
Implementing Splunk 7 PDF

566 Pages·2018·16.208 MB·English

Preview Implementing Splunk 7

Implementing Splunk 7
Third Edition

Effective operational intelligence to transform machine-generated data into valuable business insight

James D. Miller

BIRMINGHAM - MUMBAI

Implementing Splunk 7, Third Edition
Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Sunith Shetty
Acquisition Editor: Tushar Gupta
Content Development Editor: Mayur Pawanikar
Technical Editor: Prasad Ramesh
Copy Editor: Vikrant Phadke
Project Coordinator: Nidhi Joshi
Proofreader: Safis Editing
Indexer: Mariammal Chettiyar
Graphics: Tania Dutta
Production Coordinator: Nilesh Mohite

First published: January 2013
Second edition: July 2015
Third edition: March 2018

Production reference: 1280318

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78883-628-9

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content

PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author
James D. Miller is an IBM-certified expert, creative innovator, director, senior project leader, and application/system architect with 35+ years of extensive application, system design, and development experience. He has introduced customers to new and sometimes disruptive technologies and platforms, integrating with IBM Watson Analytics, Cognos BI, TM1, web architecture design, systems analysis, GUI design and testing, database modeling and systems analysis. He has done design and development of OLAP, client/server, web, and mainframe applications.

I would like to thank Nanette, Shelby and Paige who continually amaze me with their support and love.

About the reviewer
Kyle Smith is a self-proclaimed geek from Pennsylvania and has been working with Splunk extensively since 2010. He has spoken many times at the Splunk User Conference and is an active contributor to the Splunk Answers Community, the #splunk IRC Channel, and the Splunk Slack Channels. He has published several Splunk apps and add-ons to Splunkbase, the Splunk community's premier app and add-on publishing platform. He now works as a consultant/developer for Splunk's longest running Aplura, LLC. He has written Splunk Developer's Guide, also by Packt.

I'd like to thank my wife, who most graciously put up with all of my BS during the writing of this book. Without her, this effort is meaningless.

Yogesh Raheja is a certified DevOps and cloud expert with a decade of IT experience. He has expertise in technologies such as OS, source code management, build & release tools, continuous integration/deployment/delivery tools, containers, config management tools, monitoring, logging tools, and public and private clouds. He loves to share his technical expertise with audiences worldwide at various forums, conferences, webinars, blogs, and LinkedIn (https://in.linkedin.com/in/yogesh-raheja-b7503714). He has written Automation with Puppet 5 and Automation with Ansible.

Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents

Preface 1

Chapter 1: The Splunk Interface 6
  Logging in to Splunk 6
  The home app 8
  The top bar 12
  The Search & Reporting app 16
  Data generator 17
  The Summary view 17
  Search 19
  Actions 21
  Timeline 22
  The field picker 23
  Fields 23
  Search results 25
  Options 26
  Events viewer 26
  Using the time picker 27
  Using the field picker 29
  The settings section 30
  Splunk Cloud 34
  Try before you buy 35
  A quick cloud tour 37
  The top bar in Splunk Cloud 39
  Splunk reference app – PAS 41
  Universal forwarder 42
  eventgen 42
  Next steps 42
  Summary 43

Chapter 2: Understanding Search 44
  Using search terms effectively 44
  Boolean and grouping operators 46
  Clicking to modify your search 47
  Event segmentation 48
  Field widgets 48
  Time 50
  Using fields to search 51
  Using the field picker 51
  Using wildcards efficiently 52
  Supplementing wildcards in fields 53
  All about time 53
  How Splunk parses time 53
  How Splunk stores time 54
  How Splunk displays time 54
  How time zones are determined and why it matters 54
  Different ways to search against time 55
  Presets 56
  Relative 57
  Real-time 57
  Windowed real-time versus all-time real-time searches 58
  Date range 59
  Date and time range 59
  Advanced 60
  Specifying time in-line in your search 60
  _indextime versus _time 61
  Making searches faster 61
  Sharing results with others 62
  The URL 63
  Save As Report 64
  Save As Dashboard Panel 67
  Save As Alert 68
  Save As Event Type 68
  Searching job settings 69
  Saving searches for reuse 70
  Creating alerts from searches 74
  Enable Actions 76
  Action Options 76
  Sharing 77
  Event annotations 79
  An illustration 80
  Summary 81

Chapter 3: Tables, Charts, and Fields 82
  About the pipe symbol 82
  Using top to show common field values 83
  Controlling the output of top 85
  Using stats to aggregate values 87
  Using chart to turn data 90
  Using timechart to show values over time 92
  The timechart options 94
  Working with fields 96
  A regular expression primer 96
  Commands that create fields 98
  eval 98
  rex 99
  Extracting loglevel 100
  Using the extract fields interface 100
  Using rex to prototype a field 104
  Using the admin interface to build a field 105
  Indexed fields versus extracted fields 107
  Indexed field case 1 - rare instances of a common term 109
  Indexed field case 2 - splitting words 109
  Indexed field case 3 - application from source 110
  Indexed field case 4 - slow requests 110
  Indexed field case 5 - unneeded work 111
  Chart enhancements in version 7.0 111
  charting.lineWidth 112
  charting.data.fieldHideList 114
  charting.legend.mode 115
  charting.fieldDashStyles 115
  charting.axisY.abbreviation 116
  Summary 116

Chapter 4: Data Models and Pivots 117
  What is a data model? 117
  What does a data model search? 118
  Data model objects 118
  Object constraining 119
  Attributes 119
  Acceleration in version 7.0 120
  Creating a data model 121
  Filling in the new data model dialog 123
  Editing fields (attributes) 126
  Lookup attributes 128
  Children 131
  What is a pivot? 133
  The Pivot Editor 135
  Working with pivot elements 136
  Filtering pivots 136
  Split (row or column) 137
  Column values 138
  Pivot table formatting 139
  A quick example 139
  Sparklines 144
  Summary 146

Chapter 5: Simple XML Dashboards 147
  The purpose of dashboards 148
  Using wizards to build dashboards 148
  Adding another panel 153
  A cool trick 158
  Converting the panel to a report 161
  More options 166
  Back to the dashboard 166
  Add input 167
  Editing source 167
  Edit UI 168
  Editing XML directly 168
  UI examples app 168
  Building forms 168
  Creating a form from a dashboard 169
  Driving multiple panels from one form 173
  Post-processing search results 175
  Post-processing limitations 176
  Features replaced 177
  Autorun dashboard 179
  Scheduling the generation of dashboards 180
  Summary 181

Chapter 6: Advanced Search Examples 182
  Using subsearches to find loosely related events 183
  Subsearch 183
  Subsearch caveats 185
  Nested subsearches 186
  Using transaction 187
  Using transaction to determine session length 188
  Calculating the aggregate of transaction statistics 190
  Combining subsearches with transaction 191
  Determining concurrency 195
  Using transaction with concurrency 196
  Using concurrency to estimate server load 197
  Calculating concurrency with a by clause 198
  Calculating events per slice of time 205
  Using timechart 205
  Calculating average requests per minute 206
  Calculating average events per minute, per hour 208
  Rebuilding top 211
  Acceleration 218
  Big data – summary strategy 218
  Report acceleration 219
  Report acceleration availability 223
  Version 7.0 advancements in metrics 224
  Definition of a Splunk metric 224
  Using Splunk metrics 225
