PacktLib: Implementing Splunk: Big Data Reporting and Development for Operational Intelligence

Credits

About the Author

About the Reviewers

www.PacktPub.com

Preface

The Splunk Interface

Logging in to Splunk

The Home app

The top bar

Search app

Using the time picker

Using the field picker

Using Manager

Summary

Understanding Search

Using search terms effectively

Boolean and grouping operators

Clicking to modify your search

Using fields to search

Using wildcards efficiently

All about time

Making searches faster

Sharing results with others

Saving searches for reuse

Creating alerts from searches

Summary

Tables, Charts, and Fields

About the pipe symbol

Using top to show common field values

Using stats to aggregate values

Using chart to turn data

Using timechart to show values over time

Working with fields

Summary

Simple XML Dashboards

The purpose of dashboards

Using wizards to build dashboards

Scheduling the generation of dashboards

Editing the XML directly

UI Examples app

Building forms

Summary

Advanced Search Examples

Using subsearches to find loosely related events

Using transaction

Determining concurrency

Calculating events per slice of time

Rebuilding top

Summary

Extending Search

Using tags to simplify search

Using event types to categorize results

Using lookups to enrich data

Using macros to reuse logic

Creating workflow actions

Using external commands

Summary

Working with Apps

Defining an app

Included apps

Installing apps

Building your first app

Editing navigation

Customizing the appearance of your app

Object permissions

App directory structure

Adding your app to Splunkbase

Summary

Building Advanced Dashboards

Reasons for working with advanced XML

Reasons for not working with advanced XML

Development process

Advanced XML structure

Converting simple XML to advanced XML

Module logic flow

Understanding layoutPanel

Reusing a query

Using intentions

Creating a custom drilldown

Third-party add-ons

Summary

Summary Indexes and CSV Files

Understanding summary indexes

When to use a summary index

When to not use a summary index

Populating summary indexes with saved searches

Using summary index events in a query

Using sistats, sitop, and sitimechart

How latency affects summary queries

How and when to backfill summary data

Reducing summary index size

Calculating top for a large time frame

Storing raw events in a summary index

Using CSV files to store transient data

Summary

Configuring Splunk

Locating Splunk configuration files

The structure of a Splunk configuration file

Configuration merging logic

An overview of Splunk .conf files

User interface resources

Summary

Advanced Deployments

Planning your installation

Splunk instance types

Common data sources

Sizing indexers

Planning redundancy

Working with multiple indexes

Deploying the Splunk binary

Using apps to organize configuration

Configuration distribution

Using LDAP for authentication

Using Single Sign On

Load balancers and Splunk

Multiple search heads

Summary

Extending Splunk

Writing a scripted input to gather data

Using Splunk from the command line

Querying Splunk via REST

Writing commands

Writing a scripted lookup to enrich data

Writing an event renderer

Writing a scripted alert action to process results

Summary

Index