch Fix
The Function, the Context, and the Data—Enabling ML Ops at Stitch FixDatabricks
 
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...Lucidworks
 
eBay Experimentation Platform on Hadoop
eBay Experimentation Platform on HadoopeBay Experimentation Platform on Hadoop
eBay Experimentation Platform on HadoopTony Ng
 
Raven: End-to-end Optimization of ML Prediction Queries
Raven: End-to-end Optimization of ML Prediction QueriesRaven: End-to-end Optimization of ML Prediction Queries
Raven: End-to-end Optimization of ML Prediction QueriesDatabricks
 

What's hot (20)

SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with Splunk
 
SplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with SplunkSplunkLive! London 2016 Getting started with Splunk
SplunkLive! London 2016 Getting started with Splunk
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk Enterprise
 
SplunkLive! Beginner Session
SplunkLive! Beginner SessionSplunkLive! Beginner Session
SplunkLive! Beginner Session
 
SplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCSSplunkLive! Dallas Nov 2012 - Metro PCS
SplunkLive! Dallas Nov 2012 - Metro PCS
 
Splunk Dynamic lookup
Splunk Dynamic lookupSplunk Dynamic lookup
Splunk Dynamic lookup
 
Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL) ...
 
SplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners Session
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk Enterprise
 
Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016Apache Eagle Strata Hadoop World London 2016
Apache Eagle Strata Hadoop World London 2016
 
Making Pretty Charts in Splunk
Making Pretty Charts in SplunkMaking Pretty Charts in Splunk
Making Pretty Charts in Splunk
 
Headaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous ApplicationsHeadaches and Breakthroughs in Building Continuous Applications
Headaches and Breakthroughs in Building Continuous Applications
 
Splunk overview
Splunk overviewSplunk overview
Splunk overview
 
Reliable and Scalable Data Ingestion at Airbnb
Reliable and Scalable Data Ingestion at AirbnbReliable and Scalable Data Ingestion at Airbnb
Reliable and Scalable Data Ingestion at Airbnb
 
Omid: scalable and highly available transaction processing for Apache Phoenix
Omid: scalable and highly available transaction processing for Apache PhoenixOmid: scalable and highly available transaction processing for Apache Phoenix
Omid: scalable and highly available transaction processing for Apache Phoenix
 
The Function, the Context, and the Data—Enabling ML Ops at Stitch Fix
The Function, the Context, and the Data—Enabling ML Ops at Stitch FixThe Function, the Context, and the Data—Enabling ML Ops at Stitch Fix
The Function, the Context, and the Data—Enabling ML Ops at Stitch Fix
 
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...
Using Apache Solr for Images as Big Data: Presented by Kerry Koitzsch, Wipro...
 
eBay Experimentation Platform on Hadoop
eBay Experimentation Platform on HadoopeBay Experimentation Platform on Hadoop
eBay Experimentation Platform on Hadoop
 
Raven: End-to-end Optimization of ML Prediction Queries
Raven: End-to-end Optimization of ML Prediction QueriesRaven: End-to-end Optimization of ML Prediction Queries
Raven: End-to-end Optimization of ML Prediction Queries
 

Similar to Splunk live! ninjas_break-out

Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo Splunk
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk
 
SplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunk
 
Intershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerIntershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerMauro Boffardi
 
SplunkLive! Advanced Session
SplunkLive! Advanced SessionSplunkLive! Advanced Session
SplunkLive! Advanced SessionSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DayZivaro Inc
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
Real-Time Status Commands
Real-Time Status CommandsReal-Time Status Commands
Real-Time Status CommandsSplunk
 
Splunk Enterprise 6.4
Splunk Enterprise 6.4Splunk Enterprise 6.4
Splunk Enterprise 6.4Splunk
 
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunk
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseShannon Cuthbertson
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk
 
SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2Splunk
 
Regain Control Thanks To Prometheus
Regain Control Thanks To PrometheusRegain Control Thanks To Prometheus
Regain Control Thanks To PrometheusEtienne Coutaud
 

