
Getting started with Splunk

SplunkLive! Breakout Session - Getting started with Splunk


  1. Copyright © 2016 Splunk Inc. GETTING STARTED
  2. AGENDA
     • What is Splunk?
     • Getting Started with Splunk
     • Search
     • Alert
     • Dashboard
     • Deployment and Integration
     • Community Help & Questions
  3. Spelunking: to explore underground caves. Splunking: to explore machine data.
  4. What Does Machine Data Look Like? Sources: Order Processing, Twitter, Care IVR, Middleware Error
  5. Machine Data Contains Critical Insights. Fields called out across the sources (Order Processing, Twitter, Care IVR, Middleware Error): Customer ID, Order ID, Customer's Tweet, Time Waiting On Hold, Twitter ID, Product ID, Company's Twitter ID
  6. Machine Data Contains Critical Insights (continued, same diagram): Order ID, Customer's Tweet, Time Waiting On Hold, Product ID, Company's Twitter ID, Twitter ID and Customer ID across the Order Processing, Twitter, Care IVR and Middleware Error sources
  7. Getting Started
  8. Turning Machine Data Into Business Value
     • Index Untapped Data: Any Source, Type, Volume: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID; On-Premises, Private Cloud, Public Cloud
     • Ask Any Question: Application Delivery; Security, Compliance and Fraud; IT Operations; Business Analytics; Industrial Data and the Internet of Things
  9. Install Splunk
     • www.splunk.com/download
     • 32 or 64 Bit?
     • Indexer or Universal Forwarder?
     Start Splunk
     • WIN: Program Files\Splunk\bin\splunk.exe start (services start)
     • *NIX: /opt/splunk/bin/splunk start
  10. Install Splunk continued…
  11. Splunk Licenses
     Free Download
     • Limits Indexing to 500MB/day
     • Enterprise Trial License expires after 60 days
     • Reverts to Free License
     Features Disabled in Free License
     • Multiple user accounts and role-based access controls
     • Distributed search
     • Forwarding to non-Splunk Instances
     • Deployment management
     • Scheduled saved searches and alerting
     • Summary indexing
     Other License Types
     • Enterprise, Forwarder, Trial
  12. Splunk Web Basics
     Default installation on: http://localhost:8000
     Browser Support
     • Internet Explorer 9, 10 and 11
     • Firefox (latest)
     • Safari (latest)
     • Chrome (latest)
  13. Splunk Web Basics continued…
     Splunk Home
     • Provides an interactive portal to the Apps & data
     • Explore Splunk Enterprise: 1 – Product Tours, 2 – Add Data, 3 – Splunk Apps, 4 – Splunk Docs
     Splunk Apps
     • Default Search & Reporting App
     • Provide different contexts for your data out of sets of views, dashboards, and configurations
     • You can create your own!
  14. Optional: add some test data
     Download the sample file: follow this link, save the file to your desktop, then unzip: http://www.splunkbook.com (Using Splunk Book)
     To add the file to Splunk:
     – From the Welcome screen, click Add Data.
     – Click From files and directories on the bottom half of the screen.
     – Select Skip preview.
     – Click the radio button next to Upload and index a file.
     – Click Save.
  15. Search Basics
  16. Search view (screenshot labels): current view, global stats, app navigation, time range picker, search box, start search
     Selecting Data Summary:
     • Host
     • Source
     • Sourcetype
  17. Searching
     Search > *
     Select Time Range
     • Historical, custom, or real-time
     Select Mode
     • Smart, Fast, Verbose
     Using the timeline
     • Click events and zoom in and out
     • Click and drag over events for a specific range
  18. Everything is searchable
     • * wildcards supported
     • Search terms are case insensitive
     • Booleans AND, OR, NOT
       – Booleans must be uppercase
       – Implied AND between terms
       – Use () for complex searches
     • Quote phrases
     Examples:
       fail*
       fail* nfs
       error OR 404
       error OR failed OR (sourcetype=access_* (500 OR 503))
       "login failure"
  19. Example Search:
  20. Search Assistant
     • Contextual Help: advanced type-ahead; suggests search terms; updates as you type
     • History: search, commands
     • Search Reference: short/long description, examples; shows examples and help
     • toggle off / on
  21. Job Management
     Searches can be managed as asynchronous processes. Jobs can be
     • Scheduled
     • Moved to background tasks
     • Paused, stopped, resumed, finalized
     • Managed
     • Archived
     • Cancelled
     Modify Job Settings: pause, finalize, delete
  22. Search Commands
     Search > error | head 1
     Search results are "piped" to the command. Commands for:
     • Manipulating fields
     • Formatting
     • Handling results
     • Reporting
  23. Over 130 Commands! splunk.com > Documentation > Search Reference
     abstract accum addcoltotals addinfo addtotals af analyzefields anomalies anomalousvalue append appendcols ar associate audit autoregress bin bucket chart cluster collect common contingency convert correlate counttable crawl ctable dbinspect dedup delete delta diff discretize erex eval eventcount eventstats excerpt extract file fillnull folderize format gentimes head highlight iconify input inputcsv inputlookup iplocation join kmeans kv kvform loadjob localize localop lookup macro makecontinuous makemv maketable map metadata multikv mvcombine mvexpand nomv outlier outlierfilter outputcsv outputlookup outputtext overlap rangemap rare regex relevancy rename replace reverse run savedsearch savedsplunk script scrub selfjoin sendemail set sichart sirare sistats sitimechart sitop slc stash strcat streamstats sumindex summaryindex tail test timechart top transaction transam trendline typeahead typelearner typer uniq untable xmlkv xmlunescape xpath xyseries
     http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet
  24. Field Extraction Fun
  25. Fields
     Default fields
     • host, source, sourcetype, linecount, etc.
     • View on left panel in search results or all in field picker
     Where do fields come from?
     • Pre-defined by sourcetypes
     • Automatically extracted key-value pairs
     • User defined
  26. Sources, Sourcetypes, Hosts
     • Host - hostname, IP address, or name of the network host from which the events originated
     • Source - the name of the file, stream, or other input
     • Sourcetype - a specific data type or data format
  27. Extract Fields
     Interactive Field Extractor
     • Regular Expression or Delimiters
     • Creates Regular Expression for you!
     • preview/validate
  28. Extract Fields
     Configuration File
     • manual field extraction
     • delim-based extractions
     props.conf:
       [mysourcetype]
       REPORT-myclass = myFields
     transforms.conf:
       [myFields]
       REGEX = ^(\w+)\s
       FORMAT = myFieldLabel::$1
     Rex Search Command
       ... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
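The transforms.conf stanza and the rex command on this slide, worked through in Python as an added example (not Splunk's code and not the presenter's): a small emulation of how a REGEX/FORMAT pair and a rex pattern turn a raw event into fields. It assumes only the capture-group form of FORMAT and the two constructed sample events in the block, and it shows the (?<name>...) to (?P<name>...) translation that Python's re module needs for Splunk-style named groups.

```python
import re

# Constructed sample events; these are not from the slides.
RAW_EVENTS = [
    "ERROR database connection refused",
    "From: alice@example.com To: bob@example.com",
]


def spl_regex_to_python(pattern):
    """SPL (rex, the Interactive Field Extractor, transforms.conf) writes named
    groups as (?<name>...); Python's re module needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def apply_transform(raw, regex, fmt):
    """Emulates one transforms.conf stanza: REGEX supplies capture groups and
    FORMAT names them as space-separated label::$N pairs. Returns the fields
    that would be added to the event, or {} when REGEX does not match."""
    m = re.search(spl_regex_to_python(regex), raw)
    if not m:
        return {}
    fields = {}
    for pair in fmt.split():
        label, ref = pair.split("::", 1)
        fields[label] = m.group(int(ref.lstrip("$")))
    return fields


def rex(raw, pattern):
    """Emulates '... | rex field=_raw "<pattern>"': each named group becomes a field."""
    m = re.search(spl_regex_to_python(pattern), raw)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    # The slide's transforms.conf stanza: REGEX = ^(\w+)\s  FORMAT = myFieldLabel::$1
    print(apply_transform(RAW_EVENTS[0], r"^(\w+)\s", "myFieldLabel::$1"))
    # The slide's rex command
    print(rex(RAW_EVENTS[1], r"From: (?<from>.*) To: (?<to>.*)"))
```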
  29. Tagging and Event Typing
     Eventtypes for more human-readable reports
     • to categorize and make sense of mountains of data
     • punctuation helps find events with similar patterns
     Search > eventtype=failed_login
     instead of
     Search > "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user"
     Tags are labels
     • apply ad-hoc knowledge
     • create logical divisions or groups
     • tag hosts, sources, fields, even eventtypes
     Search > tag=web_servers
     instead of
     Search > host="apache1.splunk.com" OR host="apache2.splunk.com" OR host="apache3.splunk.com"
  30. Saved Search & Alert Basics
  31. Saved Searches
     Leverage Searches for future Insights!
     • Reports
     • Dashboards
     • Alerts
     • Eventtypes
     Add a Time Range Picker
     • Preset
     • Relative
     • Real-time
     • Date-Range
     • Date & Time Range
     • Advanced
  32. Create Alerts
     Scheduled or Real-Time
     • Define Time Ranges
     • Conditions
     • Thresholds
  33. Alerting Continued…
     Scheduled: searches run on a schedule and fire an alert
     • Example: Run a search for "Failed password" every 15 min over the last 15 min and alert if the number of events is greater than 10
     Real-time: searches are running in real-time and fire an alert
     • Example: Run a search for "Failed password user=john.doe" in a 1 minute window and alert if an event is found
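The two alert examples on this slide, evaluated with the search rules from slide 18 (implied AND between terms, case-insensitive keywords, field=value comparisons) over constructed sample sshd lines, as an added Python example that is not Splunk's own scheduler or search code. It assumes the timestamps, the "user" field extraction and the sample lines defined in the block.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (timestamp, raw line) standing in for indexed data;
# they are not from the slides. NOW is the moment the alert search runs.
NOW = datetime(2016, 3, 1, 12, 0, 0)
USERS = ["john.doe"] * 3 + ["root"] * 9
EVENTS = [
    (NOW - timedelta(minutes=m),
     f"sshd[{100 + m}]: Failed password for {u} from 10.0.0.{m} port 22 ssh2")
    for m, u in zip(range(1, 13), USERS)
] + [
    (NOW - timedelta(minutes=20), "sshd[99]: Failed password for root from 10.0.0.99 port 22 ssh2"),
    (NOW - timedelta(seconds=30), "sshd[7]: Accepted password for jane from 10.0.0.5 port 22 ssh2"),
]

def event_fields(raw):
    """Stand-in for a field extraction (slide 28) that yields 'user' and 'src'."""
    m = re.search(r"password for (?P<user>\S+) from (?P<src>\S+)", raw)
    return m.groupdict() if m else {}

def matches(raw, search):
    """Slide 18 rules: implied AND between terms, keywords are case-insensitive,
    and key=value terms are compared against the event's extracted fields."""
    fields = event_fields(raw)
    for term in search.split():
        if "=" in term:
            key, value = term.split("=", 1)
            if fields.get(key) != value:
                return False
        elif term.lower() not in raw.lower():
            return False
    return True

def count_in_window(events, search, now, minutes):
    """Number of matching events whose timestamp falls in the last `minutes` minutes."""
    start = now - timedelta(minutes=minutes)
    return sum(1 for ts, raw in events if start <= ts <= now and matches(raw, search))

def scheduled_alert(events, now):
    """Slide 33: 'Failed password' over the last 15 min, alert if more than 10 events."""
    return count_in_window(events, "Failed password", now, 15) > 10

def realtime_alert(events, now):
    """Slide 33: 'Failed password user=john.doe' in a 1 minute window, alert if any event."""
    return count_in_window(events, "Failed password user=john.doe", now, 1) >= 1
```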
  34. Alerting Actions
     • Send email
     • Execute a script
     • Webhook
     • Create your own custom Alert Action!
  35. Report & Dashboard Wackiness
  36. Reporting
     Build reports from the results of any search
     • Define your Search and set your time range, accelerate your search and more
     • Choose the type of chart (line, area, column, etc) and other formatting options
  37. Reporting Examples
     • Use wizard or reporting commands (timechart, top, etc)
     • Build real-time reports with real-time searches
     • Save reports for use on dashboards
  38. Dashboards
     Create dashboards from search results
  39. Dashboard Examples
     Check out the Splunk 6.x Dashboard Examples at splunkbase.com!
  40. Manager Settings
     For All of that Cool Stuff You Just Created (and more!)
     • Permissions
     • Saved Searches/Reports
     • Custom Views
     • Distributed Splunk
     • Deployment Server
     • License Usage…
  41. Deployment and Integration
  42. Splunk Has Four Primary Functions
     • Searching and Reporting (Search Head)
     • Indexing and Search Services (Indexer)
     • Data Collection and Forwarding (Forwarder)
     • Distributed Management (Deployment Server)
     • Data Governor (Cluster Master)
     Data sources in the diagram: Databases, Networks, Servers, Virtual Machines, Smart phones and Devices, Custom Applications, Security, WebServer, Sensors
     A Splunk install can be one or all roles…
  43. Ingests Data From Heterogeneous Data Sources
     Agent-less and Agent Approach for Flexibility and Optimization
     Diagram labels: Splunk Forwarder; Local File Monitoring; Scripted or Modular Inputs (shell scripts, API subscriptions); perf, shell, API; Event Logs, Performance, Active Directory (Windows); Mounted File Systems (hostname mount); syslog TCP/UDP (syslog hosts and network devices); Unix, Linux and Windows hosts; virtual host; Mainframes; *nix; Wire Data (Splunk App for Stream)
  44. Scales to Hundreds of TBs/Day
     Enterprise-Class Scale, Resilience and Interoperability
     • Send data from thousands of servers using any combination of Splunk Forwarders
     • Auto load-balanced forwarding to Splunk Indexers
     • Offload search load to Splunk Search Heads
  45. Visibility Across Datacenters
     • Distributed search unifies the view across locations
     • Role-based access controls how far a given user's search will span
     Diagram: New York, Tokyo, London, Cloud
  46. Delivers Mission-Critical Availability
     • Data replication – maintain searchability even if servers go down
     • Multi-site capable – maintain searchability even if a site goes down
     • Search Affinity – optimized searches by fetching from the closest/fastest location
     Diagram: Clustering, with REPLICATION between the Portland Datacenter and the New York Datacenter
  47. Forwards Events to Third-Party Systems
     Problem Investigation, Service Desk, Event Console, SIEM (RAW or Formatted)
  48. Enrich Raw Data to Make It More Meaningful
     Create additional fields from the raw data with a lookup to an external data source
     External Data Sources: LDAP, AD; Watch Lists; CRM/ERP; CMDB
     Data goes in, Insight comes out
  49. Integrate Users and Roles
     • Integrate authentication with LDAP and Active Directory.
     • Map LDAP & AD groups to flexible Splunk roles.
     • Define any search as a filter.
     Diagram labels: LDAP, AD Users and Groups; Splunk Flexible Roles; Manage Users; Manage Indexes; Capabilities & Filters (NOT tag=PCI, App=ERP …); Problem Investigation; Save Searches; Share Searches
  50. How the Data is Stored and Aged
     Index buckets: Hot, Warm, Cold, Frozen
     • Hot – Newest buckets of data that are still open for write
     • Warm – Recent data but closed for writing (read only)
     • Cold – Oldest data, commonly on cheaper, slower storage
     • Frozen – No longer searchable, commonly archived or deleted data
  51. Support and Community
  52. Support Through the Splunk Community
     • Browse and share Apps from Splunk, Partners and the Community: splunkbase.com
     • Community-driven knowledge exchange and Q&A: answers.splunk.com
     • Splunk Docs: docs.splunk.com
  53. Thank You