Implementing Splunk 7: Effective operational intelligence to transform machine-generated data into valuable business insight
A comprehensive guide to making machine data accessible across the organization using advanced dashboards. About This Book: Enrich machine-generated data and transform it into useful, meaningful insights. Perform search operations and configurations, build dashboards, and manage logs. Extend Splunk serv...
Other authors: | |
---|---|
Format: | E-book |
Language: | English |
Published: | Birmingham ; Mumbai : Packt, 2018. |
Edition: | Third edition |
Subjects: | |
View at Universitat Ramon Llull Library: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009631761006719 |
Table of Contents:
- Cover
- Title Page
- Copyright and Credits
- Packt Upsell
- Contributors
- Table of Contents
- Preface
- Chapter 1: The Splunk Interface
- Logging in to Splunk
- The home app
- The top bar
- The Search & Reporting app
- Data generator
- The Summary view
- Search
- Actions
- Timeline
- The field picker
- Fields
- Search results
- Options
- Events viewer
- Using the time picker
- Using the field picker
- The settings section
- Splunk Cloud
- Try before you buy
- A quick cloud tour
- The top bar in Splunk Cloud
- Splunk reference app - PAS
- Universal forwarder
- eventgen
- Next steps
- Summary
- Chapter 2: Understanding Search
- Using search terms effectively
- Boolean and grouping operators
- Clicking to modify your search
- Event segmentation
- Field widgets
- Time
- Using fields to search
- Using the field picker
- Using wildcards efficiently
- Supplementing wildcards in fields
- All about time
- How Splunk parses time
- How Splunk stores time
- How Splunk displays time
- How time zones are determined and why it matters
- Different ways to search against time
- Presets
- Relative
- Real-time
- Windowed real-time versus all-time real-time searches
- Date range
- Date and time range
- Advanced
- Specifying time in-line in your search
- _indextime versus _time
- Making searches faster
- Sharing results with others
- The URL
- Save As Report
- Save As Dashboard Panel
- Save As Alert
- Save As Event Type
- Searching job settings
- Saving searches for reuse
- Creating alerts from searches
- Enable Actions
- Action Options
- Sharing
- Event annotations
- An illustration
- Summary
- Chapter 3: Tables, Charts, and Fields
- About the pipe symbol
- Using top to show common field values
- Controlling the output of top
- Using stats to aggregate values
- Using chart to turn data
- Using timechart to show values over time
- The timechart options
- Working with fields
- A regular expression primer
- Commands that create fields
- eval
- rex
- Extracting loglevel
- Using the extract fields interface
- Using rex to prototype a field
- Using the admin interface to build a field
- Indexed fields versus extracted fields
- Indexed field case 1 - rare instances of a common term
- Indexed field case 2 - splitting words
- Indexed field case 3 - application from source
- Indexed field case 4 - slow requests
- Indexed field case 5 - unneeded work
- Chart enhancements in version 7.0
- charting.lineWidth
- charting.data.fieldHideList
- charting.legend.mode
- charting.fieldDashStyles
- charting.axisY.abbreviation
- Summary
- Chapter 4: Data Models and Pivots
- What is a data model?
- What does a data model search?
- Data model objects
- Object constraining
- Attributes
- Acceleration in version 7.0
- Creating a data model
- Filling in the new data model dialog
- Editing fields (attributes)
- Lookup attributes
- Children
- What is a pivot?