Similar to Splunk live! ninjas_break-out (20)

Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search Dojo
 
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search Dojo
 
Splunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search DojoSplunk Ninjas: New Features, Pivot, and Search Dojo
Splunk Ninjas: New Features, Pivot, and Search Dojo
 
SplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojoSplunkLive! London: Splunk ninjas- new features and search dojo
SplunkLive! London: Splunk ninjas- new features and search dojo
 
Intershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerIntershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL Server
 
SplunkLive! Advanced Session
SplunkLive! Advanced SessionSplunkLive! Advanced Session
SplunkLive! Advanced Session
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech Day
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Real-Time Status Commands
Real-Time Status CommandsReal-Time Status Commands
Real-Time Status Commands
 
Splunk Enterprise 6.4
Splunk Enterprise 6.4Splunk Enterprise 6.4
Splunk Enterprise 6.4
 
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
 
SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2SplunkLive! Analytics with Splunk Enterprise - Part 2
SplunkLive! Analytics with Splunk Enterprise - Part 2
 
Regain Control Thanks To Prometheus
Regain Control Thanks To PrometheusRegain Control Thanks To Prometheus
Regain Control Thanks To Prometheus
 
Williams, Kirk iSetup OAUG 2004 V3
Williams, Kirk iSetup OAUG 2004 V3Williams, Kirk iSetup OAUG 2004 V3
Williams, Kirk iSetup OAUG 2004 V3
 

More from Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routineSplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTVSplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank InternationalSplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 

More from Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Recently uploaded (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Splunk live! ninjas_break-out

