Splunk - Tutorialspoint


About the Tutorial

Splunk is a software used to search and analyze machine data. This machine data can come from web applications, sensors, devices or any data created by users. It serves the needs of IT infrastructure by analyzing the logs generated in various processes, but it can also analyze any structured or semi-structured data with proper data modelling. It has built-in features to recognize data types and field separators and to optimize the search process. It also provides data visualization of the search results.

Audience

This tutorial targets IT professionals, students, and IT infrastructure management professionals who want a solid grasp of essential Splunk concepts. After completing this tutorial, you will achieve intermediate expertise in Splunk, and can easily build on your knowledge to solve more challenging problems.

Prerequisites

The reader should be familiar with a querying language like SQL. General knowledge of typical operations in using computer applications, such as storing and retrieving data and reading the logs generated by computer programs, will be highly useful.

Copyright & Disclaimer

Copyright 2019 by Tutorials Point (I) Pvt. Ltd.

All the content and graphics published in this e-book are the property of Tutorials Point (I) Pvt. Ltd. The user of this e-book is prohibited from reusing, retaining, copying, distributing or republishing any contents or a part of the contents of this e-book in any manner without written consent of the publisher.

We strive to update the contents of our website and tutorials as timely and as precisely as possible; however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt. Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our website or its contents, including this tutorial. If you discover any errors on our website or in this tutorial, please notify us at contact@tutorialspoint.com

Table of Contents

About the Tutorial ........................................ ii
Audience .................................................. ii
Prerequisites ............................................. ii
Copyright & Disclaimer .................................... ii
Table of Contents ......................................... iii

1. Splunk – Overview ...................................... 1
   Product Categories ..................................... 1
   Splunk Features ........................................ 1
2. Splunk – Environment ................................... 3
   Linux Version .......................................... 3
   Windows Version ........................................ 6
3. Splunk – Interface ..................................... 9
   Administrator Link ..................................... 9
   Settings Link .......................................... 10
   Search and Reporting Link .............................. 11
4. Splunk – Data Ingestion ................................ 13
   Selecting Source Type .................................. 14
   Input Settings ......................................... 15
   Review Settings ........................................ 17
5. Splunk – Source Types .................................. 19
   Supported Source Types ................................. 19
   Source Type Sub-Category ............................... 20
   Pre-Trained Source Types ............................... 21
6. Splunk – Basic Search .................................. 22
   Combining Search Terms ................................. 23
   Using Wild Card ........................................ 24
   Refining Search Results ................................ 25
7. Splunk – Field Searching ............................... 27
   Choosing the Fields .................................... 28
   Field Summary .......................................... 29
   Using Fields in Search ................................. 30
8. Splunk – Time Range Search ............................. 31
   Selecting a Time Subset ................................ 32
   Earliest and Latest .................................... 33
9. Splunk – Sharing Exporting ............................. 35
   Sharing the Search Result .............................. 35
   Finding the Saved Results .............................. 36
   Exporting the Search Result ............................ 37
10. Splunk – Search Language .............................. 39
   Components of SPL ...................................... 39
11. Splunk – Search Optimization .......................... 44
   Analysing Search Optimisations ......................... 44
   Turning Off Optimization ............................... 46
12. Splunk – Transforming Commands ........................ 49
   Examples of Transforming Commands ...................... 49
13. Splunk – Reports ...................................... 53
   Report Creation ........................................ 53
   Report Configuration ................................... 54
   Modifying Report Search Option ......................... 56
14. Splunk – Dashboards ................................... 58
   Creating Dashboard ..................................... 58
   Adding Panel to Dashboard .............................. 60
15. Splunk – Pivot and Datasets ........................... 64
   Creating a Dataset ..................................... 64
   Selecting a Dataset .................................... 64
   Choosing Dataset Fields ................................ 65
   Creating Pivot ......................................... 67
   Choose the Pivot Fields ................................ 68
16. Splunk – Lookups ...................................... 70
   Steps to Create and Use Lookup File .................... 70
17. Splunk – Schedules and Alerts ......................... 77
   Creating a Schedule .................................... 77
   Schedule Actions ....................................... 79
   Alerts ................................................. 79
18. Splunk – Knowledge Management ......................... 84
   Knowledge Object ....................................... 84
   Uses of Knowledge Objects .............................. 84
19. Splunk – Subsearching ................................. 86
   Example ................................................ 86
20. Splunk – Search Macros ................................ 89
   Macro Creation ......................................... 89
   Macro Scenario ......................................... 90
   Defining the Macro ..................................... 90
   Using the Macro ........................................ 92
21. Splunk – Event Types .................................. 94
   Creating Event Type .................................... 94
   Using New Event Types .................................. 96
   Viewing the Event Type .

Alerts

Splunk alerts can be used to trigger emails or RSS feeds when some specific criteria are found in the data being analyzed.

Dashboards

Splunk Dashboards can show the search results in the form of charts, reports, pivots, etc.

Data Model

The indexed data can be modelled into one or more data sets that are based on specialized domain knowledge. This leads to easier navigation by the end users who