PacktLib: Implementing Splunk: Big Data Reporting and Development for Operational Intelligence

About the Author

About the Reviewers


The Splunk Interface

Logging in to Splunk

The Home app

The top bar

Search app

Using the time picker

Using the field picker

Using Manager


Understanding Search

Using search terms effectively

Boolean and grouping operators

Clicking to modify your search

Using fields to search

Using wildcards efficiently

All about time

Making searches faster

Sharing results with others

Saving searches for reuse

Creating alerts from searches


Tables, Charts, and Fields

About the pipe symbol

Using top to show common field values

Using stats to aggregate values

Using chart to turn data

Using timechart to show values over time

Working with fields


Simple XML Dashboards

The purpose of dashboards

Using wizards to build dashboards

Scheduling the generation of dashboards

Editing the XML directly

UI Examples app

Building forms


Advanced Search Examples

Using subsearches to find loosely related events

Using transaction

Determining concurrency

Calculating events per slice of time

Rebuilding top


Extending Search

Using tags to simplify search

Using event types to categorize results

Using lookups to enrich data

Using macros to reuse logic

Creating workflow actions

Using external commands


Working with Apps

Defining an app

Included apps

Installing apps

Building your first app

Editing navigation

Customizing the appearance of your app

Object permissions

App directory structure

Adding your app to Splunkbase


Building Advanced Dashboards

Reasons for working with advanced XML

Reasons for not working with advanced XML

Development process

Advanced XML structure

Converting simple XML to advanced XML

Module logic flow

Understanding layoutPanel

Reusing a query

Using intentions

Creating a custom drilldown

Third-party add-ons


Summary Indexes and CSV Files

Understanding summary indexes

When to use a summary index

When to not use a summary index

Populating summary indexes with saved searches

Using summary index events in a query

Using sistats, sitop, and sitimechart

How latency affects summary queries

How and when to backfill summary data

Reducing summary index size

Calculating top for a large time frame

Storing raw events in a summary index

Using CSV files to store transient data


Configuring Splunk

Locating Splunk configuration files

The structure of a Splunk configuration file

Configuration merging logic

An overview of Splunk .conf files

User interface resources


Advanced Deployments

Planning your installation

Splunk instance types

Common data sources

Sizing indexers

Planning redundancy

Working with multiple indexes

Deploying the Splunk binary

Using apps to organize configuration

Configuration distribution

Using LDAP for authentication

Using Single Sign On

Load balancers and Splunk

Multiple search heads


Extending Splunk

Writing a scripted input to gather data

Using Splunk from the command line

Querying Splunk via REST

Writing commands

Writing a scripted lookup to enrich data

Writing an event renderer

Writing a scripted alert action to process results