  • 1. Splunk Ninjas: New Features, Pivot and Search Dojo
  • 2. 2 Safe Harbor Statement During the course of this presentation,we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described orto includeany suchfeatureor functionalityina futurerelease.
  • 3. 3 Agenda What’s new in 6.1 – New features and capabilities Data Models and Pivot – Analyze data without using search commands Harness the power of search – The 5 search commands that can solve most problems
  • 4. 4 Introducing Splunk Enterprise 6.1 ENABLING THE MISSION-CRITICAL ENTERPRISE ENHANCED INTERACTIVE ANALYTICS EMBEDDING OPERATIONAL INTELLIGENCE
  • 5. 5 Introducing Splunk Enterprise 6.1 ENABLING THE MISSION-CRITICAL ENTERPRISE ENHANCED INTERACTIVE ANALYTICS EMBEDDING OPERATIONAL INTELLIGENCE
  • 6. 6 Mission-critical Availability New Clustering Features • Location aware replication • Search Head Affinity MISSION CRITICAL ENTERPRISE REPLICATION Portland Datacenter New York Datacenter
  • 7. 7 Load and Preview Structured Data Data Preview with Structured Inputs • Easily onboard structured data • Preview the fields before indexing • Configure from the GUI Adjust configurations in the UI • Delimiters, Headers, Time Stamp Preview results before committing MISSION CRITICAL ENTERPRISE
  • 8. 8 MISSION CRITICAL ENTERPRISE Integrated Mainframe Insights New Forwarder • Collect data from mainframes • Correlate with the rest of the stack
  • 9. 13 Introducing Splunk Enterprise 6.1 ENABLING THE MISSION-CRITICAL ENTERPRISE ENHANCED INTERACTIVE ANALYTICS EMBEDDING OPERATIONAL INTELLIGENCE
  • 10. 14 More Actionable Alerting Customized Alerts • Add tokens to the alerts from the search results • Select preferred format and delivery of results Customize Recipients Customize Message Select Delivery Method EMBEDDING OPERATIONAL INTELLIGENCE
  • 11. 15 Visualization in Splunk iframe Visualization in non-Splunk UI Add Splunk Insights to Business Apps Embedded Reporting • Embed scheduled reports into web applications • Share with users who don’t have access to Splunk • 1-line copy/paste to embed in external application EMBEDDING OPERATIONAL INTELLIGENCE
  • 12. 16 Splunk Mobile App EMBEDDING OPERATIONAL INTELLIGENCE • Access dashboards and reports • Annotate dashboards and share with others • Receive push notifications Native Mobile Experience
  • 13. 17 Download the Overview App http://apps.splunk.com/app/1773
  • 15. 19 Model, Report, and Accelerate Build complex reports without the search language Provides more meaningful representation of underlying raw machine data Pivot Data Model Acceleration technology delivers up to 1000x faster analytics over Splunk 5 Analytics Store
  • 16. 20 Creating a Data Model Basic Steps 1. Have a use for a Data Model 2. Write a base search 3. Select the fields to include
  • 17. 27 Data Model Acceleration • Automatically collected and maintained • Stored on the indexers • Must share the Data Model • Cost is additional disk space Makes reporting crazy fast
  • 18. 28 Pivot • Drag-and-drop interface • No need to understand underlying data • Click to visualize Select fields from data model Time window All chart types available in the chart toolbox Save report to share Build Reports without SPL
  • 19. Harness the Power of Search
  • 20. 36 search and filter | munge | report | cleanup Search Processing Language sourcetype=access* | eval KB=bytes/1024 | stats sum(MB) dc(clientip) | rename sum(MB) AS "Total MB" dc(clientip) AS "Unique Customers"
  • 21. 37 Five Commands that will Solve Most Data Questions eval - Modify or Create New Fields and Values stats - Calculate Statistics Based on Field Values eventstats - Add Summary Statistics to Search Results streamstats - Cumulative Statistics for Each Event transaction - Group Related Events Spanning Time
  • 22. 39 eval - Modify or Create New Fields and Values Examples • Calculation: sourcetype=access* |eval KB=bytes/1024 • Evaluation: sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) • Concatenation: sourcetype=access* | eval connection = clientip.":".port
  • 23. 40 Examples • Calculation: sourcetype=access* |eval KB=bytes/1024 • Evaluation: sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) • Concatenation: sourcetype=access* | eval connection = clientip.":".port eval - Modify or Create New Fields and Values
  • 24. 41 Examples • Calculation: sourcetype=access* |eval KB=bytes/1024 • Evaluation: sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) • Concatenation: sourcetype=access* | eval connection = clientip.":".port eval - Modify or Create New Fields and Values
  • 25. 43 stats – Calculate Statistics Based on Field Values Examples • Calculate stats and rename sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) AS “Total KB” • Multiple statistics sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) • By another field sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) by clientip
  • 26. 44 stats – Calculate Statistics Based on Field Values Examples • Calculate stats and rename sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) as “Total KB” • Multiple statistics sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) • By another field sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) by clientip
  • 27. 45 stats – Calculate Statistics Based on Field Values Examples • Calculate statistics sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) AS "Total KB” • Multiple statistics sourcetype=access* | eval KB=bytes/1024 | stats avg(KB) sum(KB) • By another field sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) avg(KB) by clientip
