Splunk User Manual

Splunk User Manual
Version: 4.2.3
Generated: 10/18/2011 10:24 am
Copyright Splunk, Inc. All Rights Reserved

Table of Contents

Welcome  1
    What's in this manual  1
Splunk Overview  2
    Splunk overview  2
    Ways to access Splunk  4
    Splunk apps  5
Splunk Tutorial!  8
    Welcome to the Splunk Tutorial  8
    Before you start the tutorial  9
    Start Splunk  11
    Add data to Splunk  14
    The Search app  16
    Start searching  21
    Use the timeline  25
    Change the time range  28
    Use fields to search  30
    Save a search  38
    Use Splunk's search language  40
    Use a subsearch  46
    Use field lookups  48
    More search examples  56
    Reporting examples  60
    Build and share a dashboard  67
Index New Data  74
    About data and indexes  74
    Add data to your indexes  75
Search and Investigate  76
    About search  76
    Searching in Splunk  77
    Perform actions on running searches  80
    Search interactively with Splunk Web  81
    Change the time range to narrow your search  84
    Use the timeline to investigate patterns of events  89
    Search and report in real time  91
    Specify one or multiple indexes to search  97
    Search across one or more distributed search peers  98
    How search commands work  99
    How subsearches work  102
    Create and use search macros  105
Capture Knowledge  108
    About capturing knowledge  108
    Use default fields  108
    Manipulate and evaluate fields with multiple values  114
    Classify and group similar events  116
    Tag and alias field values  118
    Extract and add new fields  120
    Extract fields with search commands  121
    Extract fields interactively in Splunk Web  122
    Use field lookups to add information to your events  125
    Identify transactions  132
    Save searches and share search results  132
    Supervise your search jobs  140
Automate Monitoring  142
    Monitor recurring situations  142
    Create an alert  142
    Alert examples  154
    Review triggered alerts  159
Analyze and Report  162
    About reports and charts  162
    Use reporting commands  163
    Real-time reporting  167
    Chart gallery  167
    Familiarize yourself with the data structure requirements for the different visualization types, to better understand how to design searches for them  178
    Understand basic table and chart drilldown actions  178
    Define reports and generate charts  182
    Save reports and share them with others  187
    Use report-rich dashboards and views  190
    Create and edit simple dashboards  193
    Learn how to change and format dashboard panel visualizations with the Visualization Editor  205
    Schedule delivery of dashboard PDF printouts via email  205
Search Examples and Walkthroughs  207
    What's in this chapter  207
    Reporting: Build a chart of multiple data series  207
    Reporting: Compare hourly sums between multiple days  208
    Reporting: Use rangemap to group together ranges of results  210
    Monitor and alert on Windows disk usage  210

Welcome

What's in this manual

In this manual, you'll find information and procedures for the Splunk enterprise user: if you use Splunk to investigate problems and report on results, this is the manual for you.

Where to start?

If you're new to Splunk, check out the overview and then proceed to the Splunk tutorial! It guides you through adding data, searching your data, and building simple reports and dashboards. Let us know what you think!

Continue reading to:

- learn how to add data to your indexes
- start searching with terms, Boolean expressions, and fields
- learn how to use the search results and timeline to interactively narrow your search
- learn how to save event types, extract new fields, and tag field values
- learn how to save searches and set alert conditions for scheduled searches
- start building reports and charts to save and share with others

If you want to just jump right in and start searching, see the Search command cheat sheet for a quick reference complete with descriptions and examples.

Make a PDF

If you'd like a PDF of any version of this manual, click the pdf version link above the table of contents bar on the left side of this page. A PDF version of the manual is generated on the fly for you, and you can save it or print it out to read later.

Splunk Overview

Splunk overview

Splunk is powerful and versatile IT search software that takes the pain out of tracking and utilizing the information in your data center. If you have Splunk, you won't need complicated databases, connectors, custom parsers or controls: all that's required is a web browser and your imagination. Splunk handles the rest.

Use Splunk to:

- Continually index all of your IT data in real time.
- Automatically discover useful information embedded in your data, so you don't have to identify it yourself.
- Search your physical and virtual IT infrastructure for literally anything of interest and get results in seconds.
- Save searches and tag useful information, to make your system smarter.
- Set up alerts to automate the monitoring of your system for specific recurring events.
- Generate analytical reports with interactive charts, graphs, and tables and share them with others.
- Share saved searches and reports with fellow Splunk users, and distribute their results to team members and project stakeholders via email.
- Proactively review your IT systems to head off server downtimes and security incidents before they arise.
- Design specialized, information-rich views and dashboards that fit the wide-ranging needs of your enterprise.

Index new data

Splunk offers a variety of flexible data input methods to index everything in your IT infrastructure in real time, including live log files, configurations, traps and alerts, messages, scripts, performance data, and statistics from all of your applications, servers, and network devices. Monitor file systems for script and configuration changes. Enable change monitoring on your file system or Windows registry. Capture archive files and SNMP trap data. Find and tail live application server stack traces and database audit tables. Connect to network ports to receive syslog and other network-based instrumentation.

No matter how you get the data, or what format it's in, Splunk indexes it the same way, without any specific parsers or adapters to write or maintain. It stores both the raw data and the rich index in an efficient, compressed, filesystem-based datastore, with optional data signing and auditing if you need to prove data integrity.

For more details on data indexing with Splunk, see the "Index new data" chapter in this manual.
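Two of the input methods named above, tailing a live log file and listening on a network port for syslog, are configured in Splunk's inputs.conf. The stanzas below are an added example written for this page, not configuration taken from the manual; the log path, the index name "security" and the port numbers are assumptions chosen for illustration.

```ini
# inputs.conf (added example; the path, index name and ports are assumptions, not from the manual)

# Tail a local file continuously. Splunk records how far it has read, so after the
# initial pass only newly appended lines are indexed.
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = security
disabled = 0

# Receive syslog over UDP. connection_host = ip stores the sender's IP address in the
# host field. UDP syslog carries no sender authentication, so that value is only the
# packet's source address, not a verified identity, and datagrams dropped under load
# are lost silently.
[udp://514]
sourcetype = syslog
connection_host = ip
index = security

# Receive syslog over TCP from relays that support it. TCP avoids silent datagram loss
# but the stream is still unauthenticated and unencrypted on the wire.
[tcp://1514]
sourcetype = syslog
connection_host = dns
index = security
```

Put the file in $SPLUNK_HOME/etc/system/local/ (or in an app's local directory) and restart Splunk. On Unix-like systems only a privileged process can bind ports below 1024, so a Splunk instance running as an unprivileged user would need the relay to send to a high port such as the 1514 used in the tcp stanza. The index named in the stanzas has to exist before events arrive; create it in Manager or indexes.conf first.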

Search and investigate

Now you've got all that data in your system. What do you want to do with it? Start by using Splunk's powerful search functionality to look