Search icon Close icon
Search icon
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Splunk 7 Essentials - Third Edition

You're reading from  Splunk 7 Essentials - Third Edition

Product type Book
Published in Mar 2018
Publisher Packt
ISBN-13 9781788839112
Pages 220 pages
Edition 3rd Edition
Languages
Concepts
Authors (4):
J-P Contreras J-P Contreras
Profile icon J-P Contreras
LinkedIn
J-P Contreras, a Splunk-certified administrator and sales engineer, has delivered value-oriented data analytics and performance planning solutions for 20+ years. He has built award-winning consulting teams to help companies turn data into analytical insights. He helps companies implement Splunk and enjoys everything the Splunk community offers. He received his MBA in e-commerce from DePaul University's Kellstadt Graduate School of Business, Chicago, in 2001. He trains in DePaul's Continuing Education Program and is a member of DePaul's Driehaus School of Business Advisory Board. He'd like to thank his family, especially his wife and children, and close friends for making life so enjoyable.
See other products by J-P Contreras
Steven Koelpin Steven Koelpin
Profile icon Steven Koelpin
LinkedIn
See other products by Steven Koelpin
Erickson Delgado Erickson Delgado
Profile icon Erickson Delgado
LinkedIn
Erickson Delgado is an enterprise architect who loves to mine and analyze data. He began using Splunk in version 4.0 and has pioneered the use of the application in his current work. In the earlier parts of his career, he worked with start-up companies in the Philippines to help build their open source infrastructure. He then worked in the cruise industry as a shipboard IT manager, and he loved it. From there, he was recruited to work at the company's headquarters as a software engineer.
See other products by Erickson Delgado
Betsy Page Sigman Betsy Page Sigman
Profile icon Betsy Page Sigman
LinkedIn
Betsy Page Sigman is a distinguished professor at the McDonough School of Business at Georgetown University in Washington, D.C. She has taught courses in statistics, project management, databases, and electronic commerce for the last 16 years, and has been recognized with awards for teaching and service. She has also worked at George Mason University in the past. Her recent publications include a Harvard Business case study and a Harvard Business review article. Additionally, she is a frequent media commentator on technological issues and big data.
See other products by Betsy Page Sigman
View More author details

Table of Contents (10) Chapters

Preface Splunk – Getting Started Bringing in Data Search Processing Language Reporting, Alerts, and Search Optimization Dynamic Dashboarding Data Models and Pivot HTTP Event Collector Best Practices and Advanced Queries Taking Splunk to the Organization

Bringing in Data

Computerized systems are responsible for much of the data produced on a daily basis. Splunk Enterprise makes it easy to get data from many of these systems. This data is frequently referred to as machine data. And since machines mostly generate data in an ongoing or streaming nature, Splunk is especially useful as it can handle streaming data easily and efficiently.

In addition to capturing machine data, Splunk Enterprise allows you, as the user, to enhance and enrich the data either as it is stored or as it is searched. Machine data can be enriched with business rules and logic for enhanced searching capabilities. Often it is combined with traditional row/column data to provide business context to machine data with data such a product hierarchies.

In this chapter, you will learn about Splunk and how it relates to a often used term - big data, as well as the most...

Splunk and big data

Big data is a widely used term but, as is often the case, one that means different things to different people. In this part of the chapter, we present common characteristics of big data .

There is no doubt that today there is a lot of data, and more commonly today, the term big data is not meant to reference the volume as much as it is characterized by other factors, including variability so wide that legacy, conventional organizational data systems cannot consume and produce analytics from it.

Streaming data

Streaming data is almost always being generated, with a timestamp associated to each entry. Splunk's inherent ability to monitor and track data loaded from ever growing log files, or accept data...

Splunk data sources

Splunk was invented as a way to keep track of and analyze machine data coming from a variety of computerized systems. It is a powerful platform for doing just that. But since its invention, it has been used for a myriad of different data types, including streaming log data, database and spreadsheet data, and data provided by web services. The various types of data that Splunk is often used for are explained in the next few sections.

Machine data

As mentioned previously, much of Splunk's data capability is focused on machine data. Machine data is data created each time a machine does something, even if it is as seemingly insignificant as a successful user login. Each event has information about its...

Creating indexes

Indexes are where Splunk Enterprise stores all the data it has processed. It is essentially a collection of databases that are, by default, located at $SPLUNK_HOME/var/lib/splunk. Before data can be searched, it needs to be indexed—a process we describe here.

