You're reading from Splunk 7 Essentials - Third Edition

Product type: Book
Published in: Mar 2018
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781788839112
Edition: 3rd Edition
Authors (4):

J-P Contreras

J-P Contreras, a Splunk-certified administrator and sales engineer, has delivered value-oriented data analytics and performance planning solutions for 20+ years. He has built award-winning consulting teams to help companies turn data into analytical insights. He helps companies implement Splunk and enjoys everything the Splunk community offers. He received his MBA in e-commerce from DePaul University's Kellstadt Graduate School of Business, Chicago, in 2001. He trains in DePaul's Continuing Education Program and is a member of DePaul's Driehaus School of Business Advisory Board. He'd like to thank his family, especially his wife and children, and close friends for making life so enjoyable.

Erickson Delgado

Erickson Delgado is an enterprise architect who loves to mine and analyze data. He began using Splunk in version 4.0 and has pioneered the use of the application in his current work. In the earlier parts of his career, he worked with start-up companies in the Philippines to help build their open source infrastructure. He then worked in the cruise industry as a shipboard IT manager, and he loved it. From there, he was recruited to work at the company's headquarters as a software engineer.

Betsy Page Sigman

Betsy Page Sigman is a distinguished professor at the McDonough School of Business at Georgetown University in Washington, D.C. She has taught courses in statistics, project management, databases, and electronic commerce for the last 16 years, and has been recognized with awards for teaching and service. She has also worked at George Mason University in the past. Her recent publications include a Harvard Business case study and a Harvard Business Review article. Additionally, she is a frequent media commentator on technological issues and big data.

Reporting, Alerts, and Search Optimization

Finding the data you need in Splunk is relatively easy, as you have seen in previous chapters. Doing the same thing repeatedly for different datasets, however, calls for techniques that make data retrieval faster, easier, and more controlled through reusable configurations. In Chapter 2, Bringing in Data, you were shown how to use data fields and make field extractions; Chapter 6, Data Models and Pivot, covers the creation of data models. This chapter continues that work by showing how to classify your data using Event Types, enrich your data using Lookups, and normalize your data using Tags.

Once you have these essentials in place, you will be able to more easily create reports, alerts, and dashboards, and capture analytical value from machine data quickly.

In this chapter, we will cover a wide range...

Data classification with Event Types

When working with Splunk daily, you will find that many of the tasks and searches you run are repeated on a periodic basis. As shown earlier, storing field extraction logic in a single place allows it to be reused later. Another way to make things easier, and to shorten searches, is to create Event Types. Event Types are not the same as events: an event is a single record of data, whereas an Event Type is a named classification of all events that meet the same search criteria.

If you took a break between chapters, you will probably want to open up Splunk again. Then, execute a search command:

  1. Log in to the Splunk portal
  2. Click on your Destinations app
  3. Type this search in the search bar:
SPL> index=main http_uri=/booking/confirmation http_status_code=200 

This search will return events representing successful booking confirmations. In...

Data normalization with Tags

Tags in Splunk are useful for grouping events with related field values. Unlike Event Types, which are defined by a search string, Tags are created against specific field-value pairs. Multiple Tags can be assigned to the same field-value pair, and the same Tag can be applied to many different pairs.

A common scenario of using Tags is for classifying IP addresses. In the Eventgen logs, three IP addresses are automatically generated. We will create Tags against these IP addresses to allow us to classify them:

IP address    Tags
10.2.1.33     main, patched, east
10.2.1.34     main, patched, west
10.2.1.35     backup, east

We are going to group IP addresses by purpose, patch status, and geolocation in the server farm of three servers represented in our Eventgen data. We will achieve this using Tags, as shown in the following steps:

  1. Begin by using the following search command...
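The UI steps in the last two sections write Splunk knowledge objects into configuration files under $SPLUNK_HOME/etc/apps/<app>/local/. The following eventtypes.conf and tags.conf stanzas are an added example, not the book's own files, showing what the Event Type from the earlier search and the three-server Tag table look like as configuration that can be reviewed, version-controlled and deployed. Assumptions: the app directory is named destinations, the server-side address field in the Eventgen data is called server_ip, and the search that defines the bad_logins Event Type (used later in the chapter but not shown on this page) is invented here for illustration.

```ini
# $SPLUNK_HOME/etc/apps/destinations/local/eventtypes.conf
# An Event Type is a named search. Referring to it as eventtype=<name> keeps
# the matching logic in one place instead of copying it into every search.

[booking_confirmed]
# Search taken from the chapter's Event Type exercise.
search = index=main http_uri=/booking/confirmation http_status_code=200
description = Successful booking confirmations

[bad_logins]
# ASSUMED definition: the chapter references eventtype=bad_logins but this
# page does not show its search. Adjust URI and status code to your data.
search = index=main http_uri=/auth http_status_code=401
description = Failed authentication attempts
# priority (1 = highest) decides which Event Type wins when several match
priority = 1

# $SPLUNK_HOME/etc/apps/destinations/local/tags.conf
# Each stanza is [<field>=<value>]; each key is a tag name set to enabled.
# The addresses and tags are the chapter's three-server table; the field
# name server_ip is an assumption about the Eventgen data.

[server_ip=10.2.1.33]
main = enabled
patched = enabled
east = enabled

[server_ip=10.2.1.34]
main = enabled
patched = enabled
west = enabled

[server_ip=10.2.1.35]
backup = enabled
east = enabled

# Event Types are field values too, so they can be tagged. A single tag then
# selects every security-related Event Type with tag=security.
[eventtype=bad_logins]
security = enabled
```

After a restart (or Settings | Server controls | Restart, or a debug/refresh), the search `eventtype=booking_confirmed tag=east` returns confirmations served by the east servers, and `eventtype=booking_confirmed tag::server_ip=patched` restricts to the patched ones without anyone remembering the addresses. One check worth doing before relying on these in a shared report or alert: knowledge objects created through the UI are private to their creator until shared at app or global level, and a colleague whose search uses a tag or Event Type they cannot see gets empty results, not an error.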

Data enrichment with Lookups

Occasionally you will need pieces of data rendered in a more readable form. A common example, using our Eventgen data, is the HTTP status code. Engineers are familiar with HTTP status codes as three-digit numbers; business analysts or more casual users may not know what the codes mean and need a text description to make sense of the search results. In Splunk, you can enrich event data using Lookups, which pair numbers or acronyms with more understandable text descriptions kept in a separate file.

A lookup table is a mapping of keys to values that Splunk can consult at search time to display more meaningful information. Because the Lookup executes when the search runs, the verbose descriptions never have to be indexed, which avoids consuming additional index space. This is best understood through...
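As an added example that is not part of the book, here is the file-based equivalent of an HTTP status Lookup: the CSV table, the transforms.conf stanza that registers it, and a props.conf automatic lookup so the description appears on every event of the relevant sourcetype without the search having to call `lookup` explicitly. The field name http_status_code comes from the chapter; the sourcetype name eventgen_web, the CSV path and the CSV rows are constructed assumptions.

```ini
# $SPLUNK_HOME/etc/apps/destinations/lookups/http_status.csv
# (a plain CSV file; its constructed contents are shown here as comment
# lines so that all three files fit in one listing. First row = header.)
# http_status_code,http_status_description,http_status_class
# 200,OK,success
# 301,Moved Permanently,redirect
# 401,Unauthorized,client_error
# 403,Forbidden,client_error
# 404,Not Found,client_error
# 500,Internal Server Error,server_error
# 503,Service Unavailable,server_error

# $SPLUNK_HOME/etc/apps/destinations/local/transforms.conf
# Registers the CSV as a lookup definition named http_status_lookup.
[http_status_lookup]
filename = http_status.csv
# Default is true; stated explicitly because status codes are exact keys.
case_sensitive_match = true
# The key is unique, so one row per event is all that should ever come back.
max_matches = 1

# $SPLUNK_HOME/etc/apps/destinations/local/props.conf
# Automatic lookup applied at search time to every event of this sourcetype:
#   LOOKUP-<class> = <definition> <lookup key> AS <event field>
#                    OUTPUTNEW <lookup field> [<lookup field> ...]
# OUTPUTNEW (unlike OUTPUT) never overwrites a field the event already has.
[eventgen_web]
LOOKUP-http_status = http_status_lookup http_status_code AS http_status_code OUTPUTNEW http_status_description http_status_class
```

Without the props.conf stanza the same enrichment is done inline, for example `index=main http_uri=/booking/confirmation | lookup http_status_lookup http_status_code OUTPUTNEW http_status_description | stats count by http_status_code http_status_description`; with it, http_status_description is simply present in every event. Two things to check: a lookup file has its own permissions (a private file shared with nobody silently enriches nothing for other users), and the CSV header names must match the field names used in the search exactly, since a mismatch also fails silently with empty output fields.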

Creating and scheduling reports

In this chapter, you have learned three very important things: classifying raw events using Event Types, classifying data using Tags, and enriching data using Lookups. These, in addition to good SPL, constitute essential elements you need to use Splunk in an efficient manner.

Splunk reports are saved searches which can be shared with others or used as a dashboard panel. Reports can be scheduled to run periodically and perform an action upon completion, such as sending an email with the report results.

Reports can be configured to display search results in a statistical table, as well as visualization charts. A report is created using the search command line or through a Pivot. Here we will create a report using the search command line:

  1. In the Destinations app's search page, run the following search:
SPL> eventtype=bad_logins | top client_ip 

The...

Creating alerts

Alerts are crucial in IT and security operations. They give the people who monitor and control systems proactive awareness of their state. Alerts enable you to act fast when an issue has been detected, as opposed to waiting for a user to run a report and notice the issue, which may or may not happen. In today's world, every minute an intruder remains in your network is costly and potentially devastating.

However, alerts are only good if they are controlled and if they provide enough actionable information. They should not be created on low-priority items or triggered too often to the point they lose relevance.

Tip from the Fez: Out-of-the box functionality for alerts is most commonly driven to email. Users may also want to explore the use of text messages. When Splunk doesn't provide something out of the box, there is a good chance the...
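The report and the alert that this chapter builds through the UI both end up as stanzas in savedsearches.conf. The following is an added example, not the book's configuration, showing the chapter's Bookings Last 24 Hrs report as a scheduled, emailed report, and an alert on the chapter's bad_logins Event Type that uses throttling, per-result triggering and a severity so that it stays actionable rather than noisy. The email addresses, the threshold of 20 failures and the 15-minute window are assumptions; the Event Type name and the client_ip field come from the chapter.

```ini
# $SPLUNK_HOME/etc/apps/destinations/local/savedsearches.conf

# A scheduled report: runs once a day at 06:05 and emails the results table.
[Bookings Last 24 Hrs]
search = index=main http_uri=/booking/confirmation http_status_code=200 | timechart span=1h count AS confirmations
# Clean 24-hour window aligned to the hour, not "-24h to now"
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
enableSched = 1
cron_schedule = 5 6 * * *
# Allow the scheduler to delay this run by up to 10 minutes if it is busy
schedule_window = 10
action.email = 1
action.email.to = ops@example.com
action.email.subject = Daily booking report: $name$
action.email.sendresults = 1
action.email.inline = 1

# An alert: fires when any client produces more than 20 failed logins in
# the last 15 minutes. The threshold lives in the search so that the
# trigger condition below is simply "any row returned".
[Excessive failed logins per client]
search = eventtype=bad_logins | stats count AS failures by client_ip | where failures > 20
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
enableSched = 1
cron_schedule = */15 * * * *
# Trigger condition: number of result rows greater than 0
counttype = number of events
relation = greater than
quantity = 0
# One alert per offending client_ip (per-result) rather than one digest...
alert.digest_mode = 0
# ...but throttled to at most one alert per client_ip per hour
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = client_ip
# Severity scale is 1 (debug) to 6 (fatal); track it in Triggered Alerts
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com
# $result.<field>$ tokens are available in per-result alerts
action.email.subject = Failed logins from $result.client_ip$
action.email.sendresults = 1
action.email.inline = 1
```

Two practical notes. The cron period (every 15 minutes) and the search window (-15m@m to @m) are deliberately the same length and both snap to the minute, so consecutive runs cover contiguous, non-overlapping time ranges; a window shorter than the period leaves gaps and a longer one double-counts. The email action only works once an outgoing mail server is configured under Settings | Server settings | Email settings, which is the first thing to check when a scheduled alert shows as triggered but nothing arrives.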

Search and Report acceleration

Chapter 6, Data Models and Pivot, shows how to accelerate a data model to speed up retrieval of data. The same principle applies to saved searches and reports:

  1. Click on the Reports link in the navigation menu of the Destinations app
  2. Click on the Edit | Edit Acceleration option of the Bookings Last 24 Hrs report
  3. Enable 1 Day acceleration, as seen in the following screenshot, and click on Save
  4. To check the progress of your report's acceleration, click on Settings | Report acceleration summaries

If Eventgen has not been running for more than a day, the report acceleration summary may not be built because there is not enough data for the scope of the acceleration. To verify report acceleration, ensure that Eventgen has been running for at least a day.

Scheduling options

No matter how advanced and well-scaled your Splunk infrastructure is, if all scheduled reports and alerts run at the same time the system will start to experience performance issues. Typically, you will receive a Splunk message saying that you have reached the limit of concurrent or historical searches: only a fixed number of searches can run on the CPU capacity of each Splunk server or collection of servers. A problem every Splunk administrator inevitably faces is how to limit the number of searches running at the same time. Throwing more servers into your Splunk environment is one way, but not a cost-efficient one.

It is important to properly stagger and plan scheduled searches, reports, alerts, dashboards, and so on, ensuring they are not all running at the same time. In addition to the schedule time...

Summary indexing

Within days, Splunk accumulates data and starts moving events through the bucketing process. With the millions or billions of events typical of a robust Splunk implementation, you can see how searches over long time horizons slow down.

There are two ways to mitigate this problem. One is report acceleration, covered earlier in this chapter; the other is summary indexing, which also gives fast search results over large amounts of data.

With summary indexing, you run a scheduled search and write its results into a different index, often called summary. Only the computed statistics of the search are stored, a very small subset of the data that is much faster to retrieve and report on than reading a large set of detailed event records and summarizing them on the fly. This concept...
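Report acceleration, staggered scheduling and summary indexing are all expressed as savedsearches.conf settings. The following is an added example, not the book's configuration: it accelerates the chapter's Bookings Last 24 Hrs report, defines two summary-building searches scheduled at different minutes past the hour so they do not compete for scheduler slots, and the usage note shows how the summary is then queried. Assumptions: the server-side address field is server_ip, the target index is the summary index that ships with a default Splunk install, and the two summary search names are invented.

```ini
# $SPLUNK_HOME/etc/apps/destinations/local/savedsearches.conf

# Report acceleration. The search must end in a transforming command
# (timechart, stats, chart, top, ...) or Splunk will not build the summary.
[Bookings Last 24 Hrs]
search = index=main http_uri=/booking/confirmation http_status_code=200 | timechart span=1h count
auto_summarize = 1
# "1 Day" in the Edit Acceleration dialog
auto_summarize.dispatch.earliest_time = -1d@h

# Summary indexing, search 1: hourly booking counts per server.
# Runs 7 minutes past the hour over the previous whole hour, so all events
# of that hour have arrived before they are summarized.
[Hourly booking summary]
search = index=main http_uri=/booking/confirmation http_status_code=200 | sistats count by server_ip
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1
cron_schedule = 7 * * * *
schedule_window = 15
action.summary_index = 1
action.summary_index._name = summary
# Extra field stamped onto every summary event so consumers can select it
action.summary_index.report = hourly_booking_summary

# Summary indexing, search 2: same pattern, staggered to 23 minutes past the
# hour instead of sharing the :07 slot with the search above.
[Hourly failed login summary]
search = eventtype=bad_logins | sistats count by client_ip
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1
cron_schedule = 23 * * * *
schedule_window = 15
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = hourly_bad_login_summary
```

The summary is read with an ordinary `stats`, which understands the pre-computed fields that `sistats` writes: `index=summary report=hourly_booking_summary earliest=-30d@d | stats count by server_ip` answers a 30-day question from a few hundred small events instead of scanning a month of raw logs. The "limit of concurrent searches" message from the previous section comes from limits.conf: `[search] base_max_searches` plus `max_searches_per_cpu` times the CPU count caps all searches, and `[scheduler] max_searches_perc` is the share of that cap scheduled searches may use. Check for scheduler starvation with `index=_internal sourcetype=scheduler status=skipped`; a skipped run of a summary-building search leaves a permanent hole in the summary, which has to be filled by re-running it for that hour (the fill_summary_index.py script in $SPLUNK_HOME/bin exists for this purpose).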

Summary

In this chapter, you learned how to enhance data in three ways: classifying data using Event Types, normalizing data using Tags, and enriching data using Lookups. You also learned some reporting and alerting techniques, along with report acceleration. You were introduced to the powerful Cron expression, which allows you to create granularity on your scheduled searches, as well as stagger execution times. Finally, you were introduced to the concept of summary indexing, allowing searches against pre-aggregated and stored historical data in the interest of performance.

In the next chapter, Chapter 5, Dynamic Dashboarding, you will go on to learn how to do visualizations.
