Implementing Splunk: Big Data Reporting and Development for Operational Intelligence

Learn to transform your machine data into valuable IT and business insights with this comprehensive and practical tutorial

Vincent Bumgarner

eBook: $29.99 (RRP $29.99)
Print + eBook: $49.99 (RRP $49.99)


Book Details

ISBN 13: 9781849693288
Paperback: 448 pages

About This Book

  • Learn to search, dashboard, configure, and deploy Splunk on one machine or thousands
  • Start working with Splunk fast, with a tested set of practical examples and useful advice
  • Step-by-step instructions and examples with a comprehensive coverage for Splunk veterans and newbies alike

Who This Book Is For

The book targets professionals and organizations who want to implement, or have already implemented, Splunk for log analysis and indexing. Analysts and IT staff doing end-to-end investigation, performance monitoring, and similar work will also learn from the practical examples. It will even help managers build reports that summarize the health, performance, and activity of their IT infrastructure and business. You will also find it helpful as a technical administrator, consultant, or end user.

This book aims to be useful to Splunk users of all levels, from complete newbie to seasoned user. The book assumes that you have access to a copy of Splunk, ideally not in production. Many examples also assume your user has admin rights.

Table of Contents

Chapter 1: The Splunk Interface
Logging in to Splunk
The Home app
The top bar
Search app
Using the time picker
Using the field picker
Using Manager
Summary
Chapter 2: Understanding Search
Using search terms effectively
Boolean and grouping operators
Clicking to modify your search
Using fields to search
Using wildcards efficiently
All about time
Making searches faster
Sharing results with others
Saving searches for reuse
Creating alerts from searches
Summary
Chapter 3: Tables, Charts, and Fields
About the pipe symbol
Using top to show common field values
Using stats to aggregate values
Using chart to turn data
Using timechart to show values over time
Working with fields
Summary
Chapter 4: Simple XML Dashboards
The purpose of dashboards
Using wizards to build dashboards
Scheduling the generation of dashboards
Editing the XML directly
UI Examples app
Building forms
Summary
Chapter 5: Advanced Search Examples
Using subsearches to find loosely related events
Using transaction
Determining concurrency
Calculating events per slice of time
Rebuilding top
Summary
Chapter 6: Extending Search
Using tags to simplify search
Using event types to categorize results
Using lookups to enrich data
Using macros to reuse logic
Creating workflow actions
Using external commands
Summary
Chapter 7: Working with Apps
Defining an app
Included apps
Installing apps
Building your first app
Editing navigation
Customizing the appearance of your app
Object permissions
App directory structure
Adding your app to Splunkbase
Summary
Chapter 8: Building Advanced Dashboards
Reasons for working with advanced XML
Reasons for not working with advanced XML
Development process
Advanced XML structure
Converting simple XML to advanced XML
Module logic flow
Understanding layoutPanel
Reusing a query
Using intentions
Creating a custom drilldown
Third-party add-ons
Summary
Chapter 9: Summary Indexes and CSV Files
Understanding summary indexes
When to use a summary index
When to not use a summary index
Populating summary indexes with saved searches
Using summary index events in a query
Using sistats, sitop, and sitimechart
How latency affects summary queries
How and when to backfill summary data
Reducing summary index size
Calculating top for a large time frame
Storing raw events in a summary index
Using CSV files to store transient data
Summary
Chapter 10: Configuring Splunk
Locating Splunk configuration files
The structure of a Splunk configuration file
Configuration merging logic
An overview of Splunk .conf files
User interface resources
Summary
Chapter 11: Advanced Deployments
Planning your installation
Splunk instance types
Common data sources
Sizing indexers
Planning redundancy
Working with multiple indexes
Deploying the Splunk binary
Using apps to organize configuration
Configuration distribution
Using LDAP for authentication
Using Single Sign On
Load balancers and Splunk
Multiple search heads
Summary
Chapter 12: Extending Splunk
Writing a scripted input to gather data
Using Splunk from the command line
Querying Splunk via REST
Writing commands
Writing a scripted lookup to enrich data
Writing an event renderer
Writing a scripted alert action to process results
Summary

What You Will Learn

  • How to write searches that are fast and lean
  • How to create fields from your unstructured data
  • How to enrich your data with lookups and commands
  • How to transform your data into useful and beautiful reports
  • How to build professional looking and informative dashboards
  • How to make apps to organize and share your searches and dashboards
  • How to manage configurations for one to thousands of instances
  • How to integrate with enterprise systems
  • How to extend Splunk with scripts and advanced configuration

In Detail

Splunk is a data collection, indexing, and visualization engine for operational intelligence. It's a powerful and versatile search and analysis engine that lets you investigate, troubleshoot, monitor, alert, and report on everything that's happening in your entire IT infrastructure from one location in real time. Splunk collects, indexes, and harnesses all the fast-moving machine data generated by your applications, servers, and devices, whether physical, virtual, or in the cloud.

Given a mountain of machine data, this book shows you exactly how to learn to use Splunk to make something useful from it. Depending on your needs, you can learn to search, transform, and display data, or learn to administer your Splunk installation, large or small.

"Implementing Splunk: Big Data Reporting and Development for Operational Intelligence" will help you get your job done faster, whether you read from the beginning or jump to what you need to know today. New and experienced users alike will find nuggets of wisdom throughout.

This book provides you with valuable examples and step-by-step instructions, showing you how to take advantage of everything Splunk has to offer you, to make the most out of your machine data.

"Implementing Splunk: Big Data Reporting and Development for Operational Intelligence" takes you on a journey right from inception to a fully functioning implementation of Splunk. Using a real-world data walkthrough, you'll be shown how to search effectively, create fields, build dashboards and reports, package apps, manage your indexes, integrate into the enterprise, and extend Splunk. This practical implementation guide equips you with high-level knowledge for configuring, deploying, extending, and integrating Splunk. Depending on your goals and skills, enough topics are covered to get you on your way to becoming a dashboard guru, app developer, or enterprise administrator. This book uses examples, curated references, and sage advice to help you make the most of this incredibly powerful tool.
