Splunk Operational Intelligence Cookbook


Product type: Book
Published in: Oct 2014
ISBN-13: 9781849697842
Pages: 414
Edition: 1st Edition

Table of Contents (17 Chapters)

Splunk Operational Intelligence Cookbook
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Preface
1. Play Time – Getting Data In
2. Diving into Data – Search and Report
3. Dashboards and Visualizations – Make Data Shine
4. Building an Operational Intelligence Application
5. Extending Intelligence – Data Models and Pivoting
6. Diving Deeper – Advanced Searching
7. Enriching Data – Lookups and Workflows
8. Being Proactive – Creating Alerts
9. Speed Up Intelligence – Data Summarization
10. Above and Beyond – Customization, Web Framework, REST API, and SDKs
Index

Preface

In a technology-centric world, where machines generate a vast amount of data at an incredibly high volume, Splunk has come up with its industry-leading big data intelligence platform—Splunk Enterprise. This powerful platform enables anyone to turn machine data into actionable and very valuable intelligence.

Splunk Operational Intelligence Cookbook is a collection of recipes that aim to provide you, the reader, with the guidance and practical knowledge to harness the endless features of Splunk Enterprise 6 for the purpose of deriving extremely powerful and valuable operational intelligence from your data.

Using easy-to-follow, step-by-step recipes, this book will teach you how to effectively gather, analyze, and create a report on the operational data available in your environment. The recipes provided will demonstrate methods to expedite the delivery of intelligent reports and empower you to present data in a meaningful way through dashboards and by applying many of the visualizations available in Splunk Enterprise. By the end of this book, you will have built a powerful Operational Intelligence application and applied many of the key features found in the Splunk Enterprise platform.

This book and its easy-to-follow recipes can also be extended to act as a teaching tool as you introduce others to the Splunk Enterprise platform and to your newfound ability to provide promotion-worthy operational intelligence.

What this book covers

Chapter 1, Play Time – Getting Data In, introduces you to the many ways in which data can be put into Splunk, whether it is by collecting data locally from files and directories, through TCP/UDP port inputs, directly from a Universal Forwarder, or by simply utilizing scripted and modular inputs. You will also be introduced to the datasets that will be referenced throughout this book and learn how to generate samples that can be used to follow each of the recipes as they are written.

Chapter 2, Diving into Data – Search and Report, will provide an introduction to the first set of recipes in this book. Leveraging data now available as a result of the previous chapter, the information and recipes provided here will act as a guide, walking you through searching event data using Splunk's SPL (Search Processing Language); applying field extractions; grouping common events based on field values; and then building basic reports using the table, top, chart, and stats commands.

Chapter 3, Dashboards and Visualizations – Make Data Shine, acts as a guide to building visualizations based on reports that can now be created as a result of the information and recipes provided in the previous chapter. This chapter will empower you to take your data and reports and bring them to life through the powerful visualizations provided by Splunk. The visualizations that are introduced will include single values, charts (bar, pie, line, and area), scatter charts, and gauges.

Chapter 4, Building an Operational Intelligence Application, builds on the understanding of visualizations that you have gained as a result of the previous chapter and introduces the concept of dashboards. The information and recipes provided in this chapter will outline the purpose of dashboards and teach you how to properly utilize dashboards, use the dashboard editor to build a dashboard, build a form to search event data, and much more.

Chapter 5, Extending Intelligence – Data Models and Pivoting, introduces two of the newest and most powerful features released as part of Splunk Enterprise Version 6: data models and the Pivot tool. The recipes provided in this chapter will guide you through the concept of building data models and using the Pivot tool to quickly design intelligent reports based on the constructed models.

Chapter 6, Diving Deeper – Advanced Searching, will take you deeper into the data by introducing transactions, subsearching, concurrency, associations, and more advanced search commands. Through the information and recipes provided in this chapter, you will harness the ability to converge data from different sources and understand how to build relationships between differing event data.

Chapter 7, Enriching Data – Lookups and Workflows, will introduce the concept of lookups and workflow actions for the purpose of augmenting the data being analyzed. The recipes provided will enable you to apply this core functionality to further enhance your understanding of the data being analyzed.

Chapter 8, Being Proactive – Creating Alerts, explains how scheduled or real-time alerts are a key asset to complete operational intelligence and awareness. This chapter will introduce you to the concepts and benefits of proactive alerts, and provide context for when these alerts are best applied. The recipes provided will guide you through creating alerts based on the knowledge gained from previous chapters.

Chapter 9, Speed Up Intelligence – Data Summarization, explains the concept of summary indexing for the purposes of accelerating reports and speeding up the time it takes to unlock business insight. The recipes in this chapter will provide you with a short introduction to common situations where summary indexing can be leveraged to speed up reports or preserve focused statistics over long periods of time.

Chapter 10, Above and Beyond – Customization, Web Framework, REST API, and SDKs, is the final chapter of the book and will introduce you to four very powerful features of Splunk. These features provide the ability to create a very rich and powerful interactive experience with Splunk. The recipes provided will open you up to the possibilities beyond core Splunk Enterprise and a method to make your own Operational Intelligence application that includes powerful D3 visualizations. Beyond this, it will also provide a recipe to query Splunk's REST API and a basic Python application to leverage Splunk's SDK to execute a search.

What you need for this book

To follow along with the recipes provided in this book, you will need an installation of Splunk Enterprise 6 and the sample data that is made available with this book. The recipes are intended to be portable to all Splunk Enterprise environments, but for best results, we suggest that you use the samples provided with this book.

Splunk Enterprise 6 can be downloaded for free for most major platforms from http://www.splunk.com/download.

The samples provided with this book will also be packaged with the Splunk Event Generator tool so that the event data can be refreshed, or events replayed afresh, as you work through the recipes.

Who this book is for

This book is intended for all users, beginner or advanced, who are looking to leverage the Splunk Enterprise platform as a valuable Operational Intelligence tool. The recipes provided in this book will appeal to individuals from all facets of a business—IT, security, product, marketing, and many more!

Although the book and its recipes are written so that anyone can follow along, it does progress at a steady pace into concepts or features that might not be common knowledge to a beginner. If there exists the necessity to understand more about a feature, Splunk has produced a vast amount of documentation on all Splunk Enterprise features available at http://docs.splunk.com/Documentation/Splunk.

There might also be sections that utilize regular expressions and introduce recipes that take advantage of the Python and XML languages. Experience with these concepts is not required, but it is beneficial.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The field values are displayed in a table using the table command."

A block of code is set as follows:

<table>
 <searchString>
  index=opintel status=404 | stats count by src_ip
 </searchString>
 <title>Report – 404 Errors by Source IP</title>
</table>

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

<table>
 <searchString>
  index=opintel status=404 | stats count by src_ip
 </searchString>
 <title>Report – 404 Errors by Source IP</title>
</table>
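To make the semantics of the search string in the block above concrete, here is an added example (not code from the book or from Splunk) that re-implements `status=404 | stats count by src_ip`, and the related `top` command named for Chapter 2, over a few constructed access-log lines. The names `extract_fields`, `stats_count_by` and `top_by` and the sample events are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample events in combined access-log format (not the book's dataset).
SAMPLE_EVENTS = """\
10.0.0.5 - - [12/Oct/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.5 - - [12/Oct/2014:10:01:03 +0000] "GET /old/page1 HTTP/1.1" 404 512
10.0.0.5 - - [12/Oct/2014:10:01:04 +0000] "GET /old/page2 HTTP/1.1" 404 512
192.168.1.9 - - [12/Oct/2014:10:02:10 +0000] "GET /about.html HTTP/1.1" 200 2048
192.168.1.9 - - [12/Oct/2014:10:02:11 +0000] "GET /missing HTTP/1.1" 404 512
10.0.0.5 - - [12/Oct/2014:10:01:05 +0000] "GET /old/page3 HTTP/1.1" 404 512
""".splitlines()

# Field extraction, the equivalent of Splunk pulling src_ip/status out of each raw event.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def extract_fields(event):
    """Return a dict of src_ip, request, status (int), bytes; None if the line does not match."""
    m = LOG_RE.match(event)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields

def stats_count_by(events, filter_field, filter_value, by_field):
    """Equivalent of `<field>=<value> | stats count by <by_field>`.

    Events that fail extraction or the filter are dropped; results are ordered by the
    group-by value, as stats does.
    """
    counter = Counter()
    for event in events:
        fields = extract_fields(event)
        if fields is None or fields[filter_field] != filter_value:
            continue
        counter[fields[by_field]] += 1
    return sorted(counter.items())

def top_by(events, filter_field, filter_value, by_field, limit=10):
    """Equivalent of `<field>=<value> | top <by_field>`: highest count first, plus a percent column."""
    rows = stats_count_by(events, filter_field, filter_value, by_field)
    total = sum(count for _, count in rows)
    ranked = sorted(rows, key=lambda r: (-r[1], r[0]))[:limit]
    return [(value, count, round(100.0 * count / total, 2)) for value, count in ranked]

if __name__ == "__main__":
    for src_ip, count in stats_count_by(SAMPLE_EVENTS, "status", 404, "src_ip"):
        print(src_ip, count)
```

A host that dominates the 404 table is the sort of thing the later alerting recipes are built to surface, which is why the book uses this particular report as its running example.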

Any command-line input or output is written as follows:

./splunk add monitor /var/log/messages -sourcetype linux_messages

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Quickly create a report by navigating to Save As | Report above the search bar."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to , and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.