  • 28. 47 eventstats – Add Summary Statistics to Search Results Examples • Overlay Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes | timechart latest(avg_bytes) avg(bytes) • Moving Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes by date_hour | timechart latest(avg_bytes) avg(bytes) • By created field sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) | eventstats avg(bytes) AS avg_bytes by http_response | timechart latest(avg_bytes) avg(bytes) by http_response
  • 29. 48 Examples • Overlay Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes | timechart latest(avg_bytes) avg(bytes) • Moving Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes by date_hour | timechart latest(avg_bytes) avg(bytes) • By created field sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) | eventstats avg(bytes) AS avg_bytes by http_response | timechart latest(avg_bytes) avg(bytes) by http_response eventstats – Add Summary Statistics to Search Results
  • 30. 49 Examples • Overlay Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes | timechart latest(avg_bytes) avg(bytes) • Moving Average sourcetype=access* | eventstats avg(bytes) AS avg_bytes by date_hour | timechart latest(avg_bytes) avg(bytes) • By created field sourcetype=access* | eval http_response = if(status == 200, "OK", "Error”) | eventstats avg(bytes) AS avg_bytes by http_response | timechart latest(avg_bytes) avg(bytes) by http_response eventstats – Add Summary Statistics to Search Results
  • 31. 51 streamstats – Cumulative Statistics for Each Event Examples • Cumulative Sum sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total | timechart max(bytes_total) • Cumulative Sum by Field sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total by status | timechart max(bytes_total) by status • Moving Average sourcetype=access* | timechart avg(bytes) as avg_bytes | streamstats avg(avg_bytes) AS moving_avg_bytes window=10 | timechart latest(moving_avg_bytes) latest(avg_bytes)
  • 32. 52 Examples • Cumulative Sum sourcetype=access* | timechart sum(bytes) as bytes | streamstats sum(bytes) as cumulative_bytes | timechart max(cumulative_bytes) • Cumulative Sum by Field sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total by status | timechart max(bytes_total) by status • Moving Average sourcetype=access* | timechart avg(bytes) as avg_bytes | streamstats avg(avg_bytes) AS moving_avg_bytes window=10 | timechart latest(moving_avg_bytes) latest(avg_bytes) streamstats – Cumulative Statistics for Each Event
  • 33. 53 Examples • Cumulative Sum sourcetype=access* | timechart sum(bytes) as bytes | streamstats sum(bytes) as cumulative_bytes | timechart max(cumulative_bytes) • Cumulative Sum by Field sourcetype=access* | reverse | streamstats sum(bytes) as bytes_total by status | timechart max(bytes_total) by status • Moving Average sourcetype=access* | timechart avg(bytes) as avg_bytes | streamstats avg(avg_bytes) AS moving_avg_bytes window=10 | timechart latest(moving_avg_bytes) latest(avg_bytes) streamstats – Cumulative Statistics for Each Event
  • 34. 55 transaction – Group Related Events Spanning Time Examples • Group by Session ID sourcetype=access* | transaction JSESSIONID • Calculate Session Durations sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration) • Stats is Better sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest by JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration)
  • 35. 56 Examples • Group by Session ID sourcetype=access* | transaction JSESSIONID • Calculate Session Durations sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration) • Stats is Better sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest by JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) transaction – Group Related Events Spanning Time
  • 36. 57 Examples • Group by Session ID sourcetype=access* | transaction JSESSIONID • Calculate Session Durations sourcetype=access* | transaction JSESSIONID | stats min(duration) max(duration) avg(duration) • Stats is Better sourcetype=access* | stats min(_time) AS earliest max(_time) AS latest by JSESSIONID | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) transaction – Group Related Events Spanning Time
  • 37. 58 Learn Them Well and Become a Ninja eval - Modify or Create New Fields and Values stats - Calculate Statistics Based on Field Values eventstats - Add Summary Statistics to Search Results streamstats - Cumulative Statistics for Each Event transaction - Group Related Events Spanning Time See many more examples and neat tricks at docs.splunk.com and answers.splunk.com
  • 40. 61 cluster – Find Common and/or Rare Events Examples • Find the most common events * | cluster showcount=t t=0.1 | table cluster_count, _raw | sort - cluster_count • Select a field to cluster on sourcetype=access* | cluster field=bc_uri showcount=t | table cluster_count bc_uri _raw | sort -cluster_count • Most or least common errors index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count
  • 41. 62 cluster – Find Common and/or Rare Events Examples • Find the most common events * | cluster showcount=t t=0.1 | table cluster_count, _raw | sort - cluster_count • Select a field to cluster on sourcetype=access* | cluster field=bc_uri showcount=t | table cluster_count bc_uri _raw | sort -cluster_count • Most or least common errors index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count
  • 42. 63 cluster – Find Common and/or Rare Events Examples • Find the most common events * | cluster showcount=t t=0.1 | table cluster_count, _raw | sort - cluster_count • Select a field to cluster on sourcetype=access* | cluster field=bc_uri showcount=t | table cluster_count bc_uri _raw | sort -cluster_count • Most or least common errors index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count