- The Pivot Editor
- Working with pivot elements
- Filtering pivots
- Split (row or column)
- Column values
- Pivot table formatting
- A quick example
- Sparklines
- Summary
- Chapter 5: Simple XML Dashboards
- The purpose of dashboards
- Using wizards to build dashboards
- Adding another panel
- A cool trick
- Converting the panel to a report
- More options
- Back to the dashboard
- Add input
- Editing source
- Edit UI
- Editing XML directly
- UI examples app
- Building forms
- Creating a form from a dashboard
- Driving multiple panels from one form
- Post-processing search results
- Post-processing limitations
- Features replaced
- Autorun dashboard
- Scheduling the generation of dashboards
- Summary
- Chapter 6: Advanced Search Examples
- Using subsearches to find loosely related events
- Subsearch
- Subsearch caveats
- Nested subsearches
- Using transaction
- Using transaction to determine session length
- Calculating the aggregate of transaction statistics
- Combining subsearches with transaction
- Determining concurrency
- Using transaction with concurrency
- Using concurrency to estimate server load
- Calculating concurrency with a by clause
- Calculating events per slice of time
- Using timechart
- Calculating average requests per minute
- Calculating average events per minute, per hour
- Rebuilding top
- Acceleration
- Big data - summary strategy
- Report acceleration
- Report acceleration availability
- Version 7.0 advancements in metrics
- Definition of a Splunk metric
- Using Splunk metrics
- Creating a metrics index
- Creating a UDP or TCP data input
- Summary
- Chapter 7: Extending Search
- Using tags to simplify search
- Using event types to categorize results
- Using lookups to enrich data
- Defining a lookup table file
- Defining a lookup definition
- Defining an automatic lookup
- Troubleshooting lookups
- Using macros to reuse logic
- Creating a simple macro
- Creating a macro with arguments
- Creating workflow actions
- Running a new search using values from an event
- Linking to an external site
- Building a workflow action to show field context
- Building the context workflow action
- Building the context macro
- Using external commands
- Extracting values from XML
- xmlkv
- XPath
- Using Google to generate results
- Summary
- Chapter 8: Working with Apps
- Defining an app
- Included apps
- Installing apps
- Installing apps from Splunkbase
- Using Geo Location Lookup Script
- Using Google Maps
- Installing apps from a file
- Building your first app
- Editing navigation
- Customizing the appearance of your app
- Customizing the launcher icon
- Using custom CSS
- Using custom HTML
- Custom HTML in a simple dashboard
- Using server-side include in a complex dashboard
- Object permissions
- How permissions affect navigation
- How permissions affect other objects
- Correcting permission problems
- App directory structure
- Adding your app to Splunkbase
- Preparing your app
- Confirming sharing settings
- Cleaning up our directories
- Packaging your app
- Uploading your app
- Self-service app management
- Summary
- Chapter 9: Building Advanced Dashboards
- Reasons for working with advanced XML
- Reasons for not working with advanced XML
- Development process
- Advanced XML structure
- Converting simple XML to advanced XML
- Module logic flow
- Understanding layoutPanel
- Panel placement
- Reusing a query
- Using intentions
- stringreplace
- addterm
- Creating a custom drilldown
- Building a drilldown to a custom query
- Building a drilldown to another panel
- Building a drilldown to multiple panels using HiddenPostProcess
- Third-party add-ons
- Google Maps
- Sideview Utils
- The Sideview search module
- Linking views with Sideview
- Sideview URLLoader
- Sideview forms
- Summary
- Chapter 10: Summary Indexes and CSV Files
- Understanding summary indexes
- Creating a summary index
- When to use a summary index
- When to not use a summary index
- Populating summary indexes with saved searches
- Using summary index events in a query
- Using sistats, sitop, and sitimechart
- How latency affects summary queries
- How and when to backfill summary data
- Using fill_summary_index.py to backfill
- Using collect to produce custom summary indexes
- Reducing summary index size
- Using eval and rex to define grouping fields
- Using a lookup with wildcards
- Using event types to group results
- Calculating top for a large time frame
- Summary index searches
- Using CSV files to store transient data
- Pre-populating a dropdown
- Creating a running calculation for a day
- Summary
- Chapter 11: Configuring Splunk
- Locating Splunk configuration files
- The structure of a Splunk configuration file
- The configuration merging logic
- The merging order
- The merging order outside of search
- The merging order when searching
- The configuration merging logic
- Configuration merging - example 1
- Configuration merging - example 2
- Configuration merging - example 3
- Configuration merging - example 4, search
- Using btool
- An overview of Splunk.conf files
- props.conf
- Common attributes
- Search-time attributes
- Index-time attributes
- Parse-time attributes
- Input-time attributes
- Stanza types
- Priorities inside a type
- Attributes with class
- inputs.conf
- Common input attributes
- Files as inputs
- Using patterns to select rolled logs
- Using blacklist and whitelist
- Selecting files recursively
- Following symbolic links
- Setting the value of the host from the source
- Ignoring old data at installation
- When to use crcSalt
- Destructively indexing files
- Network inputs
- Native Windows inputs
- Scripts as inputs
- transforms.conf
- Creating indexed fields
- Creating a loglevel field
- Creating a session field from the source
- Creating a tag field
- Creating host categorization fields
- Modifying metadata fields
- Overriding the host
- Overriding the source
- Overriding sourcetype
- Routing events to a different index
- Lookup definitions
- Wildcard lookups
- CIDR wildcard lookups
- Using time in lookups
- Using REPORT
- Creating multivalue fields
- Creating dynamic fields
- Chaining transforms
- Dropping events
- fields.conf
- outputs.conf