Tip from the Fez: There are a variety of intricate settings which can be manipulated to control size and data management aspects of an index. We will not cover those in this book, however as your situation requires complexity, be sure to consider a variety of topics around index management, such as overall size, buckets parameters, archiving and other optimization settings.

There are two ways to create an index, through the Splunk user interface or by creating an indexes.conf file. You will be shown here how to create an index using the Splunk portal, but you should realize that when you do that...

Buckets

You may have noticed that there is a certain pattern in this configuration file, in which folders are broken into three locations: coldPath, homePath, and thawedPath. This is a very important concept in Splunk. An index contains compressed raw data and associated index files which are spread out into age-designated directories. Each age-designated directory is called a bucket.

A bucket moves through several stages as it ages. In general, as your data gets older (think colder) in the system, it is pushed to the next bucket. And, as you can see in the following list, the thawed bucket contains data that has been restored from an archive. Here is a breakdown of the buckets in relation to each other:

  • hot: This is newly indexed data and open for writing (hotPath)
  • warm: This is data rolled from the hot bucket with no active writing (warmPath)
  • cold: This is data rolled from...

Log files as data input

As mentioned earlier in this chapter, any configuration you make in the Splunk portal corresponds to a *.conf file written under the $SPLUNK_HOME directory. The same goes for the creation of data inputs; adding data inputs using the Splunk user interface creates a file called inputs.conf.

For this exercise use the windows_perfmon_logs.txt file provided in the Chapter 2/samples.

Now that you have an index to store Windows logs, let's create a data input for it, with the following steps:

  1. Go to the Splunk home page.
  2. Click on your Destinations app. Make sure you are in the Destinations app before you execute the next steps, or your configuration changes won't be isolated to your application.
  3. In the Splunk navigation bar, select Settings.
  1. Under the Data section, click on Data inputs.
  2. On the Data inputs page, click on Files & directories.
  3. In...

Splunk events and fields

All throughout this chapter, you have been running Splunk search queries that have returned data. It is important to understand what events and fields are before we go any further, for an understanding of these is essential to comprehending what happens when you run Splunk on the data.

In Splunk, data is classified into events and is like a record, such as a log file entry or other type of input data. An event can have many different attributes or fields or just a few. When you run a successful search query, you will see events returned from the Splunk indexes the search is being run against. If you are looking at live streaming data, events can come in very quickly through Splunk.

Every event is given a number of default fields. For a complete listing, go to http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Aboutdefaultfields. We will now go through...

Extracting new fields

Most raw data that you will encounter will have some form of structure. Just like a CSV (comma-separated value) file or a web log file, it is assumed that each entry in the log corresponds to some sort of format. Splunk makes custom field extraction very easy, especially for delimited files. Let's take the case of our Eventgen data and look at the following example. By design, the raw data generated by Eventgen is delimited by commas. Following is a example of a raw event:

2018-01-18 21:19:20:013632, 130.253.37.97,GET,/destination/PML/details,-,80,- 10.2.1.33,Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J3 Safari/6533.18.5,301,0,0,317,1514

Since there is a distinct separation of fields in this data, we can use Splunk's field extraction capabilities to automatically classify...

Summary

In this chapter, we began learning about big data and its related characteristics, such as streaming data, analytical data latency, and sparseness. We also covered the types of data that can be brought into Splunk. We then created an index and loaded a sample log file, all while examining the configuration file (.conf) entries made at the file system level. We talked about what fields and events are. And finally, we saw how to extract fields from events and name them so that they can be more useful to us.

In the chapters to come, we'll learn more about these important features of Splunk.

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 10
Next Chapter arrow right
You have been reading a chapter from
Splunk 7 Essentials - Third Edition
Published in: Mar 2018 Publisher: Packt ISBN-13: 9781788839112
© 2018 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime}

Authors (4)