Editor's Notes

  1. The Enhanced Dashboard Editor makes it easier to build advanced dashboards, adding visualizations and charts – all without Advanced XML. You can now easily add new inputs and panels to drive a richer experience and create advanced visualizations all in the the UI – without any coding.
  2. With Contextual Drill-down a primary panel can drive the charts, tables and visualizations on the rest of a dashboard.
  3. Splunk 6.1 delivers new controls to deliver an even more focused analytics experience with the machine data in Splunk Enterprise. Chart Overlay: Improves data analysis by providing the ability to overlay one chart on top of another. Pan and Zoom Controls: Enables more focused analytics by providing the ability in selecting a range of interest on a chart and zoom in for deeper analysis.
  4. Alerts are triggered when certain conditions are met – a feature Splunk Enterprise has had for sometime. Now with Splunk Enterprise 6.1 you can deliver alerts with embedded machine data context. This includes fields and values from the result set that triggered the alert as well as the search artifacts such as the time range the search ran over. You can also choose what you include or exclude in the email.
  5. Alerts are triggered when certain conditions are met – a feature Splunk Enterprise has had for sometime. Now with Splunk Enterprise 6.1 you can deliver alerts with embedded machine data context. This includes fields and values from the result set that triggered the alert as well as the search artifacts such as the time range the search ran over. You can also choose what you include or exclude in the email.
  6. Embedded Reports, enables any Splunk report or table to be embedded in third-party business application such as salesforce.com, WordPress, Wiki or Microsoft® SharePoint With Embedded Reports users are connected to the critical insights using tools they are already familiar with – all without having access to Splunk. Simply copy the iframe code provided by Splunk and paste it into your webpage. The authentication is handled in the URL.
  7. For more information, or to try out the features yourself. Check out the overview app which explains each of the features and includes code samples and examples where applicable.
  8. This section should take ~10 minutes
  9. Data Model – A data model is just like a map of the underlying data. It defines meaningful relationships in the data Pivot – is an interface to analyze data without using the splunk search language Analytics Store – is an option that can be applied to Data Models to make Pivot searches extremely fast. Think of it like our 3rd generation acceleration technology. Let’s dig into each of these features
  10. sourcetype=access* | eval http_response = if(status == 200, "OK", "Error") | eventstats avg(bytes) AS avg_bytes by http_response | timechart latest(avg_bytes) avg(bytes)
  11. Note: Chart is just stats visualized. Timechart is just stats by _time visualized.
  12. sourcetype=access* | eval KB=bytes/1024 | stats sum(KB) AS "Sum of KB"
  13. sourcetype=access* | stats values(useragent) avg(bytes) max(bytes) by clientip
  14. sourcetype=access* | stats values(useragent) avg(bytes) max(bytes) by clientip
  15. Eventstats let’s you add statistics about the entire search results and makes the statistics available as fields on each event. <Walk through the examples with a demo. Hidden slides are available as backup>
  16. Eventstats let’s you add statistics about the entire search results and makes the statistics available as fields on each event. Let’s use eventstats to create a timechart of the average bytes on top of the overall average. index=* sourcetype=access* | eventstats avg(bytes) AS avg_bytes | timechart latest(avg_bytes) avg(bytes)
  17. We can turn this into a moving average simply by adding “by date_hour” to calculate the average per hour instead of the overall average. index=* sourcetype=access* | eventstats avg(bytes) AS avg_bytes by date_hour | timechart latest(avg_bytes) avg(bytes)
  18. Decrease the threshold of similarity and see the change in results sourcetype=access* | cluster field=bc_uri showcount=t t=0.1| table cluster_count bc_uri _raw | sort -cluster_count