Left arrow icon
Profile icon J-P Contreras
LinkedIn
J-P Contreras, a Splunk-certified administrator and sales engineer, has delivered value-oriented data analytics and performance planning solutions for 20+ years. He has built award-winning consulting teams to help companies turn data into analytical insights. He helps companies implement Splunk and enjoys everything the Splunk community offers. He received his MBA in e-commerce from DePaul University's Kellstadt Graduate School of Business, Chicago, in 2001. He trains in DePaul's Continuing Education Program and is a member of DePaul's Driehaus School of Business Advisory Board. He'd like to thank his family, especially his wife and children, and close friends for making life so enjoyable.
Read more
See other products by J-P Contreras
Profile icon Steven Koelpin
LinkedIn
See other products by Steven Koelpin
Profile icon Erickson Delgado
LinkedIn
Erickson Delgado is an enterprise architect who loves to mine and analyze data. He began using Splunk in version 4.0 and has pioneered the use of the application in his current work. In the earlier parts of his career, he worked with start-up companies in the Philippines to help build their open source infrastructure. He then worked in the cruise industry as a shipboard IT manager, and he loved it. From there, he was recruited to work at the company's headquarters as a software engineer.
See other products by Erickson Delgado
Profile icon Betsy Page Sigman
LinkedIn
Betsy Page Sigman is a distinguished professor at the McDonough School of Business at Georgetown University in Washington, D.C. She has taught courses in statistics, project management, databases, and electronic commerce for the last 16 years, and has been recognized with awards for teaching and service. She has also worked at George Mason University in the past. Her recent publications include a Harvard Business case study and a Harvard Business review article. Additionally, she is a frequent media commentator on technological issues and big data.
Read more
See other products by Betsy Page Sigman
Right arrow icon

Other recommended products

Related to this chapter
Left arrow icon
Splunk 7.x Quick Start Guide
Splunk 7.x Quick Start Guide
Splunk is a leading platform and solution for collecting, searching, and extracting value from ever increasing amounts of big data – and big data is eating the world! This book covers all the crucial Splunk topics and gives you the information and examples to get the immediate job done. You will find enough insights to support further research for using Splunk to suit any business environment or situation.
Nov 2018 9 hours 56 minutes
Splunk Operational Intelligence Cookbook
Splunk Operational Intelligence Cookbook
This book demonstrates the power of Splunk 7.x to offer you quick solutions and strategies to bring efficient operational intelligence in your organization. Implement a wide range of tasks in recipe format to perform operations on machine data. Learn to achieve intelligent data-driven way using machine learning capabilities to explore complex data.
May 2018 18 hours 2 minutes
Mastering Splunk 8
Mastering Splunk 8
This book will cover Splunk's offerings to efficiently capture, index, and correlate data from a searchable repository all in real-time to generate insightful graphs, reports, dashboards, and alerts. Developers and architects alike can be in high demand if they become experts with this tool.
Dec 2020 15 hours 12 minutes
Implementing Splunk 7
Implementing Splunk 7
This book will help you implement Splunk 7's new services and will show you how to utilize them to quickly and efficiently process machine-generated big data. You will explore Splunk Cloud and the Machine Learning Toolkit and use them with ease throughout your organization. By the end of the book, you will have learned to implement these services in your tasks at work.
Mar 2018 19 hours 12 minutes
Big Data Visualization
Big Data Visualization
Uncover new approaches to big data visualization to make your analysis more effective and efficient with Big Data Visualization. Featuring in-depth coverage of big data analysis concepts together with industry-proven techniques, you?ll learn how to approach the challenge of big data visualization with confidence, ease and precision.
Feb 2017 10 hours 8 minutes
Learn Grafana 7.0
Learn Grafana 7.0
This book will focus on Grafana 7.0's features to build interactive dashboards to visualize and monitor data. You will cover the administrative aspects of Grafana and working with various plugins. By the end of this book, you will have enough knowledge to query, visualize, and understand your metrics and use the new improved security features.
Jun 2020 13 hours 40 minutes
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Et al.
Et al.
Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.
Aug 2023 7 hours 40 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Generative AI with LangChain
Generative AI with LangChain
This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.
Dec 2023 12 hours 0 minutes
Mastering Tableau 2023
Mastering Tableau 2023
This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.
Aug 2023 22 hours 48 minutes
Building AI Applications with ChatGPT APIs
Building AI Applications with ChatGPT APIs
This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.
Sep 2023 8 hours 36 minutes
Building AI Applications with ChatGPT APIs
Building AI Applications with ChatGPT APIs
This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.
Sep 2023 8 hours 36 minutes
Data Engineering with AWS
Data Engineering with AWS
Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.
Oct 2023 21 hours 12 minutes
Modern Data Architecture on AWS
Modern Data Architecture on AWS
Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.
Aug 2023 14 hours 0 minutes
Practical Guide to Applied Conformal Prediction in Python
Practical Guide to Applied Conformal Prediction in Python
Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.
Dec 2023 8 hours 0 minutes
TinyML Cookbook
TinyML Cookbook
With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.
Nov 2023 22 hours 8 minutes
Right arrow icon